Edit tour

Windows Analysis Report
vkXe5gkY34.exe

Overview

General Information

Sample name:	vkXe5gkY34.exe renamed because original name is a hash value
Original sample name:	88696cf17417a2339b63f9452404c839.exe
Analysis ID:	1483406
MD5:	88696cf17417a2339b63f9452404c839
SHA1:	2123ca0e3764ba65e421d3b5dd7453da955d36f2
SHA256:	a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895
Tags:	32exe
Infos:

Detection

XenoRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected XenoRAT

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

PE file contains section with special chars

PE file has nameless sections

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SGDT)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

vkXe5gkY34.exe (PID: 6256 cmdline: "C:\Users\user\Desktop\vkXe5gkY34.exe" MD5: 88696CF17417A2339B63F9452404C839)

cmd.exe (PID: 6472 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\eystsdf.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

efthfxj.sfx.exe (PID: 3852 cmdline: efthfxj.sfx.exe -pgtrfdewscbsdyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeG -dC:\Users\user\AppData\Roaming MD5: 642A150BE5BBED12C85DFF794B955C01)

efthfxj.exe (PID: 4052 cmdline: "C:\Users\user\AppData\Roaming\efthfxj.exe" MD5: DCB591D1FC03274934709E24B502D719)

efthfxj.exe (PID: 3504 cmdline: C:\Users\user\AppData\Roaming\efthfxj.exe MD5: DCB591D1FC03274934709E24B502D719)

WerFault.exe (PID: 3448 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)

efthfxj.exe (PID: 1084 cmdline: C:\Users\user\AppData\Roaming\efthfxj.exe MD5: DCB591D1FC03274934709E24B502D719)

efthfxj.exe (PID: 3992 cmdline: "C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe" MD5: DCB591D1FC03274934709E24B502D719)

efthfxj.exe (PID: 1276 cmdline: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe MD5: DCB591D1FC03274934709E24B502D719)

efthfxj.exe (PID: 4276 cmdline: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe MD5: DCB591D1FC03274934709E24B502D719)

efthfxj.exe (PID: 5968 cmdline: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe MD5: DCB591D1FC03274934709E24B502D719)

efthfxj.exe (PID: 7196 cmdline: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe MD5: DCB591D1FC03274934709E24B502D719)

efthfxj.exe (PID: 6200 cmdline: C:\Users\user\AppData\Roaming\efthfxj.exe MD5: DCB591D1FC03274934709E24B502D719)

schtasks.exe (PID: 7676 cmdline: "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp" /F MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

efthfxj.exe (PID: 1076 cmdline: C:\Users\user\AppData\Roaming\efthfxj.exe MD5: DCB591D1FC03274934709E24B502D719)

efthfxj.exe (PID: 7740 cmdline: C:\Users\user\AppData\Roaming\efthfxj.exe MD5: DCB591D1FC03274934709E24B502D719)

efthfxj.exe (PID: 7800 cmdline: C:\Users\user\AppData\Roaming\efthfxj.exe MD5: DCB591D1FC03274934709E24B502D719)

efthfxj.exe (PID: 7808 cmdline: C:\Users\user\AppData\Roaming\efthfxj.exe MD5: DCB591D1FC03274934709E24B502D719)

efthfxj.exe (PID: 7836 cmdline: C:\Users\user\AppData\Roaming\efthfxj.exe MD5: DCB591D1FC03274934709E24B502D719)

efthfxj.exe (PID: 7868 cmdline: C:\Users\user\AppData\Roaming\efthfxj.exe MD5: DCB591D1FC03274934709E24B502D719)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XenoRAT		No Attribution	https://github.com/moom825/xeno-rat	https://malpedia.caad.fkie.fraunhofer.de/details/win.xenorat

