
Windows Analysis Report
AO_RDS01_2024-04-18_16_39_30.221.zip

Overview

General Information

Sample name: AO_RDS01_2024-04-18_16_39_30.221.zip
Analysis ID: 1428288
MD5: f827a1fd82ba3c0a6e29b52c846350c4
SHA1: 0cbaa6e35f322eb6cb783b3c78f7c2ba98c727d4
SHA256: 704784b07c98d684e9d8bc49631f333ae54cedd94f2fbbc7ce3506ddc0f6b221

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Allocates memory with a write watch (potentially for evading sandboxes)
Detected potential crypto function
Drops PE files
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 5096 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • 7zG.exe (PID: 6992 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\" -spe -an -ai#7zMap23008:124:7zEvent13671 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • AccountRestore.exe (PID: 1668 cmdline: "C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221C:\Users\jjohnson\Music\AccountRestore.exe" MD5: 5A01695BE573F95DFC0CF73AB6B5234D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | ReversingLabs: Detection: 54%
Source: Binary string: C:\Users\user.DESKTOP-3VUNKBC\Downloads\Account\CrackAccount\obj\Debug\test.pdb source: 7zG.exe, 0000000E.00000003.1581912628.0000014075E30000.00000004.00000800.00020000.00000000.sdmp, AccountRestore.exe, 00000011.00000000.1756166927.00000000004E2000.00000002.00000001.01000000.00000008.sdmp, AccountRestore.exe.14.dr
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://defaultcontainer/View/MainWindow.xamlP
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://defaultcontainer/View/MainWindow.xamll
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/View/MainWindow.xamlP
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/View/MainWindow.xamll
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/bar/view/mainwindow.baml
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/bar/view/mainwindow.bamlP
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/bar/view/mainwindow.bamll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Code function: 17_2_0ABD66F0
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Code function: 17_2_0ABD66E2
Source: manifest.json.14.dr | Binary string: [{"included":true,"path":"\\Device\\HarddiskVolume4\\Users\\jjohnson\\Music\\AccountRestore.exe","reason":"","sha1":"28400c267815762e49c200e8b481a592c67f9cf7","sha256":"e97bdf7fafb1cb2a2bf0a4e14f51e18a34f3ff2f6f7b99731e93070d50801bef","size":29184}]
Source: classification engine | Classification label: mal48.winZIP@3/2@0/0
Source: C:\Program Files\7-Zip\7zG.exe | File created: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\" -spe -an -ai#7zMap23008:124:7zEvent13671
Source: unknown | Process created: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe "C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221C:\Users\jjohnson\Music\AccountRestore.exe"
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: activeds.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: adsldpc.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: adsnt.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: dsrole.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: samlib.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: ntdsapi.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: msctfui.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: thumbcache.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: windows.ui.fileexplorer.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: assignedaccessruntime.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: structuredquery.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: windows.storage.search.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: twinapi.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: actxprxy.dll
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Section loaded: networkexplorer.dll
Source: C:\Program Files\7-Zip\7zG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Window detected: Number of UI elements: 13
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\7-Zip\7zG.exe | File created: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe
  Memory allocated: 2860000 memory reserve | memory write watch
  Memory allocated: 2900000 memory reserve | memory write watch
  Memory allocated: 4900000 memory reserve | memory write watch
Note: the .NET garbage collector reserves its managed heap with MEM_WRITE_WATCH (it uses GetWriteWatch for card marking), so the "allocates memory with a write watch" signature fires for practically every .NET executable; for a Mono/.NET assembly like this one it is weak evidence of sandbox evasion.
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe
  File opened: C:\Users\user\AppData
  File opened: C:\Users\user
  File opened: C:\Users\user\AppData\Roaming
  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  File opened: C:\Users\user\AppData\Roaming\Microsoft
  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: AccountRestore.exe, 00000011.00000002.2285458013.0000000007DA3000.00000004.00000020.00020000.00000000.sdmp
  Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:|
  Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: AccountRestore.exe, 00000011.00000002.2288141082.000000000AEB8000.00000004.00000020.00020000.00000000.sdmp
  Binary or memory string: od_VMware_SATA_C
Note: these strings are the analysis VM's own CD-ROM device-interface path and volume GUID as returned by the mount manager; they land in process memory whenever volumes are enumerated on that VM. Treat them as incidental unless code that compares against VMware or VirtualBox identifiers is found in the binary.
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe
  Memory allocated: page read and write | page guard
  Queries volume information: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\v4.0_4.0.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
  Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
  Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Note: the volume-information queries are made by the runtime and the font subsystem for every file they map; what they reveal is the dependency set: WPF (PresentationFramework, UIAutomation*), Windows Forms, System.Drawing and, notably, System.DirectoryServices and System.DirectoryServices.AccountManagement, the Active Directory account-management APIs. Combined with the Debug PDB path in the static strings (...\CrackAccount\obj\Debug\test.pdb), this is consistent with a developer-built .NET GUI tool that operates on directory accounts; what it actually does with them is not established by this report.
  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (a stable per-installation identifier, commonly read for host fingerprinting or licensing)
  Directory queried: C:\Users\user\Documents
  Directory queried: C:\Users\user\Documents\PALRGUCVEH
MITRE ATT&CK Matrix (reconstructed from the flattened grid; a number in parentheses is the count of matched signatures for that technique; techniques without a number are the matrix's unpopulated placeholder cells)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Process Injection (1); Rundll32 (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (11); Virtualization/Sandbox Evasion (1); File and Directory Discovery (12); System Information Discovery (12); Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1428288
Sample: AO_RDS01_2024-04-18_16_39_3...
Start date: 18/04/2024
Architecture: WINDOWS
Score: 48
Processes started: AccountRestore.exe, 7zG.exe, rundll32.exe
Signature: Multi AV Scanner detection for dropped file (AccountRestore.exe)
Dropped file: C:\Users\user\Desktop\...\AccountRestore.exe, PE32 (written by 7zG.exe)

Antivirus detection, initial sample: No Antivirus matches
Antivirus detection, dropped files:
Source | Detection | Scanner | Label
C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe | 54% | ReversingLabs | Win32.PUA.Generic
Antivirus detection, unpacked PE files: No Antivirus matches
Antivirus detection, domains: No Antivirus matches
Antivirus detection, URLs: No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://foo/View/MainWindow.xamll | AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | | low
http://defaultcontainer/View/MainWindow.xamll | AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | | low
http://foo/bar/view/mainwindow.bamll | AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | | low
http://defaultcontainer/View/MainWindow.xamlP | AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | | low
http://foo/bar/view/mainwindow.bamlP | AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | | low
http://foo/View/MainWindow.xamlP | AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | | low
http://foo/bar/view/mainwindow.baml | AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | | low
Note: all seven entries are placeholder base URIs (http://foo/, http://defaultcontainer/) that WPF uses internally while resolving embedded XAML/BAML resources such as View/MainWindow.xaml; the trailing "l" and "P" are stray bytes from the memory dump. They are in-memory strings of a WPF application, not hosts the process contacted, and the report records no network behaviour.
No contacted IP infos
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1428288
                Start date and time:2024-04-18 19:13:15 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 21s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsinteractivecookbook.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:AO_RDS01_2024-04-18_16_39_30.221.zip
                Detection:MAL
                Classification:mal48.winZIP@3/2@0/0
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 97%
                • Number of executed functions: 38
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .zip
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, evoke-windowsservices-tas.msedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtEnumerateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: AO_RDS01_2024-04-18_16_39_30.221.zip
Time | Type | Description
19:15:36 | API Interceptor | 1x Sleep call for process: AccountRestore.exe modified
                No context
                Process:C:\Program Files\7-Zip\7zG.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):29184
                Entropy (8bit):5.724804053256654
                Encrypted:false
                SSDEEP:384:frG7kKgtNehIpakQyE0zfYaUmGvt22ATmEkMFTBel8YRmgx3ll+8ft63S1pfm:a77gahIpy1Szt7n3eiYMgxE3
                MD5:5A01695BE573F95DFC0CF73AB6B5234D
                SHA1:28400C267815762E49C200E8B481A592C67F9CF7
                SHA-256:E97BDF7FAFB1CB2A2BF0A4E14F51E18A34F3FF2F6F7B99731E93070D50801BEF
                SHA-512:B47D248EA32D6F1FCDF1C8996E5D01CDA11F4D11FA4BEBF819C9ABEF2A378356E6134F8840E3EEB3B377063BFA241B6D952DEF1CED0E8EE115978FCCC139E010
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 54%
                Reputation:low
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......].........."...0..h.............. ........@.. ....................................`.................................p...O...................................8................................................ ............... ..H............text....g... ...h.................. ..`.rsrc................j..............@..@.reloc...............p..............@..B........................H........6...?..........@v..............................................R..r...p.s....(.....*....0...........s......o......o....&*".(.....*B.( ......(.....*.0..*.........{......,..+...}....r+..p.s.......(!....*...0.................+...t....}....+...}....*&.(".....*....0..9........~.........,".ru..p.....(#...o$...s%...........~.....+..*....0...........~.....+..*".......*.0...........~.....+..*".(&....*Vs....('...t.........*...0..)........{.........((...t!.....|......(...+...3.
                Process:C:\Program Files\7-Zip\7zG.exe
                File Type:JSON data
                Category:dropped
                Size (bytes):249
                Entropy (8bit):5.05024577539805
                Encrypted:false
                SSDEEP:6:lQ2P70eTMfPEjq6sfCHNi8C5ZFw3KxRVAUGnPocck434Vn:LP1TConm8C7FswPgPoC4in
                MD5:65D31CAAE0A3287E5BAFB5D49F32A19F
                SHA1:C7984EC3D628BF38A34C86DF7B138B1F060852E0
                SHA-256:7E330274CC48E8BEF1D16539FDD6BAFAA52D2C422FC55CCDCDE0B5E349B56083
                SHA-512:BF18E249D912E62C8E16D85E953AB860246C9721B4EACEC24877AAA53044027979FA8B517485173CB411FF8BB915674143545CB5D12729D4F781AE1094A37593
                Malicious:false
                Reputation:low
                Preview:[{"included":true,"path":"\\Device\\HarddiskVolume4\\Users\\jjohnson\\Music\\AccountRestore.exe","reason":"","sha1":"28400c267815762e49c200e8b481a592c67f9cf7","sha256":"e97bdf7fafb1cb2a2bf0a4e14f51e18a34f3ff2f6f7b99731e93070d50801bef","size":29184}]
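The dropped JSON file above is the collection package's manifest: one entry per collected file, giving its NT device path, SHA-1, SHA-256 and size. Its hashes (28400c..., e97bdf...) match the values the sandbox computed for the extracted AccountRestore.exe, so the archive arrived intact. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that automates that check for a whole package: it maps each \Device\HarddiskVolumeN\... path onto the extracted directory tree, verifies size, SHA-1 and SHA-256, and reports entries that are missing or altered. The manifest field names are taken from the dropped file; the payload bytes that demo() writes are constructed stand-ins.

```python
"""Verify an extracted collection package against its JSON manifest.

Added example; not from the Joe Sandbox report or the analysed sample. Assumes
the manifest shape visible in the report's dropped JSON file: a list of objects
with "included", "path" (an NT device path), "sha1", "sha256" and "size", and an
extraction root under which the archive's Device/HarddiskVolume4/... tree lives.
"""
import hashlib
import json
import os
import tempfile


def nt_path_to_relative(nt_path: str) -> str:
    """Map '\\Device\\HarddiskVolume4\\Users\\x\\a.exe' to 'Device/HarddiskVolume4/Users/x/a.exe'."""
    parts = [p for p in nt_path.replace("/", "\\").split("\\") if p]
    return os.path.join(*parts)


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(manifest_text: str, root_dir: str) -> list:
    """Return one dict per manifest entry: {'path', 'status', 'detail'}.

    status is 'ok', 'skipped', 'missing', 'size_mismatch' or 'hash_mismatch'.
    Size is compared first because it is cheap and already proves tampering.
    """
    results = []
    for entry in json.loads(manifest_text):
        rel = nt_path_to_relative(entry["path"])
        full = os.path.join(root_dir, rel)
        if not entry.get("included", True):
            results.append({"path": rel, "status": "skipped", "detail": entry.get("reason", "")})
            continue
        if not os.path.isfile(full):
            results.append({"path": rel, "status": "missing", "detail": full})
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        if len(data) != entry["size"]:
            results.append({"path": rel, "status": "size_mismatch",
                            "detail": f"{len(data)} != {entry['size']}"})
            continue
        # Manifest hashes are lowercase; the sandbox prints them uppercase, so normalise.
        if sha1_hex(data) != entry["sha1"].lower() or sha256_hex(data) != entry["sha256"].lower():
            results.append({"path": rel, "status": "hash_mismatch", "detail": sha256_hex(data)})
            continue
        results.append({"path": rel, "status": "ok", "detail": sha256_hex(data)})
    return results


def demo() -> dict:
    """Constructed end-to-end run: build a fake package in a temp dir, verify it intact and tampered."""
    payload = b"MZ" + b"\x00" * 62 + b"constructed stand-in for AccountRestore.exe"  # not the real file
    nt_path = "\\Device\\HarddiskVolume4\\Users\\jjohnson\\Music\\AccountRestore.exe"
    manifest = json.dumps([{
        "included": True, "path": nt_path, "reason": "",
        "sha1": sha1_hex(payload), "sha256": sha256_hex(payload), "size": len(payload),
    }])
    with tempfile.TemporaryDirectory() as root:
        full = os.path.join(root, nt_path_to_relative(nt_path))
        os.makedirs(os.path.dirname(full))
        with open(full, "wb") as fh:
            fh.write(payload)
        intact = verify_manifest(manifest, root)[0]["status"]
        with open(full, "ab") as fh:
            fh.write(b"\x90")  # tamper: one appended byte changes size and both hashes
        tampered = verify_manifest(manifest, root)[0]["status"]
    return {"intact": intact, "tampered": tampered}
```

Against a real package, call verify_manifest() with the manifest text and the directory 7-Zip extracted into; any status other than "ok" means the evidence file should not be trusted as the copy that was collected on the source host. demo() exercises both the intact and the tampered path on constructed data.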
                File type:Zip archive data, at least v4.5 to extract, compression method=deflate
                Entropy (8bit):7.973895919178688
                TrID:
                • ZIP compressed archive (8000/1) 100.00%
                File name:AO_RDS01_2024-04-18_16_39_30.221.zip
                File size:13'972 bytes
                MD5:f827a1fd82ba3c0a6e29b52c846350c4
                SHA1:0cbaa6e35f322eb6cb783b3c78f7c2ba98c727d4
                SHA256:704784b07c98d684e9d8bc49631f333ae54cedd94f2fbbc7ce3506ddc0f6b221
                SHA512:00e3fe2edfffbb06dc9142e85e4e4eecf5a79e3cdcbe3a8dfc5b5b644269ae89a2ca1e87e54ea79e87c11d743fc1354ac10612589054a57df8845f171cfad469
                SSDEEP:192:NxUpx1FrhtrHuApM3jQA2gg8qEuUlAfdxxBW2F69w3oLGkk0ZL1r8fh78eq6mk+0:NxKDtrHuApTQJluVUmoaq98578eq655X
                TLSH:EC52D19B656FD907ED7028B938F5F5D4210B9907E615BC32C5CA80EC88DD3DE8443A72
                File Content Preview:PK..-.............W4...r..>...Device/HarddiskVolume4/Users/jjohnson/Music/AccountRestore.exe.....................=.2...m...^.....T...6.\~...c\..8......Zph./:W.R..V..._.Y-..l..@.A.<...#....&m.S...i.7....7S*=..C"t...Q}./>.}.?.TE.>K.8z..%..![.@....Y.......1.
                Icon Hash:1c1c1e4e4ececedc
                No network behavior found

                Target ID:0
                Start time:19:13:44
                Start date:18/04/2024
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                Imagebase:0x7ff770e50000
                File size:71'680 bytes
                MD5 hash:EF3179D498793BF4234F708D3BE28633
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:14
                Start time:19:14:28
                Start date:18/04/2024
                Path:C:\Program Files\7-Zip\7zG.exe
                Wow64 process (32bit):false
                Commandline:"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\" -spe -an -ai#7zMap23008:124:7zEvent13671
                Imagebase:0x540000
                File size:700'416 bytes
                MD5 hash:50F289DF0C19484E970849AAC4E6F977
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Target ID:17
                Start time:19:14:56
                Start date:18/04/2024
                Path:C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221C:\Users\jjohnson\Music\AccountRestore.exe"
                Imagebase:0x4e0000
                File size:29'184 bytes
                MD5 hash:5A01695BE573F95DFC0CF73AB6B5234D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Antivirus matches:
                • Detection: 54%, ReversingLabs
                Reputation:low
                Has exited:false
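Process details like these are what a SOC turns into hunting logic. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample. It assumes Sysmon-style telemetry represented as dicts (Event ID 1 process creation with Image and Hashes, Event ID 7 image load with Image and ImageLoaded); the field names, the folder list and the sample events are assumptions. The indicator values come from this report: the dropped file's MD5 and SHA-256, its original location under a user's Music folder (from the manifest path), and the System.DirectoryServices.AccountManagement assembly it loaded from the GAC.

```python
"""Triage rules over process-creation and image-load telemetry, run on constructed events.

Added example; not from the Joe Sandbox report or the analysed sample. Sysmon-style
field names (Image, Hashes, ImageLoaded) and the constructed events are assumptions;
the hash values and the loaded assembly name are taken from the report.
"""
import re

# Dropped-file hashes as listed in the report (lowercased for comparison).
IOC_SHA256 = "e97bdf7fafb1cb2a2bf0a4e14f51e18a34f3ff2f6f7b99731e93070d50801bef"
IOC_MD5 = "5a01695be573f95dfc0cf73ab6b5234d"

# User-profile data folders from which an unknown .exe rarely runs legitimately (assumption).
PROFILE_DATA_DIRS = {"music", "pictures", "videos", "downloads"}

# Assembly the sample loaded (report: System.DirectoryServices.AccountManagement.dll from the GAC).
AD_ACCOUNT_ASSEMBLY = "\\system.directoryservices.accountmanagement\\"

_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\([^\\]+)\\", re.IGNORECASE)
_TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_hashes(field: str) -> dict:
    """Sysmon writes 'SHA256=...,MD5=...'; return {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def in_trusted_root(path: str) -> bool:
    return path.lower().startswith(_TRUSTED_ROOTS)


def evaluate_process_create(event: dict) -> list:
    """Event ID 1 rules; returns the names of every rule that matched."""
    hits = []
    image = event.get("Image", "")
    hashes = parse_hashes(event.get("Hashes", ""))
    if hashes.get("SHA256") == IOC_SHA256 or hashes.get("MD5") == IOC_MD5:
        hits.append("known_ioc_hash")
    m = _PROFILE_RE.match(image)
    if m and m.group(1).lower() in PROFILE_DATA_DIRS and image.lower().endswith(".exe"):
        hits.append("exe_from_profile_data_dir")
    return hits


def evaluate_image_load(event: dict) -> list:
    """Event ID 7 rule: AD account-management assembly loaded by a process outside Windows/Program Files."""
    loaded = event.get("ImageLoaded", "").lower()
    if AD_ACCOUNT_ASSEMBLY in loaded and not in_trusted_root(event.get("Image", "")):
        return ["ad_account_mgmt_assembly_in_untrusted_process"]
    return []


# Constructed events: the first two mirror the report, the last two are benign controls.
CONSTRUCTED_EVENTS = [
    {"id": "rds01-accountrestore", "EventID": 1,
     "Image": r"C:\Users\jjohnson\Music\AccountRestore.exe",
     "Hashes": "SHA256=E97BDF7FAFB1CB2A2BF0A4E14F51E18A34F3FF2F6F7B99731E93070D50801BEF,"
               "MD5=5A01695BE573F95DFC0CF73AB6B5234D"},
    {"id": "rds01-accountrestore-load", "EventID": 7,
     "Image": r"C:\Users\jjohnson\Music\AccountRestore.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement"
                    r"\v4.0_4.0.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll"},
    {"id": "sandbox-7zip", "EventID": 1,  # SHA256 here is a constructed placeholder
     "Image": r"C:\Program Files\7-Zip\7zG.exe",
     "Hashes": "SHA256=" + "0" * 64 + ",MD5=50F289DF0C19484E970849AAC4E6F977"},
    {"id": "admin-tool-load", "EventID": 7,
     "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement"
                    r"\v4.0_4.0.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll"},
]


def run_demo(events=CONSTRUCTED_EVENTS) -> dict:
    """Return {event id: [matched rules]} for every event."""
    results = {}
    for ev in events:
        if ev["EventID"] == 1:
            results[ev["id"]] = evaluate_process_create(ev)
        elif ev["EventID"] == 7:
            results[ev["id"]] = evaluate_image_load(ev)
    return results
```

The hash rule is exact and expires as soon as the binary is rebuilt; the two behavioural rules (an .exe launched from a profile data folder, and the AD account-management assembly loaded into a process outside the trusted roots) survive recompilation and are the ones worth keeping. Expect the image-load rule to also flag legitimate admin scripts run from user folders, so pair it with a prevalence check before alerting.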


                  Execution Graph

                  Execution Coverage:9.8%
                  Dynamic/Decrypted Code Coverage:98.1%
                  Signature Coverage:0%
                  Total number of Nodes:155
                  Total number of Limit Nodes:13
[Execution graph rendering omitted. Windows APIs reached by the graphed functions in the dumped code regions: GetCurrentThreadId, GetActiveWindow, GetFocus, GetCurrentProcess, GetCurrentThread, RtlEncodePointer, CallWindowProcW, CompareStringW, KiUserCallbackDispatcher, DuplicateHandle, EnumThreadWindows and LoadLibraryW (several call sites).]
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a091fbd7dcdca778d56e69b2dddf74d537109b740ddd566337ce9bd9016d60ee
                  • Instruction ID: 927cb5aaa09852cae5d01b000cbfe6731aea02dc585b60bf5bbeb2d2324fd5cf
                  • Opcode Fuzzy Hash: a091fbd7dcdca778d56e69b2dddf74d537109b740ddd566337ce9bd9016d60ee
                  • Instruction Fuzzy Hash: 8812AFF08247469BE310DF66E9481893FF9F7443A8B50420DD2A5ABAD2D7F9198BCF44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e620af965b01aa47d04b4ecdda1b3e878ae22f8843444c9b34dadae27bd7d27d
                  • Instruction ID: e0e6362ce7dddfec4cf87fd59b1757e9f73263d11c2b6c49715a5ea99c0aaa2b
                  • Opcode Fuzzy Hash: e620af965b01aa47d04b4ecdda1b3e878ae22f8843444c9b34dadae27bd7d27d
                  • Instruction Fuzzy Hash: 27C103B0C247469BE710DF66E8481897FB9FB853A8B61430DD161AB6D2D7F8188BCF44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 0ABD5666
                  • GetCurrentThread.KERNEL32 ref: 0ABD56A3
                  • GetCurrentProcess.KERNEL32 ref: 0ABD56E0
                  • GetCurrentThreadId.KERNEL32 ref: 0ABD5739
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0
                  • Opcode ID: 0ec807dfd5282216902737fe4d68deda55946d060b7a2273a114b36323859331
                  • Instruction ID: 6e411cdd4cfa2692c5ecc3223eb9a005a4719764e0f475f6523ff36735adf0a2
                  • Opcode Fuzzy Hash: 0ec807dfd5282216902737fe4d68deda55946d060b7a2273a114b36323859331
                  • Instruction Fuzzy Hash: 9E5198B1D042498FDB14DFA9D548BAEBFF1EF88300F248599D049AB361D739A844CF69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 0ABD5666
                  • GetCurrentThread.KERNEL32 ref: 0ABD56A3
                  • GetCurrentProcess.KERNEL32 ref: 0ABD56E0
                  • GetCurrentThreadId.KERNEL32 ref: 0ABD5739
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0
                  • Opcode ID: 1c2c91940299f67ddbe322122efbf53a458bf41555ed0d2d1e53e90fc1557191
                  • Instruction ID: c166a27cdcd3fc072bebc0526182f558b27512fd706941195574895f24c44039
                  • Opcode Fuzzy Hash: 1c2c91940299f67ddbe322122efbf53a458bf41555ed0d2d1e53e90fc1557191
                  • Instruction Fuzzy Hash: DA5187B1D006098FDB14DFA9D548BAEBBF1EF88314F248199D009BB360D739A844CF69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID: ActiveFocusWindow
                  • String ID:
                  • API String ID: 2022189218-0
                  • Opcode ID: f95500ec8bbcc48fa2817ef47550663656385b262d4b8143788d373e92a1e33f
                  • Instruction ID: a4b87e34369c2eb51c34f24ec1ab0fa6bfd2bd79b314e228142582d0f0e78a7e
                  • Opcode Fuzzy Hash: f95500ec8bbcc48fa2817ef47550663656385b262d4b8143788d373e92a1e33f
                  • Instruction Fuzzy Hash: A5713CB4A002458FDB14DF69C584ABABBF5EF48204F198499D805EB362DB34ED81DBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Memory Dump Source
                  • Source File: 00000011.00000002.2281382292.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_2860000_AccountRestore.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 87f45696d2349cff0a0b52e6f04c236dc8a2eefd4f3bc48091fc1041a33f0ef7
                  • Instruction ID: de02c55080398b0b37f313283a77961ff2fb1f2d52d49e2149522eabaec5559a
                  • Opcode Fuzzy Hash: 87f45696d2349cff0a0b52e6f04c236dc8a2eefd4f3bc48091fc1041a33f0ef7
                  • Instruction Fuzzy Hash: 60C194B990E3D04FE703AB3858786AA7FB29F53114B0944DBD4C5DF5A3E628480DC7A6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID: ActiveWindow
                  • String ID:
                  • API String ID: 2558294473-0
                  • Opcode ID: 261891062b5d9af5526de96be48db605412642ae1307fe049af5991fc0c097a3
                  • Instruction ID: a59e94253d6fde2b744a3e7effe6f3c22e5ae377791df13be24f7331985d1ca0
                  • Opcode Fuzzy Hash: 261891062b5d9af5526de96be48db605412642ae1307fe049af5991fc0c097a3
                  • Instruction Fuzzy Hash: 60718A71A102488FCB04EFA9D4586ADBFB6FF89310F2481A9D406EB364DB749C85CF95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID: ActiveWindow
                  • String ID:
                  • API String ID: 2558294473-0
                  • Opcode ID: d0619abd1248fe53226ea5818e44e20256792c4ad94b5d2799047ceaf7ca0761
                  • Instruction ID: dfb3f68287278b7053a7423141b81a2c54749e7398392b6e88d178f25434b281
                  • Opcode Fuzzy Hash: d0619abd1248fe53226ea5818e44e20256792c4ad94b5d2799047ceaf7ca0761
                  • Instruction Fuzzy Hash: 0E616874E10248CFCB04DFA9D048AADBBB6FF88710F248169D406EB364DB749881DF55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 0ABD7F78
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID: CallProcWindow
                  • String ID:
                  • API String ID: 2714655100-0
                  • Opcode ID: 37d559ad9c9b30649212af8ac8ae8348fa45de1b62aa54e595a34df8cace300a
                  • Instruction ID: d33d035f725e4705dd3f19d003df9f4671c6c23a10e85f4bf4ce14a11ad5fffb
                  • Opcode Fuzzy Hash: 37d559ad9c9b30649212af8ac8ae8348fa45de1b62aa54e595a34df8cace300a
                  • Instruction Fuzzy Hash: 08317A75A10248DFCB24DFA9D448ADEBBF5FB48310F10809AE916A7360DB71AC40DF64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • GetCurrentThreadId.KERNEL32 ref: 0ABD7492
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID: CurrentThread
                  • String ID:
                  • API String ID: 2882836952-0
                  • Opcode ID: 9d9003a57970f55cbc81afa1cd8401f9770f2010b5fd81865de4f137b7276a81
                  • Instruction ID: 71191d08bf0e016af79dfdf5ca4ee83edd575756070d3ac2ddc53c806bb26513
                  • Opcode Fuzzy Hash: 9d9003a57970f55cbc81afa1cd8401f9770f2010b5fd81865de4f137b7276a81
                  • Instruction Fuzzy Hash: AE315671A0024A8FCB10DFA9D480AEEFBF0FB49314F148559C458AB322D339A944CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0ABD58B7
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: b2c54ca0e8a94c9a627c3765a9f5c2ed4726cc66d3cd6a8c8332a093155b78f2
                  • Instruction ID: f512103bb3c8d1d58a420a4c55d5aea43984a25faa2dd84f406fe5f21ff6146a
                  • Opcode Fuzzy Hash: b2c54ca0e8a94c9a627c3765a9f5c2ed4726cc66d3cd6a8c8332a093155b78f2
                  • Instruction Fuzzy Hash: 4E2116B5D002499FDB10CFAAD484AEEBFF4EB48310F14815AE958B3350D379A944CF60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0ABD58B7
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 9f832019a33ff9884b7f28d9b058bf18ef57cb6b3334470009832729d8860bb6
                  • Instruction ID: 406ca834450f4ffc8eb50465f1c7d09992eb73dc564df8501768ce456dae9c55
                  • Opcode Fuzzy Hash: 9f832019a33ff9884b7f28d9b058bf18ef57cb6b3334470009832729d8860bb6
                  • Instruction Fuzzy Hash: 6A21E4B5D012499FDB10CF9AD584AEEBFF8EB48310F14801AE958B3350D379A940CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • EnumThreadWindows.USER32(?,00000000,?), ref: 0ABD7571
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID: EnumThreadWindows
                  • String ID:
                  • API String ID: 2941952884-0
                  • Opcode ID: 3ed37eea304dc84ec3d3323a8f5874512c559730811d34ce7efb13b379ee2a55
                  • Instruction ID: 3f8f1f14e4736413bb21e7b124d4a022452ae213ba700b084ec4b102f3fcc1f4
                  • Opcode Fuzzy Hash: 3ed37eea304dc84ec3d3323a8f5874512c559730811d34ce7efb13b379ee2a55
                  • Instruction Fuzzy Hash: D12147B1D0024A8FDB14CFAAC845BEEFBF5EB88314F24842AD455A3350D778A945CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • EnumThreadWindows.USER32(?,00000000,?), ref: 0ABD7571
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID: EnumThreadWindows
                  • String ID:
                  • API String ID: 2941952884-0
                  • Opcode ID: 8b335f5af0b465689792010a87d9ef81c06736a49ec9b0384370822fecc220aa
                  • Instruction ID: fe3964d09143aacfb2a4c2cfe79c49426291d899bafd5c359d3246096819e1fd
                  • Opcode Fuzzy Hash: 8b335f5af0b465689792010a87d9ef81c06736a49ec9b0384370822fecc220aa
                  • Instruction Fuzzy Hash: 242108B1D0024A8FDB14CF9AC845BEEFBF5EB88314F14846AD455A3350D778A944CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • RtlEncodePointer.NTDLL(00000000), ref: 02865EA2
                  Memory Dump Source
                  • Source File: 00000011.00000002.2281382292.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_2860000_AccountRestore.jbxd
                  Similarity
                  • API ID: EncodePointer
                  • String ID:
                  • API String ID: 2118026453-0
                  • Opcode ID: 662975d85647d59283175b1a673cab050af4b0a47e3332f8696adfa0e94e9029
                  • Instruction ID: 0bd5eeabdc2a371ea461ecc26796ec3d4b356ee23e64c408b8658e1be941ee2c
                  • Opcode Fuzzy Hash: 662975d85647d59283175b1a673cab050af4b0a47e3332f8696adfa0e94e9029
                  • Instruction Fuzzy Hash: 4421AE79D0474A8FDB20CFAAC5487AEBBF4FB49314F20841EC559A3241D7795944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • CompareStringW.KERNELBASE(04E116B0,?,?,?,?,?), ref: 028641FA
                  Memory Dump Source
                  • Source File: 00000011.00000002.2281382292.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_2860000_AccountRestore.jbxd
                  Similarity
                  • API ID: CompareString
                  • String ID:
                  • API String ID: 1825529933-0
                  • Opcode ID: a6266264cdc993b7d689e3b9bdba0c8085c94fc418fd604d0debd9567fbf78fc
                  • Instruction ID: 2dd4628fff94c6614dd593e3713c169157a59b379e3b1ad2a1786d1c3f36938d
                  • Opcode Fuzzy Hash: a6266264cdc993b7d689e3b9bdba0c8085c94fc418fd604d0debd9567fbf78fc
                  • Instruction Fuzzy Hash: 3D2167B58042889FCB11CFA9C844BDEBFF4EF49314F14844AE559B7211C3799914CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • RtlEncodePointer.NTDLL(00000000), ref: 02865EA2
                  Memory Dump Source
                  • Source File: 00000011.00000002.2281382292.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_2860000_AccountRestore.jbxd
                  Similarity
                  • API ID: EncodePointer
                  • String ID:
                  • API String ID: 2118026453-0
                  • Opcode ID: e850dc63b9516026304ed7f525d30176dd25899fcea349eb3fbd166f658a8a6f
                  • Instruction ID: 0fd74ec1fcb0e31e7be817e87b0a0ebab165d5450cfac00f4b4b3dbc87efb7e7
                  • Opcode Fuzzy Hash: e850dc63b9516026304ed7f525d30176dd25899fcea349eb3fbd166f658a8a6f
                  • Instruction Fuzzy Hash: 9E11AC78D0030A8FDB10CFAAC5487AEBBF4FB48315F60842AC519E3241D779A940CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNELBASE(00000000), ref: 028687B6
                  Memory Dump Source
                  • Source File: 00000011.00000002.2281382292.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_2860000_AccountRestore.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 82504db547515986156d711e40cea22f4579d0b62ba07303ee3a6001b023bde6
                  • Instruction ID: 76d79e9ef6f7bf2f810246a45374b84177bd6198dec00d574684fe2a233e4d6a
                  • Opcode Fuzzy Hash: 82504db547515986156d711e40cea22f4579d0b62ba07303ee3a6001b023bde6
                  • Instruction Fuzzy Hash: FA1112BAD002498FDB10CF9AC444AEEFBF5AB88218F14841AD519B7710D379A545CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0ABD7E57
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID: CallbackDispatcherUser
                  • String ID:
                  • API String ID: 2492992576-0
                  • Opcode ID: 293e10bfd8f9813fe4a6b90eee6372bdbefa809e3c4903cbdbfa3cbc8c4977be
                  • Instruction ID: 5d2c709a39cc44b3908e7fa89b2f830639db2b5ef3d671dd97a24df55bebbedd
                  • Opcode Fuzzy Hash: 293e10bfd8f9813fe4a6b90eee6372bdbefa809e3c4903cbdbfa3cbc8c4977be
                  • Instruction Fuzzy Hash: 1911287680064A8FDB10CF9AD545BEEBBF4EB48324F14845AD458B3350D338AA84DFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CompareStringW.KERNELBASE(04E116B0,?,?,?,?,?), ref: 028641FA
                  Memory Dump Source
                  • Source File: 00000011.00000002.2281382292.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_2860000_AccountRestore.jbxd
                  Similarity
                  • API ID: CompareString
                  • String ID:
                  • API String ID: 1825529933-0
                  • Opcode ID: 2804687ea3812e59c3f23411b2d798dcd4dc3b885f7e5d798fb1dbfaf7355931
                  • Instruction ID: 74eef8a7ebfab60f50f5ffd98be520089bec6abfe81f369846234775013c15d6
                  • Opcode Fuzzy Hash: 2804687ea3812e59c3f23411b2d798dcd4dc3b885f7e5d798fb1dbfaf7355931
                  • Instruction Fuzzy Hash: 731146B98002499FDB20CF99C844BEEBFF4EB48314F108419E519B7210C375A954CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNELBASE(00000000), ref: 028687B6
                  Memory Dump Source
                  • Source File: 00000011.00000002.2281382292.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_2860000_AccountRestore.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: b39601c9f24727bfd333ab76a613d1ddd5d19e48c04ed985259bd70cdb5ab57a
                  • Instruction ID: 6a19a1bcf078b95f1ceabd6572dd80cbc71acf58d0c388fbd42513ce949c6b04
                  • Opcode Fuzzy Hash: b39601c9f24727bfd333ab76a613d1ddd5d19e48c04ed985259bd70cdb5ab57a
                  • Instruction Fuzzy Hash: 421102BAD002498FDB10CF9AC444AAEFBF9EF89324F14841AD569B7310D379A545CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0ABD7E57
                  Memory Dump Source
                  • Source File: 00000011.00000002.2287816205.000000000ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ABD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_abd0000_AccountRestore.jbxd
                  Similarity
                  • API ID: CallbackDispatcherUser
                  • String ID:
                  • API String ID: 2492992576-0
                  • Opcode ID: 3ef1dd007958a1e3647df545b5e0224e601259db7f67690dcbbf4084e4b6c275
                  • Instruction ID: d60b8db7d5a0efc9ea344b888e9de9f4ee1e7865576206dfa6534ff736ee5db1
                  • Opcode Fuzzy Hash: 3ef1dd007958a1e3647df545b5e0224e601259db7f67690dcbbf4084e4b6c275
                  • Instruction Fuzzy Hash: FB113A768002498FDB10CF9AC445BEEBBF8EB48320F14846AD558B3351D378AA84CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%
