
Windows Analysis Report
wLw52XmkOM.exe

Overview

General Information

Sample name: wLw52XmkOM.exe (renamed because original name is a hash value)
Original sample name: e78473bca17b8e1e7353570719b5ad0c.exe
Analysis ID: 1447538
MD5: e78473bca17b8e1e7353570719b5ad0c
SHA1: b86d03c15612419b13245d8593a6f843775f7d20
SHA256: f81de3b76d2e7f5166c6029cbd9918dcc6c8649bb0d9f869a76e141b3abca791
Tags: 32, exe, RedLineStealer

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • wLw52XmkOM.exe (PID: 7520 cmdline: "C:\Users\user\Desktop\wLw52XmkOM.exe" MD5: E78473BCA17B8E1E7353570719B5AD0C)
  • cleanup
No configs have been found
Source: wLw52XmkOM.exe | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 8D 88 44 24 2B 88 44 24 2F B0 86 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 0.0.wLw52XmkOM.exe.400000.0.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings: the same six matches ($s1 to $s6, same offsets) as listed for the sample above
Source: 0.2.wLw52XmkOM.exe.400000.0.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings: the same six matches ($s1 to $s6, same offsets) as listed for the sample above
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: wLw52XmkOM.exe | ReversingLabs: Detection: 34%
Source: wLw52XmkOM.exe | Virustotal: Detection: 40%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 68.9% probability
Source: wLw52XmkOM.exe | Joe Sandbox ML: detected
Source: wLw52XmkOM.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_0702F186 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState

System Summary

Source: wLw52XmkOM.exe, type: SAMPLE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 0.0.wLw52XmkOM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 0.2.wLw52XmkOM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: C:\Users\user\Desktop\wLw52XmkOM.exeCode function: String function: 0040E1D8 appears 43 times
Source: wLw52XmkOM.exe, 00000000.00000002.2883688606.00000000023E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSTHealthUp.exe6 vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000002.2883688606.00000000023E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000002.2884219674.000000000264B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000002.2884219674.000000000264B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000002.2884219674.000000000264B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSTHealthUp.exe6 vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000003.1621437550.00000000007D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000003.1624510010.000000000079F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000003.1621536508.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000003.1621827937.0000000000778000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSTHealthUp.exe6 vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000003.1621827937.0000000000778000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000002.2883523183.0000000002239000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSTHealthUp.exe6 vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000002.2883523183.0000000002239000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000000.1619610533.0000000000426000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSTHealthUp.exe6 vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000002.2886873518.0000000004A20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSTHealthUp.exe6 vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000002.2886783889.00000000035E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSTHealthUp.exe6 vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe, 00000000.00000002.2886783889.00000000035E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs wLw52XmkOM.exe
Source: wLw52XmkOM.exe | Binary or memory string: OriginalFilenameSTHealthUp.exe6 vs wLw52XmkOM.exe
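The rows above come from a raw string scan, which is why the values carry a stray trailing character (the "6" in STHealthUp.exe6, the "4" in _.dll4). The Python below is an added example for this page, not part of the Joe Sandbox report: it recovers the same OriginalFilename values by parsing the VS_VERSION_INFO String block header (key, length, type) instead of scanning for text, and lists the ones that differ from the name the sample was executed under. The memory dump it scans is constructed inline; the embedded names STHealthUp.exe and _.dll are the values reported above.

```python
import struct

# UTF-16LE "OriginalFilename" plus its NUL terminator, exactly as the szKey
# field of a VS_VERSION_INFO String block stores it.
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def original_filenames(data: bytes) -> list:
    """Return every OriginalFilename value found in a PE file or memory dump.

    A String block is laid out as WORD wLength, WORD wValueLength (UTF-16
    code units, NUL included), WORD wType (1 = text), the NUL-terminated
    szKey, zero padding to a 32-bit boundary, then the value.  Honouring the
    header length avoids reading junk bytes that follow the value.
    """
    found = []
    pos = data.find(KEY)
    while pos != -1:
        hdr = pos - 6                      # the three header WORDs precede szKey
        if hdr >= 0:
            _, value_units, value_type = struct.unpack_from("<HHH", data, hdr)
            start = pos + len(KEY)
            start += (-(start - hdr)) % 4  # pad the value to a DWORD boundary
            if value_type == 1 and value_units:
                units = []
                stop = min(start + 2 * value_units, len(data) - 1)
                for off in range(start, stop, 2):
                    unit = data[off:off + 2]
                    if unit == b"\x00\x00":
                        break
                    units.append(unit)
                value = b"".join(units).decode("utf-16-le", errors="replace")
                if value:
                    found.append(value)
        pos = data.find(KEY, pos + 2)
    return found


def name_mismatches(data: bytes, run_as: str) -> list:
    """OriginalFilename values that differ from the name the sample ran under
    (compared case-insensitively, as NTFS treats file names)."""
    return [n for n in original_filenames(data) if n.lower() != run_as.lower()]


def string_block(value: str) -> bytes:
    """Build one VS_VERSION_INFO String block for OriginalFilename=value.
    Used only to construct test data for this example."""
    val = value.encode("utf-16-le") + b"\x00\x00"
    body = KEY + b"\x00" * ((-(6 + len(KEY))) % 4)
    return struct.pack("<HHH", 6 + len(body) + len(val), len(val) // 2, 1) + body + val


def constructed_dump() -> bytes:
    """Constructed stand-in for a process memory dump: two version blocks
    surrounded by unrelated bytes."""
    return (b"\x90" * 64 + string_block("STHealthUp.exe")
            + b"\x00" * 8 + string_block("_.dll") + b"\xcc" * 16)


if __name__ == "__main__":
    dump = constructed_dump()
    print(original_filenames(dump))                 # ['STHealthUp.exe', '_.dll']
    print(name_mismatches(dump, "wLw52XmkOM.exe"))  # both differ from the run name
```

Run it against a real file or a Joe Sandbox .sdmp by passing the bytes to `name_mismatches`; a hit is only an indicator, since renamed legitimate binaries produce the same mismatch, but a name such as MsMpLics.dll inside an executable called something else is worth a second look.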
Source: wLw52XmkOM.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: wLw52XmkOM.exe, type: SAMPLE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.wLw52XmkOM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.wLw52XmkOM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.wLw52XmkOM.exe.35e64a2.8.raw.unpack, DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor' (4 occurrences)
Source: 0.2.wLw52XmkOM.exe.227a9d0.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor' (4 occurrences)
Source: 0.2.wLw52XmkOM.exe.4a20000.9.raw.unpack, DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor' (4 occurrences)
Source: wLw52XmkOM.exe, 00000000.00000002.2882166975.0000000000720000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;.VBp
Source: classification engine | Classification label: mal68.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
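The API chain in the 0_2_004019F0 row reads as a native loader stage: Toolhelp enumeration of the process's own modules, a resource read (FindResource, LoadResource, LockResource, SizeofResource), a run-time import lookup (LoadLibrary, GetProcAddress) and construction of a SAFEARRAY, the COM type used to hand a byte array across to managed code. The Python below is an added example, not Joe Sandbox tooling: it parses rows in this report's "Code function" format and tests each function's chain for ordered API subsequences, so the same triage can be run over a whole report. The behaviour labels and the sequences behind them are this example's own choices; the two input rows are copied from this report.

```python
import re

# One Joe Sandbox "Code function" row: the 0_2_<addr> function id followed by
# the comma-separated chain of APIs the function calls.
ROW = re.compile(r"Code function:\s*(\d+_\d+_[0-9A-Fa-f]{8})\s+([\w,]+)")
ADDR = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")

# Rows copied from the report above (functions 0_2_004019F0 and 0_2_0040CE09).
REPORT_ROWS = [
    r"Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_004019F0 "
    "OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,"
    "CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,"
    "FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,"
    "_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,"
    "LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,"
    "SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,"
    "VariantClear,VariantClear,VariantClear,",
    r"Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_0040CE09 "
    "IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,"
    "GetCurrentProcess,TerminateProcess,",
]

# Ordered API subsequences and the behaviour each one indicates.  Labels and
# sequences are this example's own, not Joe Sandbox signature definitions.
PATTERNS = {
    "enumerates its own loaded modules": ("CreateToolhelp32Snapshot", "Module32First", "Module32Next"),
    "reads a blob out of a PE resource": ("FindResource", "LoadResource", "LockResource", "SizeofResource"),
    "resolves an import at run time": ("LoadLibrary", "GetProcAddress"),
    "marshals a buffer into a COM SAFEARRAY": ("SafeArrayCreate", "SafeArrayAccessData", "SafeArrayUnaccessData"),
    "checks for an attached debugger": ("IsDebuggerPresent",),
}


def normalise(api: str) -> str:
    """Fold CRT and ANSI/Unicode variants onto one name so a pattern matches
    either spelling: _malloc -> malloc, LoadLibraryA -> LoadLibrary."""
    api = api.lstrip("_")
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        api = api[:-1]
    return api


def parse_row(line: str):
    """Return (function id, [normalised APIs]) for one report row, else None.
    A trailing function id (link text left over from the HTML) is dropped."""
    m = ROW.search(line)
    if not m:
        return None
    apis = [normalise(a) for a in m.group(2).split(",") if a and not ADDR.match(a)]
    return m.group(1), apis


def in_order(apis, pattern) -> bool:
    """True if every API in `pattern` occurs in `apis` in that order; other
    calls may sit in between."""
    it = iter(apis)
    return all(any(seen == want for seen in it) for want in pattern)


def classify(rows) -> dict:
    """Map each function id to the behaviours its API chain exhibits."""
    result = {}
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        func, apis = parsed
        hits = [label for label, pat in PATTERNS.items() if in_order(apis, pat)]
        if hits:
            result[func] = hits
    return result


if __name__ == "__main__":
    for func, hits in classify(REPORT_ROWS).items():
        print(func, "->", "; ".join(hits))
```

The subsequence test deliberately tolerates unrelated calls between the pattern's members (the _malloc/_memset pairs here), which is what keeps it matching when a compiler interleaves allocation with the resource reads.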
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Mutant created: \Sessions\1\BaseNamedObjects\STHealthUp
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Command line argument: 08A (0_2_00413780)
Source: wLw52XmkOM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wLw52XmkOM.exe | ReversingLabs: Detection: 34%
Source: wLw52XmkOM.exe | Virustotal: Detection: 40%
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: mscorjit.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Section loaded: wintypes.dll (3 occurrences)
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: wLw52XmkOM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: wLw52XmkOM.exe, 00000000.00000002.2883688606.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1624510010.000000000079F000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1621827937.0000000000778000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000002.2883523183.0000000002239000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000002.2886783889.00000000035E1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: STHealthUp.pdbh; source: wLw52XmkOM.exe, 00000000.00000002.2883688606.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1621827937.0000000000778000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000002.2883523183.0000000002239000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000002.2886873518.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000002.2886783889.00000000035E1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: STHealthUp.pdb source: wLw52XmkOM.exe, 00000000.00000002.2883688606.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1621827937.0000000000778000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000002.2883523183.0000000002239000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000002.2886873518.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000002.2886783889.00000000035E1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.wLw52XmkOM.exe.35e64a2.8.raw.unpack, DyyVDbaRvM1YfIq9il.cs | .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777365)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777266)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777259))})
Source: 0.2.wLw52XmkOM.exe.227a9d0.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs | .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777365)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777266)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777259))})
Source: 0.2.wLw52XmkOM.exe.4a20000.9.raw.unpack, DyyVDbaRvM1YfIq9il.cs | .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777365)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777266)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777259))})
Source: 0.2.wLw52XmkOM.exe.23e0f32.4.raw.unpack, DyyVDbaRvM1YfIq9il.cs | .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777365)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777266)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777259))})
Source: 0.3.wLw52XmkOM.exe.7786e2.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs | .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777365)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777266)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777259))})
Source: 0.2.wLw52XmkOM.exe.360db90.7.raw.unpack, DyyVDbaRvM1YfIq9il.cs | .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777365)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777266)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.dDYu3EUMgtAH5(16777259))})
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: wLw52XmkOM.exe | Static PE information: real checksum: 0x23bfb should be: 0x42be2
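A PE checksum that is set but wrong (0x23bfb stored against 0x42be2 computed here) means bytes were changed after the value was written, typically by a packer or patcher that did not recompute it; a stored value of zero, by contrast, is common for user-mode binaries and is not a finding on its own. The Python below is added for this page rather than taken from Joe Sandbox: it re-implements the CheckSumMappedFile algorithm so the comparison can be reproduced on any file. The image it checks by default is a constructed headers-only buffer with a deliberately wrong stored value; passing a path on the command line checks a real file instead.

```python
import struct


def checksum_field_offset(pe: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE\\0\\0)
    + 20 (IMAGE_FILE_HEADER) + 0x40 (CheckSum sits at 0x40 in PE32 and PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 0x40


def compute_checksum(pe: bytes) -> int:
    """The CheckSumMappedFile algorithm: ones'-complement sum of every 16-bit
    word with the CheckSum field itself counted as zero, folded to 16 bits,
    plus the file length."""
    skip = checksum_field_offset(pe)
    data = pe + b"\x00" if len(pe) % 2 else pe    # pad an odd-length file
    total = 0
    for off in range(0, len(data), 2):
        if off == skip or off == skip + 2:        # the two words of CheckSum
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(pe)


def stored_checksum(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, checksum_field_offset(pe))[0]


def verify(pe: bytes) -> tuple:
    """Return (stored, computed, matches).  Treat stored == 0 as 'never set'
    rather than as a mismatch when triaging."""
    stored, computed = stored_checksum(pe), compute_checksum(pe)
    return stored, computed, stored == computed


def with_correct_checksum(pe: bytes) -> bytes:
    """Copy of `pe` with the CheckSum field rewritten to the computed value."""
    out = bytearray(pe)
    struct.pack_into("<I", out, checksum_field_offset(pe), compute_checksum(pe))
    return bytes(out)


def constructed_image() -> bytes:
    """Minimal MZ/PE-shaped buffer (headers only, no sections) with a bogus
    stored checksum, built here purely as test input."""
    img = bytearray(160)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)      # e_lfanew
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x58, 0x10B)     # optional header magic (PE32)
    struct.pack_into("<I", img, 0x98, 0x23BFB)   # stored CheckSum, deliberately wrong
    return bytes(img)


if __name__ == "__main__":
    import sys
    pe = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_image()
    stored, computed, ok = verify(pe)
    print(f"stored 0x{stored:x} computed 0x{computed:x} -> {'ok' if ok else 'MISMATCH'}")
```

Because the field is excluded from the sum, rewriting it with `with_correct_checksum` does not change the computed value, which is what makes the verify-then-fix round trip consistent.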
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_0040BB97 push dword ptr [ecx-75h]; iretd 0_2_0040BBA3
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_04A843C1 push 5D6CF1B3h; ret 0_2_04A843D9
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_066B7EEF push es; retf 0_2_066B7EF0
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_066B7F7B push es; iretd 0_2_066B7F7C
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_066B7F33 push es; ret 0_2_066B7F38
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_066BF05B pushad ; retf 0_2_066BF061
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_066B802F push es; iretd 0_2_066B8030
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_066FF6D8 pushfd ; iretd 0_2_066FF6E1
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_066F9760 push es; ret 0_2_066F9770
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_066FBA09 push E406D045h; iretd 0_2_066FBA15
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_07028E20 pushfd ; ret 0_2_07028E29
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_07021151 pushfd ; iretd 0_2_0702115D
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_0702F179 push eax; ret 0_2_0702F185
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_07029863 pushad ; retf 0_2_07029879
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_0702987B push esp; retf 0_2_07029881
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_0702C09F push es; ret 0_2_0702C0A0
Source: 0.2.wLw52XmkOM.exe.35e64a2.8.raw.unpack, DyyVDbaRvM1YfIq9il.cs | High entropy of concatenated method names: 'D4r4O0AxSI', 'GBHu3EOUCogsl', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.wLw52XmkOM.exe.35e64a2.8.raw.unpack, R2mIapWar4cwoqqx6Q.cs | High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.2.wLw52XmkOM.exe.227a9d0.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs | High entropy of concatenated method names: 'D4r4O0AxSI', 'GBHu3EOUCogsl', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.wLw52XmkOM.exe.227a9d0.2.raw.unpack, R2mIapWar4cwoqqx6Q.cs | High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.2.wLw52XmkOM.exe.4a20000.9.raw.unpack, DyyVDbaRvM1YfIq9il.cs | High entropy of concatenated method names: 'D4r4O0AxSI', 'GBHu3EOUCogsl', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.wLw52XmkOM.exe.4a20000.9.raw.unpack, R2mIapWar4cwoqqx6Q.cs | High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.2.wLw52XmkOM.exe.23e0f32.4.raw.unpack, DyyVDbaRvM1YfIq9il.cs | High entropy of concatenated method names: 'D4r4O0AxSI', 'GBHu3EOUCogsl', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.wLw52XmkOM.exe.23e0f32.4.raw.unpack, R2mIapWar4cwoqqx6Q.cs | High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.3.wLw52XmkOM.exe.7786e2.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs | High entropy of concatenated method names: 'D4r4O0AxSI', 'GBHu3EOUCogsl', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.3.wLw52XmkOM.exe.7786e2.0.raw.unpack, R2mIapWar4cwoqqx6Q.cs | High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.2.wLw52XmkOM.exe.360db90.7.raw.unpack, DyyVDbaRvM1YfIq9il.cs | High entropy of concatenated method names: 'D4r4O0AxSI', 'GBHu3EOUCogsl', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.wLw52XmkOM.exe.360db90.7.raw.unpack, R2mIapWar4cwoqqx6Q.cs | High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
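The heuristic behind these hits is Shannon entropy over the concatenated method names of a class: obfuscators emit near-random identifiers, so the bits-per-character figure sits well above that of hand-written names. The Python below is an added example, not Joe Sandbox's implementation (whose threshold this page does not state): it computes that figure for the two classes listed above and for a constructed set of readable WinForms-style names. The 5.0 bits/char threshold and the 64-character minimum are assumptions to be tuned on a corpus of known-clean and known-obfuscated assemblies.

```python
import math
from collections import Counter

# Method names exactly as listed in the report above for the two classes.
REPORTED = {
    "DyyVDbaRvM1YfIq9il": ["D4r4O0AxSI", "GBHu3EOUCogsl", "creoiNvd7", "jZiU8kt7k",
                           "yIEeUuogE", "HNMMnrD0K", "U6ZIpjiMV", "TYIaeXNeW",
                           "rI3lmZ9FL", "SuhhReBcy"],
    "R2mIapWar4cwoqqx6Q": ["IWZ4FNxMCV", "X4o4BaXNNW", "ReR4PkWY9i", "XZO4yOqtpA",
                           "pcT48wm9UY", "Y9l4jroko9", "OY84tBcMwd", "JrQ4qkE5mX",
                           "iRM4R10ean", "AGe45CEX5X"],
}

# Constructed comparison set: the kind of names a hand-written WinForms class has.
READABLE = ["InitializeComponent", "LoadSettings", "SaveSettings", "OnFormLoad",
            "ButtonClick", "UpdateStatus", "ConnectToServer", "SendHeartbeat",
            "ParseResponse", "Dispose"]

# Decision threshold in bits per character: an assumption for this example.
THRESHOLD = 5.0


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for the empty string or one repeated symbol."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names) -> float:
    """Entropy of the class's method names joined into one string, which is
    what the 'concatenated method names' signature measures."""
    return shannon_entropy("".join(names))


def looks_obfuscated(names, threshold=THRESHOLD, min_chars=64) -> bool:
    """Flag a class whose concatenated method names are near-random.
    Entropy of a string is capped at log2(len), so very small classes are
    never judged, which avoids false positives on tiny helper types."""
    joined = "".join(names)
    return len(joined) >= min_chars and shannon_entropy(joined) > threshold


if __name__ == "__main__":
    for cls, names in REPORTED.items():
        print(f"{cls}: {method_name_entropy(names):.2f} bits/char, "
              f"obfuscated={looks_obfuscated(names)}")
    print(f"readable: {method_name_entropy(READABLE):.2f} bits/char, "
          f"obfuscated={looks_obfuscated(READABLE)}")
```

Mixed-case alphanumeric identifiers drawn from a 62-symbol alphabet approach 6 bits/char, while English-derived camelCase names cluster around 4 to 4.5, which is why a single threshold separates the two sets here; on a real corpus, score per class and look at the distribution before fixing the cut-off.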
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Process information set: NOOPENFILEERRORBOX (45 occurrences)
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Memory allocated: 2160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Memory allocated: 25E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Memory allocated: 2320000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | API call chain: ExitProcess graph end node (graph_0-66403)
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Process token adjusted: Debug
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: 0_2_004123F1 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Code function: GetLocaleInfoA (0_2_00417A20)
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (10 occurrences)
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\constani.ttf V
olumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\wLw52XmkOM.exeCode function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00412A15
Source: C:\Users\user\Desktop\wLw52XmkOM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix (the number in parentheses after a technique is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (1) | Input Capture (1) | System Time Discovery (1) | Remote Services | Input Capture (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (3) | Remote Desktop Protocol | Archive Collected Data (11) | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (11) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (2) | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | System Information Discovery (23) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots (shown only as thumbnails in the original report): windows-stand
Source | Detection | Scanner | Label
wLw52XmkOM.exe | 34% | ReversingLabs
wLw52XmkOM.exe | 41% | Virustotal
wLw52XmkOM.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnueFA | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com6 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Fit | 0% | Avira URL Cloud | safe
http://www.fontbureau.como.jp/ | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comB | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Pi | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Fit | 0% | Virustotal
http://www.fontbureau.comF4if | 0% | Avira URL Cloud | safe
http://www.fontbureau.comaYi | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/4if | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/8 | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comednj | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Pi | 0% | Virustotal
http://www.fontbureau.como.jp/ | 0% | Virustotal
http://www.ascendercorp.com/typedesigners.html. | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designerse | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Fy | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/8 | 0% | Virustotal
http://www.jiyu-kobo.co.jp/Y0 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comP | 0% | Avira URL Cloud | safe
http://www.ascendercorp.com/typedesigners.html. | 0% | Virustotal
http://www.jiyu-kobo.co.jp/jp/ki | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Oi | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | Virustotal
http://www.zhongyicts.com.cno.&Fc | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designerse | 0% | Virustotal
http://www.fontbureau.com= | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnd | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Fy | 0% | Virustotal
http://www.jiyu-kobo.co.jp/bi | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ki | 0% | Virustotal
http://www.jiyu-kobo.co.jp/jp/4if | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Oi | 0% | Virustotal
http://www.carterandcone.comTC | 0% | Avira URL Cloud | safe
http://www.carterandcone.comitkY | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Giw | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/bi | 0% | Virustotal
http://www.fontbureau.comived | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnd | 1% | Virustotal
http://www.carterandcone.comt | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | Avira URL Cloud | safe
http://www.fontbureau.comd | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ki | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/Yi | 0% | Avira URL Cloud | safe
http://www.fontbureau.comtalic | 0% | Avira URL Cloud | safe
http://www.monotype.Yf5 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/t | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | Virustotal
http://www.jiyu-kobo.co.jp/Yi | 0% | Avira URL Cloud | safe
http://www.fontbureau.comx | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/t | 0% | Virustotal
http://www.jiyu-kobo.co.jp/ki | 0% | Virustotal
http://www.jiyu-kobo.co.jp/Yi | 0% | Virustotal
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | wLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Fit | wLw52XmkOM.exe, 00000000.00000003.1640433108.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640543348.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640224705.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639512013.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639681409.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638962512.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639188257.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639952825.00000000055AB000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | wLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | wLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.sajatypeworks.com6 | wLw52XmkOM.exe, 00000000.00000003.1629865595.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630753132.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1629956611.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630346475.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630220282.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630021282.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630132733.00000000055BB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cnueFA | wLw52XmkOM.exe, 00000000.00000003.1635643956.00000000055AC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | wLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como.jp/ | wLw52XmkOM.exe, 00000000.00000003.1640543348.00000000055AB000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.tiro.com | wLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comB | wLw52XmkOM.exe, 00000000.00000003.1629865595.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630753132.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1629956611.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630346475.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630220282.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630021282.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630132733.00000000055BB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | wLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Pi | wLw52XmkOM.exe, 00000000.00000003.1640433108.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640543348.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640224705.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639952825.00000000055AB000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | wLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | wLw52XmkOM.exe, 00000000.00000003.1636309621.00000000055D1000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1636140853.00000000055D1000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1636217370.00000000055D1000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1636834509.00000000055D2000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1636180894.00000000055D1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comaYi | wLw52XmkOM.exe, 00000000.00000003.1642522152.00000000055AF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | wLw52XmkOM.exe, 00000000.00000003.1630132733.00000000055BB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | wLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | wLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmp | false
  • URL Reputation: safe
unknown
http://www.fontbureau.comF4ifwLw52XmkOM.exe, 00000000.00000003.1646473890.00000000055AF000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.galapagosdesign.com/staff/dennis.htmwLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.jiyu-kobo.co.jp/4ifwLw52XmkOM.exe, 00000000.00000003.1640224705.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639512013.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638549054.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639681409.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638962512.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639188257.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639952825.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638725711.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.jiyu-kobo.co.jp/8wLw52XmkOM.exe, 00000000.00000003.1637962712.00000000055A4000.00000004.00000020.00020000.00000000.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.sajatypeworks.comednjwLw52XmkOM.exe, 00000000.00000003.1629865595.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630753132.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1629956611.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630346475.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630220282.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630021282.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1630132733.00000000055BB000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.ascendercorp.com/typedesigners.html.wLw52XmkOM.exe, 00000000.00000003.1646452465.00000000055BF000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1646106838.00000000055C0000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1646237880.00000000055C0000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1645838759.00000000055BF000.00000004.00000020.00020000.00000000.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.fontbureau.com/designersewLw52XmkOM.exe, 00000000.00000003.1640543348.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.jiyu-kobo.co.jp/FywLw52XmkOM.exe, 00000000.00000003.1640433108.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640224705.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639952825.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.galapagosdesign.com/DPleasewLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.jiyu-kobo.co.jp/Y0wLw52XmkOM.exe, 00000000.00000003.1640433108.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640543348.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640224705.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639512013.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639681409.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639188257.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639952825.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.carterandcone.comPwLw52XmkOM.exe, 00000000.00000003.1636266529.00000000055D1000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1636309621.00000000055D1000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1636217370.00000000055D1000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.ascendercorp.com/typedesigners.htmlwLw52XmkOM.exe, 00000000.00000003.1646452465.00000000055BF000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1647359223.00000000055B3000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1646106838.00000000055C0000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1646237880.00000000055C0000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1645838759.00000000055BF000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.fonts.comwLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.sandoll.co.krwLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.jiyu-kobo.co.jp/jp/kiwLw52XmkOM.exe, 00000000.00000003.1640433108.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640543348.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.urwpp.deDPleasewLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.jiyu-kobo.co.jp/OiwLw52XmkOM.exe, 00000000.00000003.1640433108.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640543348.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640224705.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639512013.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639681409.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639952825.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.zhongyicts.com.cnwLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.sakkal.comwLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.zhongyicts.com.cno.&FcwLw52XmkOM.exe, 00000000.00000003.1635643956.00000000055AC000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.fontbureau.com=wLw52XmkOM.exe, 00000000.00000003.1642522152.00000000055AF000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.founder.com.cn/cndwLw52XmkOM.exe, 00000000.00000003.1634015778.00000000055B7000.00000004.00000020.00020000.00000000.sdmpfalse
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.jiyu-kobo.co.jp/biwLw52XmkOM.exe, 00000000.00000003.1640433108.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640543348.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640224705.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639512013.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638549054.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639681409.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638962512.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639188257.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639952825.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638725711.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.apache.org/licenses/LICENSE-2.0wLw52XmkOM.exe, 00000000.00000003.1635643956.00000000055AC000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.fontbureau.comwLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1642522152.00000000055AF000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.jiyu-kobo.co.jp/jp/4ifwLw52XmkOM.exe, 00000000.00000003.1640433108.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640543348.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.carterandcone.comTCwLw52XmkOM.exe, 00000000.00000003.1636834509.00000000055D2000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.carterandcone.comitkYwLw52XmkOM.exe, 00000000.00000003.1636266529.00000000055D1000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1636309621.00000000055D1000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1636217370.00000000055D1000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1636180894.00000000055D1000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.jiyu-kobo.co.jp/GiwwLw52XmkOM.exe, 00000000.00000003.1638331422.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638549054.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1637962712.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638725711.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.fontbureau.comivedwLw52XmkOM.exe, 00000000.00000003.1642522152.00000000055AF000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.carterandcone.comtwLw52XmkOM.exe, 00000000.00000003.1636266529.00000000055D1000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1636309621.00000000055D1000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.jiyu-kobo.co.jp/jp/wLw52XmkOM.exe, 00000000.00000003.1640433108.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640543348.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640224705.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639512013.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638549054.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639681409.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638962512.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639188257.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639952825.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638725711.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.fontbureau.comdwLw52XmkOM.exe, 00000000.00000003.1642522152.00000000055AF000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.jiyu-kobo.co.jp/kiwLw52XmkOM.exe, 00000000.00000003.1640224705.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.carterandcone.comlwLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.fontbureau.comtalicwLw52XmkOM.exe, 00000000.00000003.1646473890.00000000055AF000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.fontbureau.com/designers/cabarga.htmlNwLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.founder.com.cn/cnwLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.fontbureau.com/designers/frere-user.htmlwLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.jiyu-kobo.co.jp/jp/YiwLw52XmkOM.exe, 00000000.00000003.1640433108.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640543348.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638331422.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638549054.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638725711.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.monotype.Yf5wLw52XmkOM.exe, 00000000.00000003.1642096502.00000000055AC000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.jiyu-kobo.co.jp/twLw52XmkOM.exe, 00000000.00000003.1640433108.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640543348.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1640224705.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639512013.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638549054.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639681409.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638962512.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639188257.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639952825.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638725711.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.jiyu-kobo.co.jp/YiwLw52XmkOM.exe, 00000000.00000003.1640224705.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639512013.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639681409.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1638962512.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639188257.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1639952825.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wLw52XmkOM.exe, 00000000.00000003.1637962712.00000000055A4000.00000004.00000020.00020000.00000000.sdmpfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://www.jiyu-kobo.co.jp/wLw52XmkOM.exe, 00000000.00000003.1638725711.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.fontbureau.com/designers8wLw52XmkOM.exe, 00000000.00000002.2887586288.0000000006722000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.fontbureau.comxwLw52XmkOM.exe, 00000000.00000003.1640543348.00000000055AB000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1447538
Start date and time: 2024-05-25 23:41:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: wLw52XmkOM.exe (renamed because the original name is a hash value)
Original Sample Name: e78473bca17b8e1e7353570719b5ad0c.exe
Detection: MAL
Classification: mal68.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 62
  • Number of non-executed functions: 43
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analysed; the report is missing behavior information
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.3849491452610065
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: wLw52XmkOM.exe
File size: 263'168 bytes
MD5: e78473bca17b8e1e7353570719b5ad0c
SHA1: b86d03c15612419b13245d8593a6f843775f7d20
SHA256: f81de3b76d2e7f5166c6029cbd9918dcc6c8649bb0d9f869a76e141b3abca791
SHA512: 918d8ab9fcde9448e56e84f73a14f081d0514ca537853e4c3970ab4b094f92476c6a9a17456115e89c9ef70433c5225384e6d3e5f23c7e3acd2ae80c95940409
SSDEEP: 6144:WDKW1Lgbdl0TBBvjc/ZbIu2CZd/5E4Nwsxx0L9QqL8:Qh1Lk70TnvjcN2kVvDp
TLSH: 0644BE117181C2B3C4B7113045E6CB769E3A70314BBA96DBB6DD1BBA6F213D1A3362C9
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~................W.Md....PE..L...t..P..........#........
Icon Hash: 072919949c39230f
Entrypoint: 0x40cd2f
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: bf5a4aa99e5b160f8521cadd6bfe73b8
Instruction
call 00007FB48914B1D6h
jmp 00007FB489145399h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0041F058h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007FB4891454FEh
test byte ptr [eax], 00000008h
je 00007FB4891454F9h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0041B000h]
leave
retn 0008h
ret
mov eax, 00413563h
mov dword ptr [004228E4h], eax
mov dword ptr [004228E8h], 00412C4Ah
mov dword ptr [004228ECh], 00412BFEh
mov dword ptr [004228F0h], 00412C37h
mov dword ptr [004228F4h], 00412BA0h
mov dword ptr [004228F8h], eax
mov dword ptr [004228FCh], 004134DBh
mov dword ptr [00422900h], 00412BBCh
mov dword ptr [00422904h], 00412B1Eh
mov dword ptr [00422908h], 00412AABh
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007FB48914548Bh
call 00007FB48914BD10h
cmp dword ptr [ebp+00h], 00000000h
Programming Language:
  • [ASM] VS2008 build 21022
  • [IMP] VS2005 build 50727
  • [C++] VS2008 build 21022
  • [ C ] VS2008 build 21022
  • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x215b4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0x1e334 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1b1c0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x20da0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x184 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x19718 | 0x19800 | 7b218b42526c4c548865f21c7cf3e479 | False | 0.5789483762254902 | data | 6.748603021116175 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b000 | 0x6db4 | 0x6e00 | 5826801f33fc1b607aa8e942aa92e9fa | False | 0.5467329545454546 | data | 6.442956247632331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x30c0 | 0x1600 | 2fe51a72ede820cd7cf55a77ba59b1f4 | False | 0.3126775568181818 | data | 3.2625868398009703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x26000 | 0x1e334 | 0x1e400 | 59a5a7f3f063df96a7c190d2a2c98dc1 | False | 0.9312451575413223 | data | 7.819636407050906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x261b4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5906 x 5906 px/m | | | 0.5351913084553613
RT_RCDATA | 0x2a3dc | 0x19a0a | data | | | 1.0003905877869868
RT_RCDATA | 0x43de8 | 0x20 | data | | | 1.34375
RT_GROUP_ICON | 0x43e08 | 0x14 | data | | | 1.1
RT_VERSION | 0x43e1c | 0x32c | data | | | 0.4236453201970443
RT_MANIFEST | 0x44148 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
KERNEL32.dll | RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
ole32.dll | OleInitialize
OLEAUT32.dll | SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantInit, SysFreeString, SysAllocString
No network behavior found
Target ID: 0
Start time: 17:41:52
Start date: 25/05/2024
Path: C:\Users\user\Desktop\wLw52XmkOM.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\wLw52XmkOM.exe"
Imagebase: 0x400000
File size: 263'168 bytes
MD5 hash: E78473BCA17B8E1E7353570719B5AD0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false
    Execution Graph

    Execution Coverage:12.3%
    Dynamic/Decrypted Code Coverage:85.1%
    Signature Coverage:5.1%
    Total number of Nodes:1091
    Total number of Limit Nodes:79
API calls 65529->65536 65537 66f0ae0 9 API calls 65529->65537 65530->65506 65531->65530 65532->65530 65533->65530 65534->65530 65535->65530 65536->65530 65537->65530 65539 66f0ae0 65538->65539 65540 66f0afe 65539->65540 65541 66f0b40 65539->65541 65552 66f0b15 65539->65552 65542 66f0b1a 65540->65542 65543 66f0b03 65540->65543 65544 66f0dcc 65541->65544 65545 66f0b51 65541->65545 65541->65552 65549 66f0b23 65542->65549 65550 66f0ca1 65542->65550 65547 66f0b0c 65543->65547 65548 66f0d2a 65543->65548 65633 66f0310 65544->65633 65546 66f0c8e 65545->65546 65545->65552 65560 66f0c46 65545->65560 65546->65527 65547->65552 65553 66f0da2 65547->65553 65621 66f0260 65548->65621 65549->65546 65549->65552 65556 66f0d94 65549->65556 65559 66f0d38 65549->65559 65549->65560 65617 66f0210 65550->65617 65552->65546 65562 66f1080 8 API calls 65552->65562 65629 66f02e0 65553->65629 65625 66f02d0 65556->65625 65561 66f1080 8 API calls 65559->65561 65612 66f1080 65560->65612 65561->65546 65562->65546 65565 66f0af9 65564->65565 65577 66f0b15 65564->65577 65566 66f0afe 65565->65566 65567 66f0b40 65565->65567 65568 66f0b1a 65566->65568 65569 66f0b03 65566->65569 65570 66f0dcc 65567->65570 65567->65577 65578 66f0b51 65567->65578 65573 66f0b23 65568->65573 65574 66f0ca1 65568->65574 65571 66f0b0c 65569->65571 65572 66f0d2a 65569->65572 65580 66f0310 8 API calls 65570->65580 65576 66f0da2 65571->65576 65571->65577 65579 66f0260 8 API calls 65572->65579 65573->65577 65581 66f0d38 65573->65581 65582 66f0d94 65573->65582 65585 66f0c8e 65573->65585 65586 66f0c46 65573->65586 65575 66f0210 GetFocus 65574->65575 65575->65585 65583 66f02e0 8 API calls 65576->65583 65577->65585 65588 66f1080 8 API calls 65577->65588 65578->65577 65578->65585 65578->65586 65579->65585 65580->65585 65587 66f1080 8 API calls 65581->65587 65584 66f02d0 8 API calls 65582->65584 65583->65585 65584->65585 65585->65527 65589 66f1080 8 API calls 65586->65589 65587->65585 65588->65585 65589->65585 65591 66f439e 65590->65591 
65593 66f438e 65590->65593 65591->65527 65592 66f43eb 65592->65527 65593->65527 65593->65592 65670 66f4420 65593->65670 65596 66f4378 65595->65596 65596->65527 65597 66f439e 65596->65597 65598 66f4420 2 API calls 65596->65598 65597->65527 65598->65597 65600 66f38b8 65599->65600 65601 66f3886 65599->65601 65600->65527 65602 66f388d 65601->65602 65674 66f38d0 65601->65674 65602->65527 65605 66f3878 65604->65605 65606 66f388d 65605->65606 65607 66f38d0 8 API calls 65605->65607 65606->65527 65607->65606 65610 5373eb0 CallWindowProcW 65608->65610 65611 5373ec0 CallWindowProcW 65608->65611 65609 5373eaa 65609->65527 65610->65609 65611->65609 65613 66f1092 65612->65613 65614 66f108b 65612->65614 65637 66f10a0 65613->65637 65614->65546 65615 66f1098 65615->65546 65619 66f021b 65617->65619 65665 66f501c 65619->65665 65620 66f77fa 65620->65546 65622 66f026b 65621->65622 65623 66f1080 8 API calls 65622->65623 65624 66f1296 65623->65624 65624->65546 65626 66f02db 65625->65626 65627 66f1080 8 API calls 65626->65627 65628 66f35f4 65627->65628 65628->65546 65630 66f02eb 65629->65630 65631 66f1080 8 API calls 65630->65631 65632 66ff993 65630->65632 65631->65632 65632->65546 65634 66f031b 65633->65634 65635 66f1080 8 API calls 65634->65635 65636 66f2fa1 65635->65636 65636->65546 65638 66f10be 65637->65638 65640 66f10e0 65637->65640 65639 66f10cc 65638->65639 65643 5373278 65638->65643 65654 5373288 65638->65654 65639->65615 65640->65615 65644 5373288 65643->65644 65645 5373325 65644->65645 65646 5373bb4 GetKeyState 65644->65646 65651 5373c82 65644->65651 65645->65639 65647 5373be0 GetKeyState 65646->65647 65649 5373c33 GetFocus 65647->65649 65649->65651 65651->65645 65652 66f1120 2 API calls 65651->65652 65653 66f1110 2 API calls 65651->65653 65652->65645 65653->65645 65655 53732d4 65654->65655 65656 5373325 65655->65656 65657 5373bb4 GetKeyState 65655->65657 65662 5373c82 65655->65662 65656->65639 65658 5373be0 GetKeyState 65657->65658 65660 5373c33 GetFocus 65658->65660 
65660->65662 65662->65656 65663 66f1120 2 API calls 65662->65663 65664 66f1110 2 API calls 65662->65664 65663->65656 65664->65656 65667 66f5027 65665->65667 65666 66f826e 65666->65620 65667->65666 65669 66f00f8 GetFocus 65667->65669 65669->65666 65671 66f4441 65670->65671 65672 66f4464 65671->65672 65673 5373e91 2 API calls 65671->65673 65672->65591 65673->65672 65675 66f38da 65674->65675 65676 66f38c9 65674->65676 65677 66f3906 65675->65677 65678 5373e91 2 API calls 65675->65678 65679 5373278 5 API calls 65675->65679 65680 5373288 5 API calls 65675->65680 65676->65602 65677->65602 65678->65677 65679->65677 65680->65677 65682 5371c2b 65681->65682 65683 5371e76 65682->65683 65689 5371b08 65682->65689 65686 5371c2b 65685->65686 65687 5371e76 65686->65687 65688 5371b08 2 API calls 65686->65688 65688->65687 65693 5371b30 SetWindowLongW 65689->65693 65695 5371b38 SetWindowLongW 65689->65695 65690 5371b20 65690->65683 65694 5371ba4 65693->65694 65694->65690 65696 5371ba4 65695->65696 65696->65690 66442 66b26a0 66443 66b26d6 66442->66443 66444 66b2796 66443->66444 66446 66bd108 66443->66446 66447 66bd15b 66446->66447 66448 66bd179 MonitorFromPoint 66447->66448 66449 66bd1aa 66447->66449 66448->66449 66449->66444 66450 66f2da0 66451 66f2db0 66450->66451 66454 5371b08 2 API calls 66451->66454 66455 5371af7 66451->66455 66452 66f2dc2 66454->66452 66456 5371b20 66455->66456 66457 5371b30 SetWindowLongW 66455->66457 66458 5371b38 SetWindowLongW 66455->66458 66456->66452 66457->66456 66458->66456 66717 4a8ce58 66718 4a8ce9e GetCurrentProcess 66717->66718 66720 4a8cee9 66718->66720 66721 4a8cef0 GetCurrentThread 66718->66721 66720->66721 66722 4a8cf2d GetCurrentProcess 66721->66722 66723 4a8cf26 66721->66723 66724 4a8cf63 66722->66724 66723->66722 66725 4a8cf8b GetCurrentThreadId 66724->66725 66726 4a8cfbc 66725->66726 66727 66b2498 66731 66b24c0 66727->66731 66734 66b24b0 66727->66734 66728 66b24ac 66738 66b2599 66731->66738 66735 66b24c0 66734->66735 66737 66b2599 7 API calls 
66735->66737 66736 66b24fe 66736->66728 66737->66736 66739 66b25a2 66738->66739 66740 66b24fe 66738->66740 66742 216ffb8 66739->66742 66740->66728 66744 537c724 7 API calls 66742->66744 66746 537e101 66742->66746 66743 216ffcf 66743->66740 66744->66743 66747 537e110 66746->66747 66748 537e1b0 66747->66748 66750 537e230 7 API calls 66747->66750 66751 537e1d0 7 API calls 66747->66751 66752 537e1cf 7 API calls 66747->66752 66753 66b29e0 7 API calls 66747->66753 66754 66b29f0 7 API calls 66747->66754 66748->66743 66749 537e17a 66749->66743 66750->66749 66751->66749 66752->66749 66753->66749 66754->66749 66459 216b440 66460 216b493 LoadLibraryA 66459->66460 66462 216b526 66460->66462 66755 216bee0 66756 216bf23 VirtualAlloc 66755->66756 66757 216bf57 66756->66757 66208 40cbf7 66209 40cc08 66208->66209 66252 40d534 HeapCreate 66209->66252 66212 40cc46 66313 41087e 71 API calls 8 library calls 66212->66313 66215 40cc4c 66216 40cc50 66215->66216 66217 40cc58 __RTC_Initialize 66215->66217 66314 40cbb4 62 API calls 3 library calls 66216->66314 66254 411a15 67 API calls 3 library calls 66217->66254 66219 40cc57 66219->66217 66221 40cc66 66222 40cc72 GetCommandLineA 66221->66222 66223 40cc6a 66221->66223 66255 412892 71 API calls 3 library calls 66222->66255 66315 40e79a 62 API calls 3 library calls 66223->66315 66226 40cc71 66226->66222 66227 40cc82 66316 4127d7 107 API calls 3 library calls 66227->66316 66229 40cc8c 66230 40cc90 66229->66230 66231 40cc98 66229->66231 66317 40e79a 62 API calls 3 library calls 66230->66317 66256 41255f 106 API calls 6 library calls 66231->66256 66234 40cc97 66234->66231 66235 40cc9d 66236 40cca1 66235->66236 66237 40cca9 66235->66237 66318 40e79a 62 API calls 3 library calls 66236->66318 66257 40e859 73 API calls 5 library calls 66237->66257 66240 40cca8 66240->66237 66241 40ccb0 66242 40ccb5 66241->66242 66243 40ccbc 66241->66243 66319 40e79a 62 API calls 3 library calls 66242->66319 66258 4019f0 OleInitialize 66243->66258 66246 40ccbb 
66246->66243 66247 40ccd8 66248 40ccea 66247->66248 66320 40ea0a 62 API calls _doexit 66247->66320 66321 40ea36 62 API calls _doexit 66248->66321 66251 40ccef __close 66253 40cc3a 66252->66253 66253->66212 66312 40cbb4 62 API calls 3 library calls 66253->66312 66254->66221 66255->66227 66256->66235 66257->66241 66259 401ab9 66258->66259 66322 40b99e 66259->66322 66261 401abf 66262 401acd GetCurrentProcessId CreateToolhelp32Snapshot Module32First 66261->66262 66291 402467 66261->66291 66263 401dc3 FindCloseChangeNotification GetModuleHandleA 66262->66263 66271 401c55 66262->66271 66335 401650 66263->66335 66265 401e8b FindResourceA LoadResource LockResource SizeofResource 66337 40b84d 66265->66337 66269 401c9c CloseHandle 66269->66247 66270 401ecb _memset 66272 401efc SizeofResource 66270->66272 66271->66269 66275 401cf9 Module32Next 66271->66275 66273 401f1c 66272->66273 66274 401f5f 66272->66274 66273->66274 66393 401560 __VEC_memcpy __fptostr 66273->66393 66277 401f92 _memset 66274->66277 66394 401560 __VEC_memcpy __fptostr 66274->66394 66275->66263 66283 401d0f 66275->66283 66279 401fa2 FreeResource 66277->66279 66280 40b84d _malloc 62 API calls 66279->66280 66281 401fbb SizeofResource 66280->66281 66282 401fe5 _memset 66281->66282 66284 4020aa LoadLibraryA 66282->66284 66283->66269 66287 401dad Module32Next 66283->66287 66285 401650 66284->66285 66286 40216c GetProcAddress 66285->66286 66288 4021aa 66286->66288 66286->66291 66287->66263 66287->66283 66288->66291 66367 4018f0 66288->66367 66291->66247 66292 4021f1 66310 40243f 66292->66310 66379 401870 66292->66379 66294 402269 VariantInit 66295 401870 75 API calls 66294->66295 66296 40228b VariantInit 66295->66296 66297 4022a7 66296->66297 66298 4022d9 SafeArrayCreate SafeArrayAccessData 66297->66298 66384 40b350 66298->66384 66301 40232c 66302 402354 SafeArrayDestroy 66301->66302 66311 40235b 66301->66311 66302->66311 66303 402392 SafeArrayCreateVector 66304 4023a4 66303->66304 66305 4023bc VariantClear 
VariantClear 66304->66305 66386 4019a0 66305->66386 66308 40242e 66309 4019a0 65 API calls 66308->66309 66309->66310 66310->66291 66395 40b6b5 62 API calls 2 library calls 66310->66395 66311->66303 66312->66212 66313->66215 66314->66219 66315->66226 66316->66229 66317->66234 66318->66240 66319->66246 66320->66248 66321->66251 66324 40b9aa __close _strnlen 66322->66324 66323 40b9b8 66396 40bfc1 62 API calls __getptd_noexit 66323->66396 66324->66323 66328 40b9ec 66324->66328 66326 40b9bd 66397 40e744 6 API calls 2 library calls 66326->66397 66398 40d6e0 62 API calls 2 library calls 66328->66398 66330 40b9f3 66399 40b917 120 API calls 3 library calls 66330->66399 66332 40b9ff 66400 40ba18 LeaveCriticalSection _doexit 66332->66400 66334 40b9cd __close 66334->66261 66336 4017cc _realloc 66335->66336 66336->66265 66338 40b900 66337->66338 66348 40b85f 66337->66348 66408 40d2e3 6 API calls __decode_pointer 66338->66408 66340 40b906 66409 40bfc1 62 API calls __getptd_noexit 66340->66409 66345 40b8bc RtlAllocateHeap 66345->66348 66346 40b870 66346->66348 66401 40ec4d 62 API calls 2 library calls 66346->66401 66402 40eaa2 62 API calls 7 library calls 66346->66402 66403 40e7ee GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 66346->66403 66348->66345 66348->66346 66349 40b8ec 66348->66349 66352 40b8f1 66348->66352 66354 401ebf 66348->66354 66404 40b7fe 62 API calls 4 library calls 66348->66404 66405 40d2e3 6 API calls __decode_pointer 66348->66405 66406 40bfc1 62 API calls __getptd_noexit 66349->66406 66407 40bfc1 62 API calls __getptd_noexit 66352->66407 66355 40af66 66354->66355 66357 40af70 66355->66357 66356 40b84d _malloc 62 API calls 66356->66357 66357->66356 66358 40af8a 66357->66358 66362 40af8c std::bad_alloc::bad_alloc 66357->66362 66410 40d2e3 6 API calls __decode_pointer 66357->66410 66358->66270 66360 40afb2 66412 40af49 62 API calls std::exception::exception 66360->66412 66362->66360 66411 40d2bd 73 API calls __cinit 66362->66411 66363 40afbc 
66413 40cd39 RaiseException 66363->66413 66366 40afca 66368 401903 lstrlenA 66367->66368 66369 4018fc 66367->66369 66414 4017e0 66368->66414 66369->66292 66372 401940 GetLastError 66374 40194b MultiByteToWideChar 66372->66374 66375 40198d 66372->66375 66373 401996 66373->66292 66376 4017e0 72 API calls 66374->66376 66375->66373 66422 401030 GetLastError 66375->66422 66377 401970 MultiByteToWideChar 66376->66377 66377->66375 66380 40af66 74 API calls 66379->66380 66381 40187c 66380->66381 66382 4018a4 66381->66382 66383 401885 SysAllocString 66381->66383 66382->66294 66383->66382 66385 40231a SafeArrayUnaccessData 66384->66385 66385->66301 66387 4019aa InterlockedDecrement 66386->66387 66392 4019df VariantClear 66386->66392 66388 4019b8 66387->66388 66387->66392 66389 4019c2 SysFreeString 66388->66389 66390 4019c9 66388->66390 66388->66392 66389->66390 66426 40aec0 63 API calls 2 library calls 66390->66426 66392->66308 66393->66273 66394->66277 66395->66291 66396->66326 66398->66330 66399->66332 66400->66334 66401->66346 66402->66346 66404->66348 66405->66348 66406->66352 66407->66354 66408->66340 66409->66354 66410->66357 66411->66360 66412->66363 66413->66366 66415 4017e9 66414->66415 66419 401844 66415->66419 66420 40182d 66415->66420 66423 40b783 72 API calls 4 library calls 66415->66423 66421 40186d MultiByteToWideChar 66419->66421 66425 40b743 62 API calls 2 library calls 66419->66425 66420->66419 66424 40b6b5 62 API calls 2 library calls 66420->66424 66421->66372 66421->66373 66423->66420 66424->66419 66425->66419 66426->66392 66427 66f7053 66428 66f7066 66427->66428 66432 66f7301 66428->66432 66436 66f7328 PostMessageW 66428->66436 66429 66f7089 66433 66f7326 PostMessageW 66432->66433 66435 66f7394 66433->66435 66435->66429 66437 66f7394 66436->66437 66437->66429 65697 4a8f835 65698 4a8f840 65697->65698 65701 66f4928 65697->65701 65706 66f4917 65697->65706 65702 66f493a 65701->65702 65703 66f4977 65702->65703 65711 66f5050 65702->65711 65720 66f5040 
65702->65720 65703->65698 65708 66f4928 65706->65708 65707 66f4977 65707->65698 65708->65707 65709 66f5040 3 API calls 65708->65709 65710 66f5050 3 API calls 65708->65710 65709->65707 65710->65707 65712 66f5073 65711->65712 65713 66f51a8 65712->65713 65729 66b9e98 65712->65729 65734 66f53d1 65712->65734 65743 66f53e0 65712->65743 65752 66f6a08 65712->65752 65756 66b9f53 65712->65756 65766 66b9e88 65712->65766 65713->65703 65721 66f5050 65720->65721 65722 66f51a8 65721->65722 65723 66b9e88 2 API calls 65721->65723 65724 66b9e98 2 API calls 65721->65724 65725 66f6a08 2 API calls 65721->65725 65726 66b9f53 2 API calls 65721->65726 65727 66f53d1 GetPrivateProfileStringA 65721->65727 65728 66f53e0 GetPrivateProfileStringA 65721->65728 65722->65703 65723->65722 65724->65722 65725->65722 65726->65722 65727->65722 65728->65722 65731 66b9eac 65729->65731 65730 66b9ec7 65730->65713 65731->65730 65771 66b16a8 65731->65771 65733 66b9f45 65733->65713 65735 66f53f2 65734->65735 65816 66f5abf 65735->65816 65827 66f5611 65735->65827 65863 66f5922 65735->65863 65880 66f5631 65735->65880 65915 66f57bd 65735->65915 65941 66f59a7 65735->65941 65736 66f5403 65736->65713 65744 66f53f2 65743->65744 65746 66f5abf GetPrivateProfileStringA 65744->65746 65747 66f57bd GetPrivateProfileStringA 65744->65747 65748 66f59a7 GetPrivateProfileStringA 65744->65748 65749 66f5922 GetPrivateProfileStringA 65744->65749 65750 66f5631 GetPrivateProfileStringA 65744->65750 65751 66f5611 GetPrivateProfileStringA 65744->65751 65745 66f5403 65745->65713 65746->65745 65747->65745 65748->65745 65749->65745 65750->65745 65751->65745 65970 66f6a30 65752->65970 65975 66f6a40 65752->65975 65753 66f6a23 65753->65713 65757 66b9f01 65756->65757 65762 66b9f5a 65756->65762 65758 66b16a8 2 API calls 65757->65758 65759 66b9f45 65758->65759 65759->65713 65760 66b9fc4 65761 66b17a8 2 API calls 65760->65761 65764 66b9fc2 65761->65764 65762->65760 65763 66b9fa6 65762->65763 65765 66b17a8 2 API calls 65763->65765 65764->65713 
65765->65764 65768 66b9eac 65766->65768 65767 66b9ec7 65767->65713 65768->65767 65769 66b16a8 2 API calls 65768->65769 65770 66b9f45 65769->65770 65770->65713 65773 66b16bb 65771->65773 65772 66b16d8 65772->65733 65773->65772 65775 66b9f53 2 API calls 65773->65775 65779 66f6ad1 65773->65779 65784 66f6ae0 65773->65784 65789 66b9f60 65773->65789 65774 66b16fc 65774->65733 65775->65774 65780 66f6ad6 65779->65780 65781 66f6b36 65780->65781 65796 66b17a8 65780->65796 65802 66b1799 65780->65802 65781->65774 65785 66f6ae1 65784->65785 65786 66f6b36 65785->65786 65787 66b1799 2 API calls 65785->65787 65788 66b17a8 2 API calls 65785->65788 65786->65774 65787->65786 65788->65786 65790 66b9f74 65789->65790 65791 66b9fc4 65790->65791 65793 66b9fa6 65790->65793 65792 66b17a8 2 API calls 65791->65792 65794 66b9fc2 65792->65794 65795 66b17a8 2 API calls 65793->65795 65794->65774 65795->65794 65798 66b17b6 65796->65798 65797 66b17fe 65797->65781 65798->65797 65808 66f13b0 65798->65808 65812 66f13b8 65798->65812 65799 66b17f9 65799->65781 65803 66b17a8 65802->65803 65804 66b17fe 65803->65804 65806 66f13b8 SetWindowTextW 65803->65806 65807 66f13b0 SetWindowTextW 65803->65807 65804->65781 65805 66b17f9 65805->65781 65806->65805 65807->65805 65809 66f13b8 SetWindowTextW 65808->65809 65811 66f1431 65809->65811 65811->65799 65813 66f13fa 65812->65813 65814 66f1400 SetWindowTextW 65812->65814 65813->65814 65815 66f1431 65814->65815 65815->65799 65817 66f5ad3 65816->65817 65958 66f5f80 65817->65958 65962 66f5f90 65817->65962 65819 66f5b69 65821 66f5f80 GetPrivateProfileStringA 65819->65821 65822 66f5f90 GetPrivateProfileStringA 65819->65822 65820 66f5bb4 65820->65736 65821->65820 65822->65820 65823 66f5f80 GetPrivateProfileStringA 65823->65819 65824 66f5f90 GetPrivateProfileStringA 65824->65819 65828 66f561e 65827->65828 65829 66f5649 65827->65829 65828->65736 65849 66f5f80 GetPrivateProfileStringA 65829->65849 65850 66f5f90 GetPrivateProfileStringA 65829->65850 65830 66f56b2 65853 
66f5f80 GetPrivateProfileStringA 65830->65853 65854 66f5f90 GetPrivateProfileStringA 65830->65854 65831 66f5700 65861 66f5f80 GetPrivateProfileStringA 65831->65861 65862 66f5f90 GetPrivateProfileStringA 65831->65862 65832 66f574e 65847 66f5f80 GetPrivateProfileStringA 65832->65847 65848 66f5f90 GetPrivateProfileStringA 65832->65848 65833 66f581a 65859 66f5f80 GetPrivateProfileStringA 65833->65859 65860 66f5f90 GetPrivateProfileStringA 65833->65860 65834 66f58b4 65841 66f5f80 GetPrivateProfileStringA 65834->65841 65842 66f5f90 GetPrivateProfileStringA 65834->65842 65835 66f58ff 65855 66f5f80 GetPrivateProfileStringA 65835->65855 65856 66f5f90 GetPrivateProfileStringA 65835->65856 65836 66f5a04 65843 66f5f80 GetPrivateProfileStringA 65836->65843 65844 66f5f90 GetPrivateProfileStringA 65836->65844 65837 66f5a9c 65845 66f5f80 GetPrivateProfileStringA 65837->65845 65846 66f5f90 GetPrivateProfileStringA 65837->65846 65838 66f5b1c 65851 66f5f80 GetPrivateProfileStringA 65838->65851 65852 66f5f90 GetPrivateProfileStringA 65838->65852 65839 66f5b69 65857 66f5f80 GetPrivateProfileStringA 65839->65857 65858 66f5f90 GetPrivateProfileStringA 65839->65858 65840 66f5bb4 65840->65736 65841->65835 65842->65835 65843->65837 65844->65837 65845->65838 65846->65838 65847->65833 65848->65833 65849->65830 65850->65830 65851->65839 65852->65839 65853->65831 65854->65831 65855->65836 65856->65836 65857->65840 65858->65840 65859->65834 65860->65834 65861->65832 65862->65832 65864 66f5936 65863->65864 65874 66f5f80 GetPrivateProfileStringA 65864->65874 65875 66f5f90 GetPrivateProfileStringA 65864->65875 65865 66f5a04 65870 66f5f80 GetPrivateProfileStringA 65865->65870 65871 66f5f90 GetPrivateProfileStringA 65865->65871 65866 66f5a9c 65878 66f5f80 GetPrivateProfileStringA 65866->65878 65879 66f5f90 GetPrivateProfileStringA 65866->65879 65867 66f5b1c 65872 66f5f80 GetPrivateProfileStringA 65867->65872 65873 66f5f90 GetPrivateProfileStringA 65867->65873 65868 66f5b69 65876 66f5f80 
GetPrivateProfileStringA 65868->65876 65877 66f5f90 GetPrivateProfileStringA 65868->65877 65869 66f5bb4 65869->65736 65870->65866 65871->65866 65872->65868 65873->65868 65874->65865 65875->65865 65876->65869 65877->65869 65878->65867 65879->65867 65881 66f5636 65880->65881 65905 66f5f80 GetPrivateProfileStringA 65881->65905 65906 66f5f90 GetPrivateProfileStringA 65881->65906 65882 66f56b2 65911 66f5f80 GetPrivateProfileStringA 65882->65911 65912 66f5f90 GetPrivateProfileStringA 65882->65912 65883 66f5700 65895 66f5f80 GetPrivateProfileStringA 65883->65895 65896 66f5f90 GetPrivateProfileStringA 65883->65896 65884 66f574e 65901 66f5f80 GetPrivateProfileStringA 65884->65901 65902 66f5f90 GetPrivateProfileStringA 65884->65902 65885 66f581a 65913 66f5f80 GetPrivateProfileStringA 65885->65913 65914 66f5f90 GetPrivateProfileStringA 65885->65914 65886 66f58b4 65897 66f5f80 GetPrivateProfileStringA 65886->65897 65898 66f5f90 GetPrivateProfileStringA 65886->65898 65887 66f58ff 65909 66f5f80 GetPrivateProfileStringA 65887->65909 65910 66f5f90 GetPrivateProfileStringA 65887->65910 65888 66f5a04 65899 66f5f80 GetPrivateProfileStringA 65888->65899 65900 66f5f90 GetPrivateProfileStringA 65888->65900 65889 66f5a9c 65903 66f5f80 GetPrivateProfileStringA 65889->65903 65904 66f5f90 GetPrivateProfileStringA 65889->65904 65890 66f5b1c 65907 66f5f80 GetPrivateProfileStringA 65890->65907 65908 66f5f90 GetPrivateProfileStringA 65890->65908 65891 66f5b69 65893 66f5f80 GetPrivateProfileStringA 65891->65893 65894 66f5f90 GetPrivateProfileStringA 65891->65894 65892 66f5bb4 65892->65736 65893->65892 65894->65892 65895->65884 65896->65884 65897->65887 65898->65887 65899->65889 65900->65889 65901->65885 65902->65885 65903->65890 65904->65890 65905->65882 65906->65882 65907->65891 65908->65891 65909->65888 65910->65888 65911->65883 65912->65883 65913->65886 65914->65886 65916 66f57d1 65915->65916 65937 66f5f80 GetPrivateProfileStringA 65916->65937 65938 66f5f90 GetPrivateProfileStringA 
65916->65938 65917 66f581a 65933 66f5f80 GetPrivateProfileStringA 65917->65933 65934 66f5f90 GetPrivateProfileStringA 65917->65934 65918 66f58b4 65925 66f5f80 GetPrivateProfileStringA 65918->65925 65926 66f5f90 GetPrivateProfileStringA 65918->65926 65919 66f58ff 65931 66f5f80 GetPrivateProfileStringA 65919->65931 65932 66f5f90 GetPrivateProfileStringA 65919->65932 65920 66f5a04 65927 66f5f80 GetPrivateProfileStringA 65920->65927 65928 66f5f90 GetPrivateProfileStringA 65920->65928 65921 66f5a9c 65939 66f5f80 GetPrivateProfileStringA 65921->65939 65940 66f5f90 GetPrivateProfileStringA 65921->65940 65922 66f5b1c 65929 66f5f80 GetPrivateProfileStringA 65922->65929 65930 66f5f90 GetPrivateProfileStringA 65922->65930 65923 66f5b69 65935 66f5f80 GetPrivateProfileStringA 65923->65935 65936 66f5f90 GetPrivateProfileStringA 65923->65936 65924 66f5bb4 65924->65736 65925->65919 65926->65919 65927->65921 65928->65921 65929->65923 65930->65923 65931->65920 65932->65920 65933->65918 65934->65918 65935->65924 65936->65924 65937->65917 65938->65917 65939->65922 65940->65922 65942 66f59bb 65941->65942 65948 66f5f80 GetPrivateProfileStringA 65942->65948 65949 66f5f90 GetPrivateProfileStringA 65942->65949 65943 66f5a04 65956 66f5f80 GetPrivateProfileStringA 65943->65956 65957 66f5f90 GetPrivateProfileStringA 65943->65957 65944 66f5a9c 65952 66f5f80 GetPrivateProfileStringA 65944->65952 65953 66f5f90 GetPrivateProfileStringA 65944->65953 65945 66f5b1c 65954 66f5f80 GetPrivateProfileStringA 65945->65954 65955 66f5f90 GetPrivateProfileStringA 65945->65955 65946 66f5b69 65950 66f5f80 GetPrivateProfileStringA 65946->65950 65951 66f5f90 GetPrivateProfileStringA 65946->65951 65947 66f5bb4 65947->65736 65948->65943 65949->65943 65950->65947 65951->65947 65952->65945 65953->65945 65954->65946 65955->65946 65956->65944 65957->65944 65959 66f5f90 65958->65959 65966 66f4dfc 65959->65966 65963 66f5fb2 65962->65963 65964 66f4dfc GetPrivateProfileStringA 65963->65964 65965 66f5b1c 65964->65965 
65965->65823 65965->65824 65968 66f6018 65966->65968 65967 66f62b6 GetPrivateProfileStringA 65969 66f6310 65967->65969 65968->65967 65968->65968 65971 66f6a50 65970->65971 65972 66f6a66 65971->65972 65973 66b16a8 2 API calls 65971->65973 65980 66b1698 65971->65980 65972->65753 65973->65972 65976 66f6a50 65975->65976 65977 66f6a66 65976->65977 65978 66b16a8 2 API calls 65976->65978 65979 66b1698 2 API calls 65976->65979 65977->65753 65978->65977 65979->65977 65982 66b16a8 65980->65982 65981 66b16d8 65981->65972 65982->65981 65984 66b9f53 2 API calls 65982->65984 65985 66b9f60 2 API calls 65982->65985 65986 66f6ad1 2 API calls 65982->65986 65987 66f6ae0 2 API calls 65982->65987 65983 66b16fc 65983->65972 65984->65983 65985->65983 65986->65983 65987->65983 65988 5376928 65989 537693a 65988->65989 66001 537573c 65989->66001 65995 53769b0 65996 5376590 7 API calls 65995->65996 65997 5376a35 65996->65997 66013 66b3251 65997->66013 66024 66b3260 65997->66024 65998 5376b24 66002 5375747 66001->66002 66035 5376670 66002->66035 66004 537696a 66005 537574c 66004->66005 66006 5375757 66005->66006 66148 537c5f0 66006->66148 66008 5376988 66009 5376590 66008->66009 66010 537659b 66009->66010 66153 537c724 66010->66153 66012 537e0f6 66012->65995 66015 66b3260 66013->66015 66014 66b32fb 66022 66b3251 GetCurrentThreadId 66014->66022 66023 66b3260 GetCurrentThreadId 66014->66023 66015->66014 66017 66b3330 66015->66017 66016 66b3305 66016->65998 66018 66b3434 66017->66018 66184 66b1d14 66017->66184 66018->65998 66021 66b1d14 GetCurrentThreadId 66021->66018 66022->66016 66023->66016 66026 66b3275 66024->66026 66025 66b32fb 66033 66b3251 GetCurrentThreadId 66025->66033 66034 66b3260 GetCurrentThreadId 66025->66034 66026->66025 66028 66b3330 66026->66028 66027 66b3305 66027->65998 66029 66b1d14 GetCurrentThreadId 66028->66029 66032 66b3434 66028->66032 66030 66b3458 66029->66030 66031 66b1d14 GetCurrentThreadId 66030->66031 66031->66032 66032->65998 66033->66027 66034->66027 66036 
    [Remainder of the call-graph edge list for the 0x4A80000, 0x5370000, 0x66B0000 and 0x66F0000 regions; the rendered graph is not reproduced here. API calls named on these edges: CreateWindowExW, GetClassInfoW, GetFocus, KiUserCallbackDispatcher, SetWindowTextW, GetPrivateProfileStringA, GetCurrentThreadId.]

    Control-flow Graph
    [Function 0x4019f0-0x402496; the rendered graph is not reproduced here. Calls named in its blocks, in address order: OleInitialize (0x4019f0); GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First (0x401acd); a Module32Next loop (blocks 0x401cf9 and 0x401dad) whose comparison blocks can branch to CloseHandle (0x401c9c); FindCloseChangeNotification, GetModuleHandleA, FindResourceA, LoadResource, LockResource, SizeofResource (0x401dc3); SizeofResource (0x401ef3); FreeResource, SizeofResource, LoadLibraryA, GetProcAddress (0x401f92); then VariantInit x2, SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, two calls to 0x71d01c/0x71d01d (addresses outside the 0x400000 image), SafeArrayDestroy, SafeArrayCreateVector and VariantClear (0x402257-0x402445).]
    APIs
    • OleInitialize.OLE32(00000000), ref: 004019FD
    • _getenv.LIBCMT ref: 00401ABA
    • GetCurrentProcessId.KERNEL32 ref: 00401ACD
    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
    • Module32First.KERNEL32 ref: 00401C48
    • CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
    • Module32Next.KERNEL32(00000000,?), ref: 00401D02
    • Module32Next.KERNEL32(00000000,?), ref: 00401DB6
    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
    • GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
    • FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
    • LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
    • LockResource.KERNEL32(00000000), ref: 00401EA7
    • SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
    • _malloc.LIBCMT ref: 00401EBA
    • _memset.LIBCMT ref: 00401EDD
    • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
    • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
    • API String ID: 2366190142-2962942730
    • Opcode ID: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
    • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
    • Opcode Fuzzy Hash: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
    • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
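    A practitioner triaging a report in this form usually wants the per-function API lists condensed into a capability summary instead of reading them block by block. The script below is an added example written for this page, not Joe Sandbox code. It parses the "APIs" and "Memory Dump Source" line shapes shown above (the embedded sample text is copied from the 0x4019f0 and 0x66f600c blocks on this page), orders calls by call-site address so the sequence matches the graph, decodes the CreateToolhelp32Snapshot flags argument (0x8 is TH32CS_SNAPMODULE, so the sample snapshots its own module list), and records whether the calling code lives in a PE-backed region or in one the report marks "based on PE: false". The capability map is the editor's own heuristic and an assumption, not a Joe Sandbox signature.

```python
"""Summarise the per-function blocks of a Joe Sandbox report (added example,
not Joe Sandbox code).  It relies only on line shapes seen on this page:
"• Name.MODULE(args), ref: 0040ABCD" entries under an "APIs" header and
"• Source File: ..., Offset: 00400000, based on PE: true" lines."""
import re

# Constructed sample: lines copied from the 0x4019f0 and 0x66f600c blocks above.
SAMPLE = """\
APIs
• OleInitialize.OLE32(00000000), ref: 004019FD
• _getenv.LIBCMT ref: 00401ABA
• GetCurrentProcessId.KERNEL32 ref: 00401ACD
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
• Module32First.KERNEL32 ref: 00401C48
• CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
• Module32Next.KERNEL32(00000000,?), ref: 00401D02
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
• FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
• LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
• LockResource.KERNEL32(00000000), ref: 00401EA7
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
• SizeofResource.KERNEL32(00000000,?), ref: 00401F02
Memory Dump Source
• Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• GetPrivateProfileStringA.KERNEL32(?,?,?,00000000,?,?), ref: 066F62FE
Memory Dump Source
• Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
"""

API_LINE = re.compile(r"^•\s*(\S+?)\.(\w+)(?:\(([^)]*)\))?.*?ref:\s*([0-9A-Fa-f]+)")
SOURCE_LINE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")

# Editor's heuristic capability map (an assumption, not a Joe Sandbox signature):
# a block earns a label only when it calls every API in the set.
CAPABILITIES = {
    "module enumeration (Toolhelp32)": {"CreateToolhelp32Snapshot", "Module32First", "Module32Next"},
    "payload carried in a PE resource": {"FindResourceA", "LoadResource", "LockResource", "SizeofResource"},
    "runtime import resolution": {"LoadLibraryA", "GetProcAddress"},
    "COM SafeArray/Variant marshalling": {"VariantInit", "SafeArrayCreate", "SafeArrayAccessData"},
}
TH32CS = {0x1: "HEAPLIST", 0x2: "PROCESS", 0x4: "THREAD", 0x8: "MODULE", 0x10: "MODULE32"}

def parse_blocks(text):
    """One dict per function block: sorted (site, name, module, args) calls,
    the dump's load offset and whether the dump is backed by a PE file."""
    blocks, cur = [], None
    for raw in text.splitlines():
        s = raw.strip()
        # A block starts at "APIs"; a "Memory Dump Source" header starts one
        # only when the current block already has its source (graph-less blocks).
        if s == "APIs" or (s == "Memory Dump Source" and cur is not None and cur["offset"] is not None):
            cur = {"apis": [], "offset": None, "pe_backed": None}
            blocks.append(cur)
            continue
        if cur is None or "Part of subcall" in s:   # callee APIs are not this function's
            continue
        m = API_LINE.match(s)
        if m:
            name, module, args, ref = m.groups()
            cur["apis"].append((int(ref, 16), name, module, args or ""))
            continue
        m = SOURCE_LINE.search(s)
        if m:
            cur["offset"], cur["pe_backed"] = int(m.group(1), 16), m.group(2) == "true"
    for b in blocks:
        b["apis"].sort()            # call-site address order == order in the graph
    return blocks

def decode_snapshot_flags(args):
    """Decode CreateToolhelp32Snapshot's dwFlags (first recorded argument)."""
    first = args.split(",")[0]
    if not re.fullmatch(r"[0-9A-Fa-f]+", first):
        return []                   # the sandbox printed '?' for an unresolved value
    val = int(first, 16)
    return [n for bit, n in sorted(TH32CS.items()) if val & bit]

def summarise(text):
    """Per block: call sequence, matched capabilities, PE backing, snapshot flags."""
    out = []
    for b in parse_blocks(text):
        if not b["apis"]:
            continue
        names = {a[1] for a in b["apis"]}
        flags = [decode_snapshot_flags(a[3]) for a in b["apis"] if a[1] == "CreateToolhelp32Snapshot"]
        out.append({
            "first_site": b["apis"][0][0],
            "sequence": [a[1] for a in b["apis"]],
            "capabilities": sorted(c for c, need in CAPABILITIES.items() if need <= names),
            "pe_backed": b["pe_backed"],
            "snapshot_flags": flags[0] if flags else [],
        })
    return out

if __name__ == "__main__":
    for e in summarise(SAMPLE):
        backing = "PE-backed" if e["pe_backed"] else "NOT PE-backed (dynamic code)"
        print(f"0x{e['first_site']:08x} {backing}: {', '.join(e['capabilities']) or 'no pattern'}")
        print("   ", " -> ".join(e["sequence"]))
```

    Run it over the full report text rather than the sample to get one row per function. Note that the API list for 0x4019f0 on this page stops at SizeofResource, while its graph also names LoadLibraryA, GetProcAddress and the SafeArray/Variant calls; feeding those lines in adds the "runtime import resolution" and SafeArray labels to the same row, and every block from the 0x4A80000, 0x5370000 and 0x66F0000 dumps comes out as "NOT PE-backed", which is the first thing to check before trusting any API attribution from those regions.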

    Control-flow Graph
    [Function 0x66f600c-0x66f63c6; the rendered graph is not reproduced here. The only API call named in its blocks is GetPrivateProfileStringA (block 0x66f62b6-0x66f630e); the remainder is a series of short loops (self-edges at 0x66f60b7, 0x66f6110, 0x66f6169, 0x66f61de, 0x66f628d) ending in a terminal self-loop at 0x66f63c6.]
    APIs
    • GetPrivateProfileStringA.KERNEL32(?,?,?,00000000,?,?), ref: 066F62FE
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: PrivateProfileString
    • String ID: B^.$ B^.
    • API String ID: 1096422788-1586472816
    • Opcode ID: 187cbebf499f1507b2b7eb519de86d74a8b8454df3fbd396b8d6af8edd02a7ea
    • Instruction ID: 39da0224ef6035498ef1e98f8a99ccaef11462d9d33ef383e259a8f4f451b50c
    • Opcode Fuzzy Hash: 187cbebf499f1507b2b7eb519de86d74a8b8454df3fbd396b8d6af8edd02a7ea
    • Instruction Fuzzy Hash: 35C19A71D202198FDB54CFA8C9817AEBBF2BF48314F148529E959E7381DB749881CB82
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0bc34956bec03c70e81e631fed65c360a733e5f133d093fae2d8730b4c5090f6
    • Instruction ID: eb4ae14840c7a5bdbe27d093a9f1c56b31877f3161c54214531e881670490ed0
    • Opcode Fuzzy Hash: 0bc34956bec03c70e81e631fed65c360a733e5f133d093fae2d8730b4c5090f6
    • Instruction Fuzzy Hash: C9D16CB1A00329CFDB54DFA5C948BADBBF2BF44304F148259E409AF2A1DB74E946DB40
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID: B^.
    • API String ID: 0-176575641
    • Opcode ID: 2bd38538bdbdde02d777cce966de5476acad965a7ebc67cf664b43cc5e85b2ed
    • Instruction ID: c4e532dfdcaf39bf15644c90be4bb3e689fe59e8af2a7769f2e4f91ae30edc13
    • Opcode Fuzzy Hash: 2bd38538bdbdde02d777cce966de5476acad965a7ebc67cf664b43cc5e85b2ed
    • Instruction Fuzzy Hash: 70323971A0062ACFCB61DF64C944BD9B7B2FF49300F1486D9E909AB221DB75AA85CF40
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bb793f83cf918351cbff2b7b3bfe91608930f925fe669e520acc28447edb36fb
    • Instruction ID: 9b2bfb0e29ea4c8efbb6d440e8d53dc1ce3fc449572e190e041f78e1da1a1ad3
    • Opcode Fuzzy Hash: bb793f83cf918351cbff2b7b3bfe91608930f925fe669e520acc28447edb36fb
    • Instruction Fuzzy Hash: 5B524D75A1066ACFCB51DF64C844AE9B7B1FF49300F1486D9E409AB261EB31EE82DF40
    Memory Dump Source
    • Source File: 00000000.00000002.2887186576.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5370000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c30446535b65ebe9057d61fed8226c10856f55863e7f774cdd8e9d4a02ef057b
    • Instruction ID: d6432794791a296e9f072b2aa65c5e7b60f611c289b6db6f33fc29ca747088bd
    • Opcode Fuzzy Hash: c30446535b65ebe9057d61fed8226c10856f55863e7f774cdd8e9d4a02ef057b
    • Instruction Fuzzy Hash: 7EA1A475E0031ACFCB14DFA4D8949DDFBBAFF89310F148219E41AAB2A5DB74A941CB50
    Memory Dump Source
    • Source File: 00000000.00000002.2887186576.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5370000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bedec8c390a16ebc0169fe2530ab2eb3db0c980b9bccaf184fd4163280a33392
    • Instruction ID: f49f97466d565023381c69fd3d8aee7b3280314d32c1022fb8d2486fc78e9a20
    • Opcode Fuzzy Hash: bedec8c390a16ebc0169fe2530ab2eb3db0c980b9bccaf184fd4163280a33392
    • Instruction Fuzzy Hash: 82919635E0030ADFCB14DFA0D8849DDFBBAFF99314F148219E419AB2A4DB74A946CB50

    Control-flow Graph
    [Function 0x40cbf7-0x40cd2e; the rendered graph is not reproduced here. Calls named in its blocks: 0x40d534, 0x40cbb4, 0x41087e, 0x4129c9, 0x411a15, GetCommandLineA with 0x412892, 0x4127d7, 0x41255f, 0x40e859, then 0x4019f0 from block 0x40ccbc, followed by 0x40ea0a/0x40ea36 and 0x40e21d; the error paths go through 0x40e79a. Together with the API ID below (__cinit, __ioinit, __mtinit, __setargv, __setenvp, __amsg_exit, _fast_error_exit) this is the CRT start-up routine, so the function at 0x4019f0 is the program's main.]
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
    • String ID:
    • API String ID: 2598563909-0
    • Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
    • Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
    • Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
    • Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C

    Control-flow Graph
    [Function 0x4a8ce48-0x4a8d025; the rendered graph is not reproduced here. Calls in order: GetCurrentProcess (0x4a8ce48), GetCurrentThread (0x4a8cef0), GetCurrentProcess (0x4a8cf2d), 0x4a8d027 (0x4a8cf6a), GetCurrentThreadId (0x4a8cf8b).]
    APIs
    • GetCurrentProcess.KERNEL32 ref: 04A8CED6
    • GetCurrentThread.KERNEL32 ref: 04A8CF13
    • GetCurrentProcess.KERNEL32 ref: 04A8CF50
    • GetCurrentThreadId.KERNEL32 ref: 04A8CFA9
    Memory Dump Source
    • Source File: 00000000.00000002.2886976668.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a80000_wLw52XmkOM.jbxd
    Similarity
    • API ID: Current$ProcessThread
    • String ID: B^.
    • API String ID: 2063062207-176575641
    • Opcode ID: d83ac4e4a02a9428e128bc7540e3585a4e2b552866a5b965c0ffdf26b05248d2
    • Instruction ID: e4fa969f2e64a006fc8726a3f28f9ae3ac0785a1ab206b85bdd7f25d3beb4ad2
    • Opcode Fuzzy Hash: d83ac4e4a02a9428e128bc7540e3585a4e2b552866a5b965c0ffdf26b05248d2
    • Instruction Fuzzy Hash: 4E5159B09013098FEB14DFA9D548BDEBBF1EF88314F208059D559A72A0D734A985CF65

    Control-flow Graph
    [Function 0x4a8ce58-0x4a8d025, the same body as the 0x4a8ce48 block above entered sixteen bytes later; the rendered graph is not reproduced here. Calls in order: GetCurrentProcess (0x4a8ce58), GetCurrentThread (0x4a8cef0), GetCurrentProcess (0x4a8cf2d), 0x4a8d027 (0x4a8cf6a), GetCurrentThreadId (0x4a8cf8b).]
    APIs
    • GetCurrentProcess.KERNEL32 ref: 04A8CED6
    • GetCurrentThread.KERNEL32 ref: 04A8CF13
    • GetCurrentProcess.KERNEL32 ref: 04A8CF50
    • GetCurrentThreadId.KERNEL32 ref: 04A8CFA9
    Memory Dump Source
    • Source File: 00000000.00000002.2886976668.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a80000_wLw52XmkOM.jbxd
    Similarity
    • API ID: Current$ProcessThread
    • String ID: B^.
    • API String ID: 2063062207-176575641
    • Opcode ID: 7ed57b1daf85e4857215ed625997ada82c8868eb590245ae3e45d728dbf2a7fc
    • Instruction ID: b78be956a78d1bd1ce4f468b532cef13048708111a7af4cb3cfa3947127f86a2
    • Opcode Fuzzy Hash: 7ed57b1daf85e4857215ed625997ada82c8868eb590245ae3e45d728dbf2a7fc
    • Instruction Fuzzy Hash: 5C5138B09003098FEB14DFA9D948BDEBBF1EF88314F208459E419A73A0D734A984CF65
    Memory Dump Source
    • Source File: 00000000.00000002.2887186576.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5370000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID: B^.
    • API String ID: 0-176575641
    • Opcode ID: e9274e843275177e56049a4970dd373080d47f5fa363eade7282a3d239974e2a
    • Instruction ID: dae804dff9264ec9789c40a1b5663a5cb38838ed5a81a37d4b45ee7176253c56
    • Opcode Fuzzy Hash: e9274e843275177e56049a4970dd373080d47f5fa363eade7282a3d239974e2a
    • Instruction Fuzzy Hash: 9D224D74E0424DCFDB34DB58C589ABEBBB6FB88310F248856D812AB764C77C9881DB51

    Control-flow Graph
    [Function 0x4018f0-0x40199a; the rendered graph is not reproduced here. Calls: lstrlenA, 0x4017e0, MultiByteToWideChar (0x401903); on one branch GetLastError (0x401940) followed by MultiByteToWideChar, 0x4017e0, MultiByteToWideChar (0x40194b); then 0x401030 (0x401991).]
    APIs
    • lstrlenA.KERNEL32(?), ref: 00401906
    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
    • GetLastError.KERNEL32 ref: 00401940
    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: ByteCharMultiWide$ErrorLastlstrlen
    • String ID:
    • API String ID: 3322701435-0
    • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
    • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
    • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
    • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

    Control-flow Graph
    [Function 0x40af66-0x40afca; the rendered graph is not reproduced here. Calls: 0x40b84d in a loop with 0x40d2e3 (blocks 0x40af7d/0x40af70), then either 0x40aefc and 0x40d2bd (0x40af9a) or 0x40af49 and 0x40cd39 (0x40afb3). The API list below resolves these to _malloc, std::bad_alloc / std::bad_exception construction and __CxxThrowException@8, i.e. the CRT allocation routine that throws on failure.]
    APIs
    • _malloc.LIBCMT ref: 0040AF80
      • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
      • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
      • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
    • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
      • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
    • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
    • __CxxThrowException@8.LIBCMT ref: 0040AFC5
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
    • String ID:
    • API String ID: 1411284514-0
    • Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
    • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
    • Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
    • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

    Control-flow Graph
    [Function 0x66f4dfc-0x66f63c6, the same body as the 0x66f600c block above entered at 0x66f4dfc; the rendered graph is not reproduced here. GetPrivateProfileStringA (block 0x66f62a6-0x66f630e) is the only API call named; the rest is short loops ending in a terminal self-loop at 0x66f63c6.]
    APIs
    • GetPrivateProfileStringA.KERNEL32(?,?,?,00000000,?,?), ref: 066F62FE
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: PrivateProfileString
    • String ID: B^.$ B^.
    • API String ID: 1096422788-1586472816
    • Opcode ID: f7a5fe0c09032137e87eb384e527925bae44c88bb0924d7fa4895eba1bba8ba4
    • Instruction ID: 1b0bb6ed0ce16be602c896c6cab68d82f25c0c95515d2cddf006dc8aa8985a59
    • Opcode Fuzzy Hash: f7a5fe0c09032137e87eb384e527925bae44c88bb0924d7fa4895eba1bba8ba4
    • Instruction Fuzzy Hash: 8FC19B71D20219CFDB54CFA8C9817AEBBF2BF48304F148529E959E7395DB749881CB82

    Control-flow Graph
    [Function 0x66f1e10-0x66f208f; the rendered graph is not reproduced here. Calls: 0x66f1544 (0x66f1e10), 0x66f1554 and 0x66f1564 (0x66f1e43), 0x66f1570 (0x66f1fcb), SendMessageW (block 0x66f2003-0x66f2072).]
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID: B^.$Hbq
    • API String ID: 0-2870721958
    • Opcode ID: 9e49719ac7ef687cb6bf4d1005ee29cfb3664750d370b2c53d1f622170e3cdd2
    • Instruction ID: 1e40d9207d19780e61a340fc90181b01d9f4e7089e57ab10b8be4c511bab88df
    • Opcode Fuzzy Hash: 9e49719ac7ef687cb6bf4d1005ee29cfb3664750d370b2c53d1f622170e3cdd2
    • Instruction Fuzzy Hash: B071F272A002049FC754DB69D855BAFBFFAEB99350F14806AE1099B351DA30AD45CBE0

    Control-flow Graph
    [Function 0x66f6de8-0x66f71c3; the rendered graph is not reproduced here. The only API call named in its blocks is GetCurrentThreadId (block 0x66f6e94-0x66f6ef5).]
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 066F6EE1
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID: B^.$ B^.
    • API String ID: 2882836952-1586472816
    • Opcode ID: 9c02be315ea3e6938edd3af643def56eb3ebeebef1340145a7f165b6bdab5039
    • Instruction ID: de02551ff77199564583c564ddddd719fcdb3bda660d0da844d14c1904f28109
    • Opcode Fuzzy Hash: 9c02be315ea3e6938edd3af643def56eb3ebeebef1340145a7f165b6bdab5039
    • Instruction Fuzzy Hash: 9F818870E102488FDB54DFA9D944ADEBFF6BF88310F14842AD515AB3A0DB34A945CFA1

    Control-flow Graph

    control_flow_graph 1169 53718e4-5371956 1170 5371961-5371968 1169->1170 1171 5371958-537195e 1169->1171 1172 5371973-5371a12 CreateWindowExW 1170->1172 1173 537196a-5371970 1170->1173 1171->1170 1175 5371a14-5371a1a 1172->1175 1176 5371a1b-5371a53 1172->1176 1173->1172 1175->1176 1180 5371a55-5371a58 1176->1180 1181 5371a60 1176->1181 1180->1181 1182 5371a61 1181->1182 1182->1182
    APIs
    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05371A02
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887186576.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5370000_wLw52XmkOM.jbxd
    Similarity
    • API ID: CreateWindow
    • String ID: B^.$ B^.
    • API String ID: 716092398-1586472816
    • Opcode ID: 440741d687e9a772873dc6a5845e53586181740c71218df18dbeddab8801e3c0
    • Instruction ID: 6e295cfdf0fe928bf57b78d61bb4d4c8ac47244abac0d8d34b11054f40fce08f
    • Opcode Fuzzy Hash: 440741d687e9a772873dc6a5845e53586181740c71218df18dbeddab8801e3c0
    • Instruction Fuzzy Hash: C451CFB1D10349DFDB14CFA9D984ADEBBF5BF48310F24812AE819AB210D7749985CF91

    Control-flow Graph

    control_flow_graph 1183 53718f0-5371956 1184 5371961-5371968 1183->1184 1185 5371958-537195e 1183->1185 1186 5371973-5371a12 CreateWindowExW 1184->1186 1187 537196a-5371970 1184->1187 1185->1184 1189 5371a14-5371a1a 1186->1189 1190 5371a1b-5371a53 1186->1190 1187->1186 1189->1190 1194 5371a55-5371a58 1190->1194 1195 5371a60 1190->1195 1194->1195 1196 5371a61 1195->1196 1196->1196
    APIs
    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05371A02
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887186576.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5370000_wLw52XmkOM.jbxd
    Similarity
    • API ID: CreateWindow
    • String ID: B^.$ B^.
    • API String ID: 716092398-1586472816
    • Opcode ID: a2c057cf240085b4d6f7f4eee17ec49350e72dc4995e96ff9e6983010a014092
    • Instruction ID: 1bee7a965bbbea51c50878ce7c96852c8fe5b33ee19adf4dd0c9658e3d6ed23a
    • Opcode Fuzzy Hash: a2c057cf240085b4d6f7f4eee17ec49350e72dc4995e96ff9e6983010a014092
    • Instruction Fuzzy Hash: 6241BEB1D103499FDB14CFA9D984ADEBBF5BF48310F24812AE819AB210D7749985CF91

    Control-flow Graph

    control_flow_graph 1197 216b440-216b49f 1199 216b4a1-216b4ab 1197->1199 1200 216b4d8-216b524 LoadLibraryA 1197->1200 1199->1200 1201 216b4ad-216b4af 1199->1201 1207 216b526-216b52c 1200->1207 1208 216b52d-216b55e 1200->1208 1202 216b4d2-216b4d5 1201->1202 1203 216b4b1-216b4bb 1201->1203 1202->1200 1205 216b4bf-216b4ce 1203->1205 1206 216b4bd 1203->1206 1205->1205 1210 216b4d0 1205->1210 1206->1205 1207->1208 1212 216b560-216b564 1208->1212 1213 216b56e 1208->1213 1210->1202 1212->1213 1214 216b566-216b569 call 2160260 1212->1214 1214->1213
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0216B514
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2883138040.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2160000_wLw52XmkOM.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: B^.$ B^.
    • API String ID: 1029625771-1586472816
    • Opcode ID: 0072949e803c69f0f83e70be2b2fec7c4733c153f453932f6c841eb80277a1a1
    • Instruction ID: f7bad0de1b87f4f6b47797db2367eabe2c058a92f38849f9ba50dbd68d1cbe68
    • Opcode Fuzzy Hash: 0072949e803c69f0f83e70be2b2fec7c4733c153f453932f6c841eb80277a1a1
    • Instruction Fuzzy Hash: F13132B1D142588FDB10CFA9D9897AEBBF1AB48318F148129E819FB350D7749941CF92
    APIs
    • GetModuleHandleW.KERNELBASE(00000000), ref: 04A8B11E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2886976668.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a80000_wLw52XmkOM.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: B^.
    • API String ID: 4139908857-176575641
    • Opcode ID: 9fbc456e8d36522878f21e574d7f6f1f4f64bda0b78a8511ef5d288e64ccc651
    • Instruction ID: 0b45fe4d936900a00e5e66ccc70fdeae6b576e8acf6b69af6dd285c64369f59d
    • Opcode Fuzzy Hash: 9fbc456e8d36522878f21e574d7f6f1f4f64bda0b78a8511ef5d288e64ccc651
    • Instruction Fuzzy Hash: 087115B0A00B058FD724EF29D54475ABBF5FF88304F108A2EE48A9BA50D775F946CB91
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 066F6EE1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID: B^.
    • API String ID: 2882836952-176575641
    • Opcode ID: 42c09fe988d40cbdc98b73daf4c3607410f1de4bf6ec568419f0c187bd014110
    • Instruction ID: 25bd4668066232b05847c3a852aa36f2aae23f344f407a13a662888d555bb9af
    • Opcode Fuzzy Hash: 42c09fe988d40cbdc98b73daf4c3607410f1de4bf6ec568419f0c187bd014110
    • Instruction Fuzzy Hash: 6251AA70E102889FDB55DFA8C940ADDBFF6AF85300F18842AE555EB3A0CB34A845CB91
    APIs
    • CreateActCtxA.KERNEL32(?), ref: 04A85B19
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2886976668.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a80000_wLw52XmkOM.jbxd
    Similarity
    • API ID: Create
    • String ID: B^.
    • API String ID: 2289755597-176575641
    • Opcode ID: 978339b5974b554533439407e17801477b8b611ce1934727215f454a055c798d
    • Instruction ID: 6c098ac0f0bb853a225cd0cf133e7c833fe2431230f743b5cb273d48a155a3a8
    • Opcode Fuzzy Hash: 978339b5974b554533439407e17801477b8b611ce1934727215f454a055c798d
    • Instruction Fuzzy Hash: AD41D2B0C00619DFDB24DFA9C884B9EBBF5FF58304F2480AAD408AB255EB756945CF90
    APIs
    • CreateActCtxA.KERNEL32(?), ref: 04A85B19
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2886976668.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a80000_wLw52XmkOM.jbxd
    Similarity
    • API ID: Create
    • String ID: B^.
    • API String ID: 2289755597-176575641
    • Opcode ID: 26c2777c505e0f69fb404c560d3db9b3ff33fd0b8769a8aa88e0cfadea33074f
    • Instruction ID: 4f87eeee007290c9f57c706254ffaa53bb880d000aa8500403093df82d3af9a2
    • Opcode Fuzzy Hash: 26c2777c505e0f69fb404c560d3db9b3ff33fd0b8769a8aa88e0cfadea33074f
    • Instruction Fuzzy Hash: 4041D2B0C00619DFDB24DFA9C88478EBBF5FF58304F24809AD408AB254EB756945CF91
    APIs
    • CallWindowProcW.USER32(?,?,?,?,?), ref: 05373F81
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887186576.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5370000_wLw52XmkOM.jbxd
    Similarity
    • API ID: CallProcWindow
    • String ID: B^.
    • API String ID: 2714655100-176575641
    • Opcode ID: 6ebf33fb4e3f4f6ebd587eca889aca62ac1037312f5662a13bb9f50b90495b84
    • Instruction ID: 4c77eb84d18ef36880f2c1cf6d46c3e9dd3108774afd6a2c487dd4be0e5a971e
    • Opcode Fuzzy Hash: 6ebf33fb4e3f4f6ebd587eca889aca62ac1037312f5662a13bb9f50b90495b84
    • Instruction Fuzzy Hash: D841FBB9900309CFDB14CF99C448AAABBF5FF88314F24C859E519AB321D774A841CFA1
    APIs
    • PostMessageW.USER32(?,?,?,?), ref: 066F7385
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: MessagePost
    • String ID: B^.
    • API String ID: 410705778-176575641
    • Opcode ID: 9795ad64d60f96a8a08c657eff997d3f54773134a80a7e238da5f0a5caf1c425
    • Instruction ID: 29c0e87f646c28b1e03320d296998e6ff53d8ecc8ed12c761b3d0c22b4804c6d
    • Opcode Fuzzy Hash: 9795ad64d60f96a8a08c657eff997d3f54773134a80a7e238da5f0a5caf1c425
    • Instruction Fuzzy Hash: 3821B1718093859FCB11CF69E885BDABFF4EF0A314F18409AD554A7252C3349949CFA2
    APIs
    • MonitorFromPoint.USER32(?,?,00000002), ref: 066BD197
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887486446.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66b0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: FromMonitorPoint
    • String ID: B^.
    • API String ID: 1566494148-176575641
    • Opcode ID: 23ae85fe273469bc70a5abcda3dc7361ffcd9e8bdd24b68ecb458af948421c77
    • Instruction ID: bc9ed45db70d82cdb442b5a392ce2f5fa2cee1d7ab7c9e0f926f40591dd0e7ed
    • Opcode Fuzzy Hash: 23ae85fe273469bc70a5abcda3dc7361ffcd9e8bdd24b68ecb458af948421c77
    • Instruction Fuzzy Hash: 1A219CB4A00248DFDB10DF99D849BEEBFF4EB48310F548019E949AB380C778A944CFA5
    APIs
    • GetClassInfoW.USER32(?,00000000), ref: 066F382C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: ClassInfo
    • String ID: B^.
    • API String ID: 3534257612-176575641
    • Opcode ID: d93ec9654f25ab75bf25c88ec6595e33449f827c32655972dca3275a71a63930
    • Instruction ID: 39b13223a6278ca52e04c7c611b75f88377fffe9a4bd97c379bb08347043814a
    • Opcode Fuzzy Hash: d93ec9654f25ab75bf25c88ec6595e33449f827c32655972dca3275a71a63930
    • Instruction Fuzzy Hash: CF2107B5D017499FDB14CF9AD984ADEFBF4BB48320F14802AE958A7340D378A944CBA5
    APIs
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04A8D52F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2886976668.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a80000_wLw52XmkOM.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID: B^.
    • API String ID: 3793708945-176575641
    • Opcode ID: e394de1cba88a2f2d2eee948258d0fb75074d184b16588c2351c7ab6c2943f5b
    • Instruction ID: c52bdece20bb27f79d1229de71ef8f4060b490a0615ec0f301388fc9ac855881
    • Opcode Fuzzy Hash: e394de1cba88a2f2d2eee948258d0fb75074d184b16588c2351c7ab6c2943f5b
    • Instruction Fuzzy Hash: D121E3B59002489FDB10CFA9D584ADEBFF4EB48314F14841AE918A7250D374AA54CFA5
    APIs
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04A8D52F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2886976668.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a80000_wLw52XmkOM.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID: B^.
    • API String ID: 3793708945-176575641
    • Opcode ID: 211e832344bf77313ffdb8aaf93384a5ab667bef69cfa523df556df0d9346fc7
    • Instruction ID: d2789a1315ef07728bdca4773a462253e10ed6d7ce986d602ce5014a911018ee
    • Opcode Fuzzy Hash: 211e832344bf77313ffdb8aaf93384a5ab667bef69cfa523df556df0d9346fc7
    • Instruction Fuzzy Hash: AD21D3B59002589FDB10CFAAD984ADEFFF8FB48324F14841AE958A7350D374A944CFA5
    APIs
    • GetClassInfoW.USER32(?,00000000), ref: 066F382C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: ClassInfo
    • String ID: B^.
    • API String ID: 3534257612-176575641
    • Opcode ID: 24630321b9d4f4029b8783c7c6c879461041891cea99c57655037c1aa6514ad8
    • Instruction ID: 7af57ab665fa676f54f3ab1a0a83b70b8a4186281e1367f71d64f2aaffa8c8db
    • Opcode Fuzzy Hash: 24630321b9d4f4029b8783c7c6c879461041891cea99c57655037c1aa6514ad8
    • Instruction Fuzzy Hash: 8E2115B5D017499FDB10CF9AD884ADEFBF4FB48310F14802AE958A7340D378A944CBA5
    APIs
    • SetWindowTextW.USER32(?,00000000), ref: 066F1422
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: TextWindow
    • String ID: B^.
    • API String ID: 530164218-176575641
    • Opcode ID: 3fb3b8460eb97353a0925858119cd996e14e16d862806c9d75cbd2e2c2a72e38
    • Instruction ID: 6028c1da75dff31b3eeb8681c3903c5211507745a297e019ef530968bf02767f
    • Opcode Fuzzy Hash: 3fb3b8460eb97353a0925858119cd996e14e16d862806c9d75cbd2e2c2a72e38
    • Instruction Fuzzy Hash: 5F2130B2C002498FCB10CF9AD844BEEFBF4EF89324F14842AD858A7640C339A545CFA5
    APIs
    • KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0702093D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID: CallbackDispatcherUser
    • String ID: B^.
    • API String ID: 2492992576-176575641
    • Opcode ID: 68afbbc50a543091c91babba9c45c355ccc16fa8de7aeac64faf326b791e828f
    • Instruction ID: e0d7c82adff6e1e144c43c42e1dd6344596a3784bfcea1cf346bf50de60fb273
    • Opcode Fuzzy Hash: 68afbbc50a543091c91babba9c45c355ccc16fa8de7aeac64faf326b791e828f
    • Instruction Fuzzy Hash: 77110AB5800359DFDB10CF9AD844BDEFBF8EB48314F14842AE554A7251C378A545CFA5
    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04A8B199,00000800,00000000,00000000), ref: 04A8B38A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2886976668.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a80000_wLw52XmkOM.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: B^.
    • API String ID: 1029625771-176575641
    • Opcode ID: fc620cc41ccf825b971c43f49dee9dfcf1e957184e4df39ae186ecce51e728b5
    • Instruction ID: 4756c3fc1c182625dd4688c575cc390fafad6c09dd6e160069af16c062fa9c85
    • Opcode Fuzzy Hash: fc620cc41ccf825b971c43f49dee9dfcf1e957184e4df39ae186ecce51e728b5
    • Instruction Fuzzy Hash: 9011F3B69003099FDB20DF9AD444ADEFBF4EB48310F14842EE559B7610C375A945CFA5
    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04A8B199,00000800,00000000,00000000), ref: 04A8B38A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2886976668.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a80000_wLw52XmkOM.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: B^.
    • API String ID: 1029625771-176575641
    • Opcode ID: 1226999b1a884ca17c5b2461647f9cc7fd170f4d93b13a3393377715834bfafc
    • Instruction ID: 6656b0a100c5902490dac4b642c2d42f424723c4162e74bb2d036909918d036a
    • Opcode Fuzzy Hash: 1226999b1a884ca17c5b2461647f9cc7fd170f4d93b13a3393377715834bfafc
    • Instruction Fuzzy Hash: 5B11E2B6D002099FDB10DF9AD444ADEFBF4EB88310F14842EE559A7610C375A945CFA5
    APIs
    • SetWindowTextW.USER32(?,00000000), ref: 066F1422
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: TextWindow
    • String ID: B^.
    • API String ID: 530164218-176575641
    • Opcode ID: 202a19de8176904cccf6d7e4f5a69fc5cda1013b3500e722d9a211a305526149
    • Instruction ID: 3730004376e2c404f19cdbfe8a1892600cd9b11d4553bb3d31789181001fc2b3
    • Opcode Fuzzy Hash: 202a19de8176904cccf6d7e4f5a69fc5cda1013b3500e722d9a211a305526149
    • Instruction Fuzzy Hash: 7A111FB2C002498FDB14CF9AD844ADEFBF4EB88324F14C02AD968A7240D338A545CFA5
    APIs
    • PeekMessageW.USER32(?,?,?,?,?), ref: 07020670
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID: MessagePeek
    • String ID: B^.
    • API String ID: 2222842502-176575641
    • Opcode ID: 0102a64a9b310301578dc88b0e704df787f072ad6f04f947746491f99be92034
    • Instruction ID: 5bc4d2c69e6e9dd11c69a8d07f6a2ece8855da99125229dbebe1d467872a0cbb
    • Opcode Fuzzy Hash: 0102a64a9b310301578dc88b0e704df787f072ad6f04f947746491f99be92034
    • Instruction Fuzzy Hash: 801126B1900219DFCB10CF9AD884BDEFBF8EB48314F10842AE558A7250C378A944DFA5
    APIs
    • PeekMessageW.USER32(?,?,?,?,?), ref: 07020670
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID: MessagePeek
    • String ID: B^.
    • API String ID: 2222842502-176575641
    • Opcode ID: ea3806b1be6adc4b3c5fd31146302143f15967aa7b1d5aa9920027c3e0b5f6ef
    • Instruction ID: 85e718aac0efd5df22c594b538c0a8d2205db7f64f4398f4efcbdb9f46cadf2a
    • Opcode Fuzzy Hash: ea3806b1be6adc4b3c5fd31146302143f15967aa7b1d5aa9920027c3e0b5f6ef
    • Instruction Fuzzy Hash: 491107B5D00259DFDB10CF9AD544BDEFBF8EB48320F10842AE558A7250C378A944DFA5
    APIs
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0216B303
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2883138040.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2160000_wLw52XmkOM.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: B^.
    • API String ID: 544645111-176575641
    • Opcode ID: 1bf3c28a2685fd05a1cfec38ce824a6853a54d9881ada6e0c2682f0da2f9a4ab
    • Instruction ID: 104efc0e0d3b26cffcdda50bf6ac4b6ec21880067cca600d2d6ba6db3d4cfd2d
    • Opcode Fuzzy Hash: 1bf3c28a2685fd05a1cfec38ce824a6853a54d9881ada6e0c2682f0da2f9a4ab
    • Instruction Fuzzy Hash: C011C0B59042499FCB10DF9AD584ADFFBF4FB48324F14842AE958A7250C374AA44CFA5
    APIs
    • KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0702093D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID: CallbackDispatcherUser
    • String ID: B^.
    • API String ID: 2492992576-176575641
    • Opcode ID: c1e454bbdde4306336daa3441dfce707aa159b388dc8fe79da5570ed6839f457
    • Instruction ID: cae7611b824ea80029dc4e71307bcec82f7eca0646b261bd458137d4528fe176
    • Opcode Fuzzy Hash: c1e454bbdde4306336daa3441dfce707aa159b388dc8fe79da5570ed6839f457
    • Instruction Fuzzy Hash: 681104B18003599FDB10CF9AD884BDEFBF8EB48320F10842AE558A3240C378A944CFA5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID: DispatchMessage
    • String ID: B^.
    • API String ID: 2061451462-176575641
    • Opcode ID: 55b9b7abdaf120b4e651b8b98d4d2c1c83d196d655863349b424780e19156913
    • Instruction ID: 43532d9cbe55f9f5cec7a3ca0101c83a59819e794e8d7d16ccb6b82dcb3b3863
    • Opcode Fuzzy Hash: 55b9b7abdaf120b4e651b8b98d4d2c1c83d196d655863349b424780e19156913
    • Instruction Fuzzy Hash: DA1122B5C006599FCB20CF9AD444BDEFBF4EB48324F10852AE458A3200C378A940CFA5
    APIs
    • PostMessageW.USER32(?,?,?,?), ref: 066F7385
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: MessagePost
    • String ID: B^.
    • API String ID: 410705778-176575641
    • Opcode ID: 4efeccb9e1af6a20642b5fd89325f51ea5c13b63dbf927bdcbd780829a5a8509
    • Instruction ID: ddda947f87c76cb7c4d3a794c0d8f143a0b0ecc248af28695edc0d293de7b3ed
    • Opcode Fuzzy Hash: 4efeccb9e1af6a20642b5fd89325f51ea5c13b63dbf927bdcbd780829a5a8509
    • Instruction Fuzzy Hash: 501125B28003499FDB10CF9AD845BDEFBF8EB48320F108419E958A3240C378A984CFA5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID: DispatchMessage
    • String ID: B^.
    • API String ID: 2061451462-176575641
    • Opcode ID: db317875e7996355db4d78eaa037868979013ebd9273945b0ddcaf9be1dcc5f4
    • Instruction ID: 1931e57f81f6e7950f0d0edacc9038c51e54c675a865988691c2ba84487c1422
    • Opcode Fuzzy Hash: db317875e7996355db4d78eaa037868979013ebd9273945b0ddcaf9be1dcc5f4
    • Instruction Fuzzy Hash: 6D1103B5C006599FCB10DFAAE848BDEFBF4EB48320F10852AE518A7350D374A545CFA5
    APIs
    • SendMessageW.USER32(?,?,?,?), ref: 066F2065
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: B^.
    • API String ID: 3850602802-176575641
    • Opcode ID: 3d5b99e08b120cf9d22030b8528e05633d26ea1938ef93708b92963ed1c1f87d
    • Instruction ID: f92b556db540b5af0c2af3bcbdf0ae6291eda359fe1864daee2c876b499a86eb
    • Opcode Fuzzy Hash: 3d5b99e08b120cf9d22030b8528e05633d26ea1938ef93708b92963ed1c1f87d
    • Instruction Fuzzy Hash: 9511F5B58003489FDB60DF99D894BDEBBF8EB48314F108419E558A7210C375A984CFA5
    APIs
    • GetModuleHandleW.KERNELBASE(00000000), ref: 04A8B11E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2886976668.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a80000_wLw52XmkOM.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: B^.
    • API String ID: 4139908857-176575641
    • Opcode ID: 27ed359dbd67bd277e87ede71ce57dc1fb8ecbceee8409473e9c432b6bda47fb
    • Instruction ID: f5265c93eb7dbe394c9c7e54bd4f8efe2d6e0c985462bfadc0132d9116246cc6
    • Opcode Fuzzy Hash: 27ed359dbd67bd277e87ede71ce57dc1fb8ecbceee8409473e9c432b6bda47fb
    • Instruction Fuzzy Hash: 3F1122B5C002498FCB10DF9AD844ADEFBF4EF88324F10842AD418AB210C378A545CFA5
    APIs
    • SendMessageW.USER32(?,?,?,?), ref: 066F2065
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: B^.
    • API String ID: 3850602802-176575641
    • Opcode ID: d5ecacad5237ec85cd800073225bb2e076110d954091a46c5da802c58ffa7e12
    • Instruction ID: 3c76c7c35e3ef484881ff7cdd191a0c9bc5a919dbe4da5b6d922d8f88658e71e
    • Opcode Fuzzy Hash: d5ecacad5237ec85cd800073225bb2e076110d954091a46c5da802c58ffa7e12
    • Instruction Fuzzy Hash: B01103B58003489FDB50CF9AD884BDEFFF8EB48324F24841AE558A7210C375A984CFA5
    APIs
    • SetWindowLongW.USER32(?,?,?), ref: 05371B95
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887186576.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5370000_wLw52XmkOM.jbxd
    Similarity
    • API ID: LongWindow
    • String ID: B^.
    • API String ID: 1378638983-176575641
    • Opcode ID: 70ddccb3f280fc58b2aaf1ba123964c6dd19a78a40659e83ddcc2bf9469e16f2
    • Instruction ID: 995a9f0a069eb6a02b78abbd8c6ccb0e1883269b52eda9394b30f47092f7dcce
    • Opcode Fuzzy Hash: 70ddccb3f280fc58b2aaf1ba123964c6dd19a78a40659e83ddcc2bf9469e16f2
    • Instruction Fuzzy Hash: 7B11F5B5800249DFDB10DF9AD588BDEBBF4EB48324F20845AD559A7700D374AA44CFA5
    APIs
    • SetWindowLongW.USER32(?,?,?), ref: 05371B95
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887186576.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5370000_wLw52XmkOM.jbxd
    Similarity
    • API ID: LongWindow
    • String ID: B^.
    • API String ID: 1378638983-176575641
    • Opcode ID: 7b7d3da8a74c8715fb622799a40df91ab543fc2a239087d1671e9f4dae072658
    • Instruction ID: 43a161d7586218a9b499e122dd75fd8e926ca7abfe3d36dacdf1f22859c761ff
    • Opcode Fuzzy Hash: 7b7d3da8a74c8715fb622799a40df91ab543fc2a239087d1671e9f4dae072658
    • Instruction Fuzzy Hash: 491115B5800248CFDB10CF9AD584BDEFBF8EB48320F10841AD958A7300C374A944CFA5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID: DispatchMessage
    • String ID: B^.
    • API String ID: 2061451462-176575641
    • Opcode ID: 21925f56757a46b23ddd132a05f43c9721358008a061e2babfe8aacb4723d9c1
    • Instruction ID: 9fbeb11986f5199a0f84bb341b5d3497d6d584bee40074c1250fc1d190a5acb8
    • Opcode Fuzzy Hash: 21925f56757a46b23ddd132a05f43c9721358008a061e2babfe8aacb4723d9c1
    • Instruction Fuzzy Hash: DF110DB1C00259DFCB20CF9AE444BCEFBF4EB48324F10852AD558A7210C378A984CFA5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID: DispatchMessage
    • String ID: B^.
    • API String ID: 2061451462-176575641
    • Opcode ID: 6023a6d236a6923f60bcc1401f52ecaef72f841d04ee826bfdca52601e4beaf7
    • Instruction ID: 2d478884cd7ebe2eea8b2266f110ed244bb7838d659b10ce3eee575694f681c4
    • Opcode Fuzzy Hash: 6023a6d236a6923f60bcc1401f52ecaef72f841d04ee826bfdca52601e4beaf7
    • Instruction Fuzzy Hash: E811DDB5D006598FCB10DF9AE548BDEFBF4EB48324F10852AD558A7210D378A944CFA5
    APIs
    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 0216BF48
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2883138040.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2160000_wLw52XmkOM.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID: B^.
    • API String ID: 4275171209-176575641
    • Opcode ID: 20b1a323ecf317ddb32c1af7a31f1596a9b8af88814c6373011d0b901143c0ea
    • Instruction ID: 0b36946d401ea7db3d0af0fd116c966565a6752b55ca5d16c30aed7949ffa414
    • Opcode Fuzzy Hash: 20b1a323ecf317ddb32c1af7a31f1596a9b8af88814c6373011d0b901143c0ea
    • Instruction Fuzzy Hash: 011128B59002489FCB10DF9AD544BDFFFF4EB48324F208469E558A7210C375A944CFA5
    APIs
      • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
    • SysAllocString.OLEAUT32 ref: 00401898
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: AllocString_malloc
    • String ID:
    • API String ID: 959018026-0
    • Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
    • Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
    • Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
    • Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA
    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: CreateHeap
    • String ID:
    • API String ID: 10892065-0
    • Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
    • Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
    • Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
    • Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
    Memory Dump Source
    • Source File: 00000000.00000002.2882123524.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_71d000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ff381f8190f24c84aa9f109163805e67f9f01b8ba5f9ab4e3d0f9f75a3971183
    • Instruction ID: 3167c75b75370bfa687690d2d377ad2fc415de6e30b2a686146f75d646ac8b5a
    • Opcode Fuzzy Hash: ff381f8190f24c84aa9f109163805e67f9f01b8ba5f9ab4e3d0f9f75a3971183
    • Instruction Fuzzy Hash: CD212BB1500240DFCB15DF18D5C0B67BF66FB94318F20C569D9054B296C339DCA6CAA1
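Added example, not part of the Joe Sandbox report: a decoder for the dump file names in the "Memory Dump Source" lines. The field layout is inferred from this report rather than documented on the page: the fourth field equals the printed Offset, the fifth carries the page protection (0x20 PAGE_EXECUTE_READ for the .text dump at 0x401000, 0x02 and 0x04 for the read-only and read-write sections, 0x40 PAGE_EXECUTE_READWRITE for every "based on PE: false" region), and the seventh is the allocation type (0x01000000 MEM_IMAGE for module-backed dumps, 0x00020000 MEM_PRIVATE for the rest). The other fields are left alone. The constant values are standard winnt.h; the sample lines are copied from the records above. The practical point for triage: the RWX private regions (0x71D000, 0x20CD000, 0x66B0000, 0x7020000 and so on) are where unpacked or JIT-compiled code lives, so those are the dumps to pull and scan first.

```python
"""Decode Joe Sandbox dump names such as
00000000.00000002.2882123524.000000000071D000.00000040.00000800.00020000.00000000.sdmp
into base address, page protection and allocation type, and flag regions worth dumping.
Field positions are inferred from this report; constant values come from winnt.h."""
import re
from dataclasses import dataclass

# Win32 page protection (low byte) and allocation type constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Eight dot-separated fields followed by .sdmp; only base, prot and mtype are interpreted.
_DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp"
)

@dataclass(frozen=True)
class DumpRegion:
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # Strip modifier bits (PAGE_GUARD, PAGE_NOCACHE, ...) before the lookup.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)  # all PAGE_EXECUTE* values live in the high nibble

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)  # READWRITE, WRITECOPY and their EXECUTE variants

    def triage(self) -> str:
        """Why an analyst would (or would not) pull this dump first."""
        if self.mem_type == 0x1000000:
            return "image-backed section of a loaded module"
        if self.executable and self.writable:
            return "RWX private memory: likely JIT or unpacked code, dump and scan"
        if self.executable:
            return "executable private memory: check for manually mapped code"
        return "data region"

def parse_dump_name(name: str) -> DumpRegion:
    m = _DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(base=int(m["base"], 16), protect=int(m["prot"], 16),
                      mem_type=int(m["mtype"], 16))

def triage_report(lines: list) -> dict:
    """Map each distinct region base found in report lines to a triage verdict."""
    out = {}
    for line in lines:
        for m in _DUMP_RE.finditer(line):
            r = parse_dump_name(m.group(0))
            out[r.base] = f"{r.protect_name} {r.type_name}: {r.triage()}"
    return out

# Dump names copied from the records above (constructed sample input).
SAMPLE_LINES = [
    "Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true",
    "Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp",
    "Source File: 00000000.00000002.2882123524.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false",
    "Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false",
]

if __name__ == "__main__":
    for base, verdict in sorted(triage_report(SAMPLE_LINES).items()):
        print(f"{base:08X}  {verdict}")
```

Run it over the whole report text to get one line per distinct region; anything reported as RWX MEM_PRIVATE is a candidate for Yara scanning and for checking whether it carries an MZ header or a CLR method body.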
    Memory Dump Source
    • Source File: 00000000.00000002.2882692423.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_20cd000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 44ae0e0112a5008edb1ff50dcc9250b458a42b46865386fe5ea5c558d3ca2e57
    • Instruction ID: d570af2255844346ede780f7c5ea475f329886483f3ac06c1738458c24a787ac
    • Opcode Fuzzy Hash: 44ae0e0112a5008edb1ff50dcc9250b458a42b46865386fe5ea5c558d3ca2e57
    • Instruction Fuzzy Hash: 912100B1104340DFDB11EF18DA84B2EBFA5EB84324F30C57DE9090B246C336D84ADAA2
    Memory Dump Source
    • Source File: 00000000.00000002.2882692423.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_20cd000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c280a52ce6c6c2278f704bc12bd61ed7ab24fede959d705cb01ed6e77392c928
    • Instruction ID: cbb4665eb65cc4f87f785c7ef4ae5b3939b8a1597bc1d17b2dfc7d0cc0498554
    • Opcode Fuzzy Hash: c280a52ce6c6c2278f704bc12bd61ed7ab24fede959d705cb01ed6e77392c928
    • Instruction Fuzzy Hash: A621CCB1604304EFDB05DF14DAC0B2ABBA5EB84314F24C67DE8494B296C33AD846DA61
    Memory Dump Source
    • Source File: 00000000.00000002.2882692423.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_20cd000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c89b2e61ac04b060c869a9da19c798e23ce9a0564c9c73c70e5a0dd5b43d187b
    • Instruction ID: 395b5e24578be26e058d2bb6032566a422b3a92c05af46517bcd28d2eab20949
    • Opcode Fuzzy Hash: c89b2e61ac04b060c869a9da19c798e23ce9a0564c9c73c70e5a0dd5b43d187b
    • Instruction Fuzzy Hash: ED21D0B1604344EFDB05DF14D984B2ABBA5EB88314F30C5BDDD494A351C33AD846DA61
    Memory Dump Source
    • Source File: 00000000.00000002.2882692423.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_20cd000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: dabfb5da31589cb065e1f088c2c9ebde4aeb547b1eb29faeaa01cc7f9382ec20
    • Instruction ID: 0cc28593e543d7282ca574b4de9f3946381034c5b535cee9aaf2e8a14b532221
    • Opcode Fuzzy Hash: dabfb5da31589cb065e1f088c2c9ebde4aeb547b1eb29faeaa01cc7f9382ec20
    • Instruction Fuzzy Hash: 0B2183B15083809FCB13CF14D994716BFB1EB86324F2985EAD8454B656C33AD81ADB62
    Memory Dump Source
    • Source File: 00000000.00000002.2882123524.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_71d000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
    • Instruction ID: 96eedce137a4f9344363358b0c549b3a6fa7ae2c41851be1053c749c7c8f348d
    • Opcode Fuzzy Hash: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
    • Instruction Fuzzy Hash: 3111D376504280CFCB16CF14D5C4B56BF72FB98314F24C5A9D8094B656C33AD86ACFA1
    Memory Dump Source
    • Source File: 00000000.00000002.2882692423.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_20cd000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
    • Instruction ID: bd21195d8afcb174773af5bdc4c3156ef9fc65073a65928eddaf6eeb9a9690c5
    • Opcode Fuzzy Hash: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
    • Instruction Fuzzy Hash: E711BBB5504384EFDB06CF10C9C4B19BBA2FB88218F24C6AEDC494B752C33AD44ADB61
    Memory Dump Source
    • Source File: 00000000.00000002.2882692423.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_20cd000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
    • Instruction ID: 116222dbb97aed32d993b7419847bdd2630582ec02f8882eda1b0b9f96ae3884
    • Opcode Fuzzy Hash: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
    • Instruction Fuzzy Hash: A1119DB5504780DFDB06CF14D5C4B19BFA2FB84318F28C6AED8494B656C33AD44ADBA1
    Memory Dump Source
    • Source File: 00000000.00000002.2882123524.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_71d000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bda91825e813ee2d51382143b02c76bb2ec9ea8b802701b4347d4706f0fce0bb
    • Instruction ID: 398ebe1f41ea4e257752979a77f8562c4428cc7143857fdb9cf7bd2a0f295303
    • Opcode Fuzzy Hash: bda91825e813ee2d51382143b02c76bb2ec9ea8b802701b4347d4706f0fce0bb
    • Instruction Fuzzy Hash: 7901A7715083409AE7204A2DDDC47A7BFD8DF59324F18C529ED484A2C6C27D9C81CAB1
    Memory Dump Source
    • Source File: 00000000.00000002.2882123524.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_71d000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cbd9e351406262f74a487278a7b6212dba51d393f2da3cfdb7a63aabfe8d4c35
    • Instruction ID: 6393d7a9b5758ffa518d6037f7dd328164a6bc984a85baa7165ae9d3f4129bb2
    • Opcode Fuzzy Hash: cbd9e351406262f74a487278a7b6212dba51d393f2da3cfdb7a63aabfe8d4c35
    • Instruction Fuzzy Hash: 56F06271404344AEE7208A1ADDC4BA6FFE8EB55724F18C55AED484E286C2799C85CAB1
    APIs
    • GetKeyState.USER32(00000001), ref: 0702F1D5
    • GetKeyState.USER32(00000002), ref: 0702F21A
    • GetKeyState.USER32(00000004), ref: 0702F25F
    • GetKeyState.USER32(00000005), ref: 0702F2A4
    • GetKeyState.USER32(00000006), ref: 0702F2E9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID: State
    • String ID: B^.
    • API String ID: 1649606143-176575641
    • Opcode ID: 80223584be0680886504bb184e7e4a4496bbaf06fcbb99873a87829be3a66471
    • Instruction ID: 06162ebbb2218d5b6472aa331c65403242a8c447c8366785425d0e2081ab1af3
    • Opcode Fuzzy Hash: 80223584be0680886504bb184e7e4a4496bbaf06fcbb99873a87829be3a66471
    • Instruction Fuzzy Hash: 394181F5800756CEEB21DF99C9483AFBFF4AB05358F208419D449B7240C779A58ACFA6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887486446.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66b0000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID: B^.$Hbq$Hbq$Hbq$Hbq$Hbq
    • API String ID: 0-1342982874
    • Opcode ID: 4a60a44c4b184460fdd8f6d084ed5842ff13f553fb4765ca50b2be4d9c3c2611
    • Instruction ID: 74d9b01d7c60ccb373fb26c25cc60986bfce9b22370fc1870e9e00be50d744f1
    • Opcode Fuzzy Hash: 4a60a44c4b184460fdd8f6d084ed5842ff13f553fb4765ca50b2be4d9c3c2611
    • Instruction Fuzzy Hash: 4F429C70E00218CFDB98DFA9C85479EBBF2AF89300F1485A9D109AB395DB349D85CF95
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 004136F4
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
    • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
    • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
    • TerminateProcess.KERNEL32(00000000), ref: 00413737
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
    • String ID:
    • API String ID: 2579439406-0
    • Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
    • Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
    • Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
    • Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D
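Added example, not part of the Joe Sandbox report: a Python triage script for the two "APIs" lists above. It decodes the GetKeyState arguments, which in the 0x07020000 record are 0x01, 0x02, 0x04, 0x05 and 0x06, that is VK_LBUTTON, VK_RBUTTON, VK_MBUTTON, VK_XBUTTON1 and VK_XBUTTON2. Those are mouse buttons, so this particular record is activity or UI polling rather than keystroke capture, and the "key state polling" signature should only be treated as keylogger evidence if other records poll keyboard codes. It also recognises the IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess chain with 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN) as the MSVC CRT's __report_gsfailure routine, the compiler-emitted /GS cookie failure handler found in most MSVC-built native binaries, which is what the IsDebuggerPresent signature is firing on here rather than hand-written anti-debugging. The parser expects the line format shown on this page; the VK and NTSTATUS constants are standard Windows values and the sample records are copied from above.

```python
"""Triage helpers for the 'APIs' call lists printed in Joe Sandbox function records:
decode GetKeyState virtual-key codes, and recognise the MSVC CRT __report_gsfailure
chain (IsDebuggerPresent, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter,
GetCurrentProcess, TerminateProcess with STATUS_STACK_BUFFER_OVERRUN)."""
import re
from dataclasses import dataclass
from typing import Optional

# Matches "GetKeyState.USER32(00000001), ref: 0702F1D5" and "IsDebuggerPresent.KERNEL32 ref: 004136F4"
_API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409

# Virtual-key codes from winuser.h; 0x01-0x06 are mouse buttons, not keyboard keys.
VK_NAMES = {0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON", 0x04: "VK_MBUTTON", 0x05: "VK_XBUTTON1",
            0x06: "VK_XBUTTON2", 0x08: "VK_BACK", 0x09: "VK_TAB", 0x0D: "VK_RETURN",
            0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x1B: "VK_ESCAPE", 0x20: "VK_SPACE"}
VK_NAMES.update({c: f"VK_{chr(c)}" for c in range(0x30, 0x3A)})  # '0'..'9'
VK_NAMES.update({c: f"VK_{chr(c)}" for c in range(0x41, 0x5B)})  # 'A'..'Z'
MOUSE_BUTTONS = {0x01, 0x02, 0x04, 0x05, 0x06}

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int  # call-site address

def parse_api_lines(text: str) -> list:
    """Extract every API call from report text, ordered by call-site address."""
    calls = []
    for m in _API_RE.finditer(text):
        args = tuple(a.strip() for a in (m["args"] or "").split(",") if a.strip())
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    return sorted(calls, key=lambda c: c.ref)

def _hex_arg(arg: str) -> Optional[int]:
    try:
        return int(arg, 16)
    except ValueError:  # '?' (unknown) or a symbolic 'Function_...' argument
        return None

def classify_key_polling(calls: list) -> dict:
    """Name the polled virtual keys and say whether they are keyboard keys at all."""
    codes = [_hex_arg(c.args[0]) for c in calls if c.api == "GetKeyState" and c.args]
    codes = [vk for vk in codes if vk is not None]
    names = [VK_NAMES.get(vk, f"0x{vk:02X}") for vk in codes]
    if not codes:
        verdict = "no GetKeyState polling"
    elif all(vk in MOUSE_BUTTONS for vk in codes):
        verdict = "mouse-button polling only (activity or UI check, not keystroke capture)"
    elif sum(0x30 <= vk <= 0x5A for vk in codes) >= 10:
        verdict = "sweeps alphanumeric keys: consistent with keystroke capture"
    else:
        verdict = "polls individual keyboard keys: review the surrounding code"
    return {"keys": names, "verdict": verdict}

def is_crt_gs_failure(calls: list) -> bool:
    """True when the chain matches MSVC's __report_gsfailure in address order."""
    expected = ["IsDebuggerPresent", "SetUnhandledExceptionFilter",
                "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess"]
    if [c.api for c in calls if c.api in expected] != expected:
        return False
    suef = next(c for c in calls if c.api == "SetUnhandledExceptionFilter")
    if not suef.args or _hex_arg(suef.args[0]) != 0:  # the filter must be cleared (NULL)
        return False
    # STATUS_STACK_BUFFER_OVERRUN is both the exception code and the exit code of the chain.
    return any(_hex_arg(a) == STATUS_STACK_BUFFER_OVERRUN for c in calls for a in c.args)

# Call lists copied from the two records above (constructed sample input).
KEYSTATE_RECORD = """
• GetKeyState.USER32(00000001), ref: 0702F1D5
• GetKeyState.USER32(00000002), ref: 0702F21A
• GetKeyState.USER32(00000004), ref: 0702F25F
• GetKeyState.USER32(00000005), ref: 0702F2A4
• GetKeyState.USER32(00000006), ref: 0702F2E9
"""
GSFAILURE_RECORD = """
• IsDebuggerPresent.KERNEL32 ref: 004136F4
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
• UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
• GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
• TerminateProcess.KERNEL32(00000000), ref: 00413737
"""

if __name__ == "__main__":
    print(classify_key_polling(parse_api_lines(KEYSTATE_RECORD)))
    print("CRT /GS failure handler:", is_crt_gs_failure(parse_api_lines(GSFAILURE_RECORD)))
```

Feed each function record's "APIs" block to parse_api_lines separately; the ordering by ref address is what makes the __report_gsfailure check meaningful, and mixing records would let unrelated calls interleave.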
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID: $(&^q$(bq$Hbq
    • API String ID: 0-1723523991
    • Opcode ID: fd8b2f1dc4ac8542a1f448c4db3945e6a6b6d06eda3143b33e372dd8b0c5657e
    • Instruction ID: c8fe441bcf97b8fe9da813cde8f7080c01a0c43edb7194a80eee727997444277
    • Opcode Fuzzy Hash: fd8b2f1dc4ac8542a1f448c4db3945e6a6b6d06eda3143b33e372dd8b0c5657e
    • Instruction Fuzzy Hash: 5E9191B1E002159FDB68DFB9C844AAFBAF6FF88310F118529E415EB250DF34D9028B95
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID: @$@$PA
    • API String ID: 0-3039612711
    • Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
    • Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
    • Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
    • Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A
    APIs
    • GetProcessHeap.KERNEL32 ref: 0040ADD0
    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: Heap$FreeProcess
    • String ID:
    • API String ID: 3859560861-0
    • Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
    • Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
    • Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
    • Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2887992307.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7020000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID: fff?
    • API String ID: 0-4136771917
    • Opcode ID: e3e0d8d6762e4b340fb6b91790f50bf9e6088d46fa8708e18060b6f537b62606
    • Instruction ID: d3e269af8c0666489072be05e4a7582a3d1f7e520a9888fa03c1b0287c80e349
    • Opcode Fuzzy Hash: e3e0d8d6762e4b340fb6b91790f50bf9e6088d46fa8708e18060b6f537b62606
    • Instruction Fuzzy Hash: 9062183281061ADFCF11DF50C884AD9BBB2FF99304F1586D5E9086B125E772AAD6DF80
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
    • Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
    • Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
    • Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
    • Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
    • Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
    • Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
    • Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
    • Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
    • Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
    • Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
    • Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
    • Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55
    Memory Dump Source
    • Source File: 00000000.00000002.2887186576.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5370000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f4f6535fb3c97e5c7bc5dfe1058a723d46b79329d8cf1e30dfb329958b7d67fa
    • Instruction ID: c0f9544992c4031d989c3d8831dbfc106d42999e5a70f13596be4af89a7fa797
    • Opcode Fuzzy Hash: f4f6535fb3c97e5c7bc5dfe1058a723d46b79329d8cf1e30dfb329958b7d67fa
    • Instruction Fuzzy Hash: DE1295F1C817458AD710CF65E84C1897BB9BB51318FF08A0AD2617A2E5DBB835AACF44
    Memory Dump Source
    • Source File: 00000000.00000002.2887486446.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66b0000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c8feccb5240fb9fd79036e6a983d6e69274eeff31369cabbbb18cc6db9eeb305
    • Instruction ID: 656b079c3ecd0ae66b6f028ed9eff168e6336eb4064326212d5e93a713df6c9c
    • Opcode Fuzzy Hash: c8feccb5240fb9fd79036e6a983d6e69274eeff31369cabbbb18cc6db9eeb305
    • Instruction Fuzzy Hash: 13B17EB1E10209CFDB54CBA8C8553EEBBBAEF85304F14906ED512AB385C7359C46CBA4
    Memory Dump Source
    • Source File: 00000000.00000002.2887486446.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66b0000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 34f4c90f06fe8791703872e9c2ca79f2d0c46b2b97237e43102b2647866390bb
    • Instruction ID: b556a16f923ef2b51774e47a24a888c3b3f73b00c945fb38550a94b0b578171c
    • Opcode Fuzzy Hash: 34f4c90f06fe8791703872e9c2ca79f2d0c46b2b97237e43102b2647866390bb
    • Instruction Fuzzy Hash: 6AC15771E00258DFDBA4CF65C8807DDBBB2AF8A300F04D2A9D519AB255DB34D985CF94
    Memory Dump Source
    • Source File: 00000000.00000002.2887486446.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66b0000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2b21b035193776cbc4ae10a67ad33e3ce2e9c831554b85b2120bd0dfb6b37d3f
    • Instruction ID: 38d137823949dad18ae9787811867c71179d6f0ba599f1e55aedccdd8ceeae35
    • Opcode Fuzzy Hash: 2b21b035193776cbc4ae10a67ad33e3ce2e9c831554b85b2120bd0dfb6b37d3f
    • Instruction Fuzzy Hash: E9C16971E00258DFDBA4CF65C8807DDBBB2AF8A300F08D2AAD519AB255DB34D985CF54
    Memory Dump Source
    • Source File: 00000000.00000002.2886976668.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a80000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d8c81021ac3381426b3c47e82b132e55fe04a1ba74c8626606f57e07f40469e4
    • Instruction ID: 95bcc90fde8ea62e5895e96a6122257d69fc1463456f814245f5f12fbb4b335b
    • Opcode Fuzzy Hash: d8c81021ac3381426b3c47e82b132e55fe04a1ba74c8626606f57e07f40469e4
    • Instruction Fuzzy Hash: 6EA15032E0020A8FDF09EFB4C94459EB7B6FF89304B15856EE805AB265DB71F956CB40
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
    • Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
    • Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
    • Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
    • Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
    • Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
    • Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC
    Memory Dump Source
    • Source File: 00000000.00000002.2883138040.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2160000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 546a428a8e36440a41a54e18e216f7f14babaa16cceb99985a5e993f08cf69df
    • Instruction ID: 3d947f6a687cdc5d18cdd6ea15431bbace969fd653b2f801ea09981644af1d87
    • Opcode Fuzzy Hash: 546a428a8e36440a41a54e18e216f7f14babaa16cceb99985a5e993f08cf69df
    • Instruction Fuzzy Hash: 34519574D402048FD709EF3AE84079ABBEBBF84304F14C928D4559B369EB746A5A8F50
    Memory Dump Source
    • Source File: 00000000.00000002.2883138040.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_2160000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bd473d34676837f0902f474a525adf8d889c16346f29cb9b065cad2816d79167
    • Instruction ID: 43aec2dd72a402ab64f4518100bb0121cc47381dd3172b489b8eda573eb5c660
    • Opcode Fuzzy Hash: bd473d34676837f0902f474a525adf8d889c16346f29cb9b065cad2816d79167
    • Instruction Fuzzy Hash: CF517374D402048FD708EF3AED40B9ABBEBBF84304F10C928D4159B369EB746A599B90
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
    • Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
    • Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
    • Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
    • Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
    • Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
    • Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
    • Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
    • Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
    • Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785
    APIs
    • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
    • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,022118C0), ref: 004170C5
    • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
    • _malloc.LIBCMT ref: 0041718A
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
    • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
    • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
    • _malloc.LIBCMT ref: 0041724C
    • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
    • __freea.LIBCMT ref: 004172A4
    • __freea.LIBCMT ref: 004172AD
    • ___ansicp.LIBCMT ref: 004172DE
    • ___convertcp.LIBCMT ref: 00417309
    • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
    • _malloc.LIBCMT ref: 00417362
    • _memset.LIBCMT ref: 00417384
    • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
    • ___convertcp.LIBCMT ref: 004173BA
    • __freea.LIBCMT ref: 004173CF
    • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
    • String ID:
    • API String ID: 3809854901-0
    • Opcode ID: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
    • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
    • Opcode Fuzzy Hash: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
    • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
    APIs
    • _malloc.LIBCMT ref: 004057DE
      • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
      • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
      • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
    • _malloc.LIBCMT ref: 00405842
    • _malloc.LIBCMT ref: 00405906
    • _malloc.LIBCMT ref: 00405930
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: _malloc$AllocateHeap
    • String ID: 1.2.3
    • API String ID: 680241177-2310465506
    • Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
    • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
    • Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
    • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
    • String ID:
    • API String ID: 3886058894-0
    • Opcode ID: 61b9ef8a6f765c58139a33a573ef994292dae8fcc9e916c915b81b6d9ebba236
    • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
    • Opcode Fuzzy Hash: 61b9ef8a6f765c58139a33a573ef994292dae8fcc9e916c915b81b6d9ebba236
    • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
    APIs
    • __lock_file.LIBCMT ref: 0040C6C8
    • __fileno.LIBCMT ref: 0040C6D6
    • __fileno.LIBCMT ref: 0040C6E2
    • __fileno.LIBCMT ref: 0040C6EE
    • __fileno.LIBCMT ref: 0040C6FE
      • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
      • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
    • String ID: 'B
    • API String ID: 2805327698-2787509829
    • Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
    • Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
    • Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
    • Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
    APIs
    • __getptd.LIBCMT ref: 00414744
      • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
      • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
    • __getptd.LIBCMT ref: 0041475B
    • __amsg_exit.LIBCMT ref: 00414769
    • __lock.LIBCMT ref: 00414779
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: __amsg_exit__getptd$__getptd_noexit__lock
    • String ID: @.B
    • API String ID: 3521780317-470711618
    • Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
    • Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
    • Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
    • Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
    APIs
    • __getptd.LIBCMT ref: 00413FD8
      • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
      • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
    • __amsg_exit.LIBCMT ref: 00413FF8
    • __lock.LIBCMT ref: 00414008
    • InterlockedDecrement.KERNEL32(?), ref: 00414025
    • InterlockedIncrement.KERNEL32(02211660), ref: 00414050
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
    • String ID:
    • API String ID: 4271482742-0
    • Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
    • Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
    • Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
    • Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: __calloc_crt
    • String ID: P$B$`$B
    • API String ID: 3494438863-235554963
    • Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
    • Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
    • Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
    • Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C
    APIs
    • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
    • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: IsProcessorFeaturePresent$KERNEL32
    • API String ID: 1646373207-3105848591
    • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
    • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
    • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
    • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
    APIs
    • ___addlocaleref.LIBCMT ref: 0041470C
      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A
    • ___removelocaleref.LIBCMT ref: 00414717
      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1
    • ___freetlocinfo.LIBCMT ref: 0041472B
      • Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
      • Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
      • Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
    • String ID: @.B
    • API String ID: 467427115-470711618
    • Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
    • Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
    • Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
    • Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D
    APIs
    • __fileno.LIBCMT ref: 0040C77C
    • __locking.LIBCMT ref: 0040C791
      • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
      • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: __decode_pointer__fileno__getptd_noexit__locking
    • String ID:
    • API String ID: 2395185920-0
    • Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
    • Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
    • Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
    • Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: _fseek_malloc_memset
    • String ID:
    • API String ID: 208892515-0
    • Opcode ID: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
    • Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
    • Opcode Fuzzy Hash: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
    • Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
    APIs
    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
    • __isleadbyte_l.LIBCMT ref: 00415307
    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
    • String ID:
    • API String ID: 3058430110-0
    • Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
    • Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
    • Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
    • Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
    Memory Dump Source
    • Source File: 00000000.00000002.2881375196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2881332756.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881420001.000000000041B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881467063.0000000000422000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881507410.0000000000426000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881554486.0000000000443000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2881648097.0000000000444000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_wLw52XmkOM.jbxd
    Similarity
    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
    • String ID:
    • API String ID: 3016257755-0
    • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
    • Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
    • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
    • Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89
    APIs
    • GetSystemMetrics.USER32(00000031), ref: 066F1D66
    • GetSystemMetrics.USER32(00000032), ref: 066F1DA0
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: MetricsSystem
    • String ID: B^.
    • API String ID: 4116985748-176575641
    • Opcode ID: 1662e9f8996e380df8d11a024c18c657b131a20222c79d770ebe3864ca7ac11b
    • Instruction ID: 21a4973a653c14f462bd65d6371d1071a57367e9680356adb39b855c2efc577d
    • Opcode Fuzzy Hash: 1662e9f8996e380df8d11a024c18c657b131a20222c79d770ebe3864ca7ac11b
    • Instruction Fuzzy Hash: 732102B0800349CFDB60DF99D8487DEBFF4EB49364F14841AD659AB251C378A584CFA5
    APIs
    • GetSystemMetrics.USER32(00000005), ref: 0537D42E
    • GetSystemMetrics.USER32(00000006), ref: 0537D468
    Memory Dump Source
    • Source File: 00000000.00000002.2887186576.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5370000_wLw52XmkOM.jbxd
    Similarity
    • API ID: MetricsSystem
    • String ID: B^.
    • API String ID: 4116985748-176575641
    • Opcode ID: af160fe690e856d8a81914253268938d52397ad137fc2ac1807f148e03bc3095
    • Instruction ID: 71dea968f98279a82305da897160cc7777d10c5d51b3175a8d687fd65e7be212
    • Opcode Fuzzy Hash: af160fe690e856d8a81914253268938d52397ad137fc2ac1807f148e03bc3095
    • Instruction Fuzzy Hash: FF2123B18003498FDB20DF99D84979EBFF4EB08314F14842AD559AB650C778A984CFA5
    APIs
    • GetSystemMetrics.USER32(00000022), ref: 066B2DD6
    • GetSystemMetrics.USER32(00000023), ref: 066B2E10
    Memory Dump Source
    • Source File: 00000000.00000002.2887486446.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66b0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: MetricsSystem
    • String ID: B^.
    • API String ID: 4116985748-176575641
    • Opcode ID: ccdde4e2ebfbb7fdb46e28d9b96759f999759e1f31bcbd94c42a5a79eee50ffd
    • Instruction ID: cbecfc8559b92386ea7c183c799498094ed4c07a7a7ec69beca671739950bd3d
    • Opcode Fuzzy Hash: ccdde4e2ebfbb7fdb46e28d9b96759f999759e1f31bcbd94c42a5a79eee50ffd
    • Instruction Fuzzy Hash: B12134B0800349CFDB20CFAAE8497EEBFF4EB09314F24842AD559A7250C3786584CFA5
    APIs
    • GetSystemMetrics.USER32(0000003B), ref: 066B2CFE
    • GetSystemMetrics.USER32(0000003C), ref: 066B2D38
    Memory Dump Source
    • Source File: 00000000.00000002.2887486446.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66b0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: MetricsSystem
    • String ID: B^.
    • API String ID: 4116985748-176575641
    • Opcode ID: 01a942369cc7c9b8deaffd920b9d89c1369f86c0c3564f69423263e1bea74195
    • Instruction ID: d6a2b9683fb473c0896d0b686c254d3dac6e29b069d673d3b8f13f89305eaaab
    • Opcode Fuzzy Hash: 01a942369cc7c9b8deaffd920b9d89c1369f86c0c3564f69423263e1bea74195
    • Instruction Fuzzy Hash: FD2103B0901349CFDB20DF99E8497EEBFF8EB08314F24841AD559A7251C3786985CFA5
    APIs
    • GetSystemMetrics.USER32(00000050), ref: 066BD28B
    Memory Dump Source
    • Source File: 00000000.00000002.2887486446.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66b0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: MetricsSystem
    • String ID: B^.$4'^q
    • API String ID: 4116985748-876356118
    • Opcode ID: cbe823798a958353d328a0507bf1d7bd9ef6f54ade424bf70658d038f3befed7
    • Instruction ID: 3e6735fd7ecc34f18a83e5faeaf615113a8b20648ddb349d593ca438fb195343
    • Opcode Fuzzy Hash: cbe823798a958353d328a0507bf1d7bd9ef6f54ade424bf70658d038f3befed7
    • Instruction Fuzzy Hash: 022103B5D00249CFCB14DF99D8456EEBBF4EB08320F14855AD419B7281C738A945CFA5
    APIs
    • GetSystemMetrics.USER32(00000031), ref: 066F1D66
    • GetSystemMetrics.USER32(00000032), ref: 066F1DA0
    Memory Dump Source
    • Source File: 00000000.00000002.2887560348.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66f0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: MetricsSystem
    • String ID: B^.
    • API String ID: 4116985748-176575641
    • Opcode ID: ecc62d11ea0f1be7f2cbbc2e21b5897a2ea743dc3a8c367e5366a1669c48e1ea
    • Instruction ID: bcd46571a7363f189523c427814aa8d4ac688149f476db3d336b87eeb6f0bbc1
    • Opcode Fuzzy Hash: ecc62d11ea0f1be7f2cbbc2e21b5897a2ea743dc3a8c367e5366a1669c48e1ea
    • Instruction Fuzzy Hash: 6321F0B4800349CFDB60DF9AD84979EFFF4AB09364F24841AD559A7250C378A984CFA5
    APIs
    • GetSystemMetrics.USER32(00000050), ref: 066BD28B
    Memory Dump Source
    • Source File: 00000000.00000002.2887486446.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_66b0000_wLw52XmkOM.jbxd
    Similarity
    • API ID: MetricsSystem
    • String ID: B^.$4'^q
    • API String ID: 4116985748-876356118
    • Opcode ID: 75b665d3cfb1cf98e2c1ecb4c2d70ec95387d9852cb80ccc51d31a2e6e6431eb
    • Instruction ID: 14ee0029fde899ced11dcf58b826de7946cc6e4bcafd7b3a1eafb74f45d9297d
    • Opcode Fuzzy Hash: 75b665d3cfb1cf98e2c1ecb4c2d70ec95387d9852cb80ccc51d31a2e6e6431eb
    • Instruction Fuzzy Hash: 652104B0D0025ACFCB14DF99D8456EEBBF4EB08320F10855AD959BB390C738A945CFA5