Malware Configuration

Threatname: XenoRAT

{"C2 url": "45.66.231.63", "Mutex Name": "Holid_rat_nd8859g", "Install Folder": "appdata"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.2089629416.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
0000000D.00000002.2089629416.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000005.00000002.2076384338.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
0000000D.00000002.2089629416.0000000002E93000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
0000000D.00000002.2089629416.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000005.00000002.2076384338.0000000002C94000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
0000000A.00000002.2060330225.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000005.00000002.2076384338.0000000002C85000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000017.00000002.2699568740.0000000002B22000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000005.00000002.2076384338.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000017.00000002.2699568740.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
0000000D.00000002.2089629416.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000005.00000002.2076384338.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: efthfxj.exe PID: 4052	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: efthfxj.exe PID: 1076	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: efthfxj.exe PID: 3992	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: efthfxj.exe PID: 7740	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author
10.2.efthfxj.exe.400000.0.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
23.2.efthfxj.exe.28febf8.0.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
5.2.efthfxj.exe.2a6d5ec.2.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
13.2.efthfxj.exe.2c5bbcc.0.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
13.2.efthfxj.exe.2c5bbcc.0.raw.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
13.2.efthfxj.exe.2c5b3cc.1.raw.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
5.2.efthfxj.exe.2a6d5ec.2.raw.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
23.2.efthfxj.exe.28febf8.0.raw.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
23.2.efthfxj.exe.28fb324.1.raw.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\efthfxj.exe, ParentImage: C:\Users\user\AppData\Roaming\efthfxj.exe, ParentProcessId: 6200, ParentProcessName: efthfxj.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp" /F, ProcessId: 7676, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\efthfxj.exe, ParentImage: C:\Users\user\AppData\Roaming\efthfxj.exe, ParentProcessId: 6200, ParentProcessName: efthfxj.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp" /F, ProcessId: 7676, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.5

Timestamp:	2024-07-27T10:22:21.901268+0200
SID:	2022930
Source Port:	443
Destination Port:	49704
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.5

Timestamp:	2024-07-27T10:23:00.133191+0200
SID:	2022930
Source Port:	443
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Avira: detection malicious, Label: HEUR/AGEN.1357819
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Avira: detection malicious, Label: HEUR/AGEN.1357819

Found malware configuration

Source: 10.2.efthfxj.exe.400000.0.unpack

Malware Configuration Extractor: XenoRAT {"C2 url": "45.66.231.63", "Mutex Name": "Holid_rat_nd8859g", "Install Folder": "appdata"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Virustotal: Detection: 50%	Perma Link
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Virustotal: Detection: 50%	Perma Link
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Virustotal: Detection: 14%	Perma Link

Multi AV Scanner detection for submitted file

Source: vkXe5gkY34.exe

Virustotal: Detection: 29%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Joe Sandbox ML: detected

Source: vkXe5gkY34.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: vkXe5gkY34.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: vkXe5gkY34.exe, efthfxj.sfx.exe.0.dr

Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00C9A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00C9A2C3
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CB7D69 FindFirstFileExA,	0_2_00CB7D69
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CAA536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00CAA536
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0063A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	4_2_0063A2C3
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_00657D69 FindFirstFileExA,	4_2_00657D69
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0064A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	4_2_0064A536

Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 4x nop then jmp 026217B0h	7_2_02620B60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 4x nop then jmp 00A617B0h	9_2_00A60B60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 4x nop then jmp 00A617B0h	9_2_00A60B52
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 4x nop then jmp 00E417B0h	10_2_00E40B60
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 4x nop then jmp 012217B0h	14_2_01220B60
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 4x nop then jmp 010A17B0h	15_2_010A0B60
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 4x nop then jmp 015417B0h	16_2_01540B60
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 4x nop then jmp 013117B0h	17_2_01310B60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 4x nop then jmp 030717B0h	24_2_03070B60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 4x nop then jmp 012417B0h	25_2_01240B60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 4x nop then jmp 012217B0h	26_2_01220B60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 4x nop then jmp 019517B0h	27_2_01950B60

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.66.231.63

Source: global traffic

TCP traffic: 192.168.2.5:49710 -> 45.66.231.63:1243

Source: Joe Sandbox View

ASN Name: CMCSUS CMCSUS

Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.231.63
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.231.63
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.231.63
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.231.63
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.231.63
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.231.63
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.231.63
Source: unknown	TCP traffic detected without corresponding DNS query: 45.66.231.63

Source: efthfxj.exe, 00000018.00000002.2690514135.00000000013B7000.00000004.00000020.00020000.00000000.sdmp, efthfxj.exe, 0000001B.00000002.2694307250.0000000001786000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: http://go.microsoft.c

System Summary

PE file contains section with special chars

Source: efthfxj.exe.4.dr	Static PE information: section name: ?TBQo
Source: efthfxj.exe.7.dr	Static PE information: section name: ?TBQo

PE file has nameless sections

Source: efthfxj.exe.4.dr	Static PE information: section name:
Source: efthfxj.exe.7.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AFAC08 NtSetContextThread,	5_2_04AFAC08
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AFA508 NtReadVirtualMemory,	5_2_04AFA508
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AFA6C0 NtResumeThread,	5_2_04AFA6C0
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AFA8E0 NtWriteVirtualMemory,	5_2_04AFA8E0
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AFAC01 NtSetContextThread,	5_2_04AFAC01
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AFA500 NtReadVirtualMemory,	5_2_04AFA500
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AFA6B9 NtResumeThread,	5_2_04AFA6B9
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AFA8D8 NtWriteVirtualMemory,	5_2_04AFA8D8
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063AA6C0 NtResumeThread,	13_2_063AA6C0
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063AAC08 NtSetContextThread,	13_2_063AAC08
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063AA508 NtReadVirtualMemory,	13_2_063AA508
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063AA8E0 NtWriteVirtualMemory,	13_2_063AA8E0
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063AA6B9 NtResumeThread,	13_2_063AA6B9
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063AAC01 NtSetContextThread,	13_2_063AAC01
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063AA500 NtReadVirtualMemory,	13_2_063AA500
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063AA8D8 NtWriteVirtualMemory,	13_2_063AA8D8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0725A6C0 NtUnmapViewOfSection,	23_2_0725A6C0
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0725A508 NtReadVirtualMemory,	23_2_0725A508
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0725AC08 NtSetContextThread,	23_2_0725AC08
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0725A8E0 NtWriteVirtualMemory,	23_2_0725A8E0
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0725A6B9 NtUnmapViewOfSection,	23_2_0725A6B9
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0725A500 NtReadVirtualMemory,	23_2_0725A500
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0725AC01 NtSetContextThread,	23_2_0725AC01
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0725A8D8 NtWriteVirtualMemory,	23_2_0725A8D8

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

Code function: 0_2_00C97070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00C97070

Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CA5983	0_2_00CA5983
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00C983EB	0_2_00C983EB
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CBE8D4	0_2_00CBE8D4
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CAE8EC	0_2_00CAE8EC
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CA30E5	0_2_00CA30E5
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00C9E097	0_2_00C9E097
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00C931F0	0_2_00C931F0
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CAFA6A	0_2_00CAFA6A
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00C9BA6A	0_2_00C9BA6A
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CAF200	0_2_00CAF200
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00C9D222	0_2_00C9D222
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CA63F1	0_2_00CA63F1
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CBA350	0_2_00CBA350
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CB2B68	0_2_00CB2B68
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CA2B39	0_2_00CA2B39
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00C9ECE9	0_2_00C9ECE9
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00C9DC32	0_2_00C9DC32
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CAEDE8	0_2_00CAEDE8
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CA5DB8	0_2_00CA5DB8
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CA2DB4	0_2_00CA2DB4
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00C95E83	0_2_00C95E83
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CB9EA0	0_2_00CB9EA0
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00C9D634	0_2_00C9D634
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CAF635	0_2_00CAF635
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00C93F95	0_2_00C93F95
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CA4FB4	0_2_00CA4FB4
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00C92759	0_2_00C92759
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_00645983	4_2_00645983
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_006383EB	4_2_006383EB
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_006430E5	4_2_006430E5
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0064E8EC	4_2_0064E8EC
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0065E8D4	4_2_0065E8D4
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0063E097	4_2_0063E097
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_006331F0	4_2_006331F0
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0063BA6A	4_2_0063BA6A
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0064FA6A	4_2_0064FA6A
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0063D222	4_2_0063D222
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0064F200	4_2_0064F200
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_00652B68	4_2_00652B68
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0065A350	4_2_0065A350
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_00642B39	4_2_00642B39
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_006463F1	4_2_006463F1
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0063DC32	4_2_0063DC32
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0063ECE9	4_2_0063ECE9
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0064EDE8	4_2_0064EDE8
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_00642DB4	4_2_00642DB4
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_00645DB8	4_2_00645DB8
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0064F635	4_2_0064F635
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0063D634	4_2_0063D634
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_00659EA0	4_2_00659EA0
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_00635E83	4_2_00635E83
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_00632759	4_2_00632759
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_00644FB4	4_2_00644FB4
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_00633F95	4_2_00633F95
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FB7CB8	5_2_00FB7CB8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FBB450	5_2_00FBB450
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FB0848	5_2_00FB0848
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FBB190	5_2_00FBB190
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FBC970	5_2_00FBC970
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FB5A50	5_2_00FB5A50
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FB6378	5_2_00FB6378
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FB3B30	5_2_00FB3B30
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FBFC88	5_2_00FBFC88
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FBA038	5_2_00FBA038
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FB59A8	5_2_00FB59A8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FBED48	5_2_00FBED48
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FBA2B0	5_2_00FBA2B0
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FB4EA8	5_2_00FB4EA8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FB4E98	5_2_00FB4E98
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FB9E00	5_2_00FB9E00
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FB07C7	5_2_00FB07C7
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FB8B88	5_2_00FB8B88
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FB9758	5_2_00FB9758
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FBAB50	5_2_00FBAB50
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_0115D810	5_2_0115D810
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_01152B08	5_2_01152B08
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_01157D28	5_2_01157D28
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_0115D550	5_2_0115D550
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_01155E20	5_2_01155E20
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_011509B0	5_2_011509B0
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_011509C0	5_2_011509C0
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_01157020	5_2_01157020
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_01151078	5_2_01151078
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_01151080	5_2_01151080
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_0115C0C8	5_2_0115C0C8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_011570F8	5_2_011570F8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_01152AF7	5_2_01152AF7
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_0115AD60	5_2_0115AD60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_01150CB0	5_2_01150CB0
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_0115E660	5_2_0115E660
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_0115BE90	5_2_0115BE90
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_01151698	5_2_01151698
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_01151688	5_2_01151688
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AF9880	5_2_04AF9880
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AF2B68	5_2_04AF2B68
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AF5440	5_2_04AF5440
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AF850B	5_2_04AF850B
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AF8518	5_2_04AF8518
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AF36F8	5_2_04AF36F8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AFC710	5_2_04AFC710
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AF9875	5_2_04AF9875
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AFB1AC	5_2_04AFB1AC
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AFB1B8	5_2_04AFB1B8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AFD1C9	5_2_04AFD1C9
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AFD1D8	5_2_04AFD1D8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_0AA70040	5_2_0AA70040
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 7_2_02620B60	7_2_02620B60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 9_2_00A62030	9_2_00A62030
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 9_2_00A64860	9_2_00A64860
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 9_2_00A63660	9_2_00A63660
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 9_2_00A60B60	9_2_00A60B60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 9_2_00A63650	9_2_00A63650
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 9_2_00A60B52	9_2_00A60B52
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 10_2_00E40B60	10_2_00E40B60
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C3C6B0	13_2_02C3C6B0
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C35A50	13_2_02C35A50
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C33E7B	13_2_02C33E7B
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C363B7	13_2_02C363B7
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C3D498	13_2_02C3D498
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C37CB8	13_2_02C37CB8
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C30848	13_2_02C30848
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C36DE1	13_2_02C36DE1
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C3B190	13_2_02C3B190
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C34E98	13_2_02C34E98
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C34EA8	13_2_02C34EA8
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C3A2B0	13_2_02C3A2B0
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C39E00	13_2_02C39E00
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C35A37	13_2_02C35A37
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C363C7	13_2_02C363C7
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C38B88	13_2_02C38B88
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C3AB50	13_2_02C3AB50
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C39758	13_2_02C39758
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C3FC88	13_2_02C3FC88
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C3A038	13_2_02C3A038
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C30838	13_2_02C30838
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C3ED48	13_2_02C3ED48
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CDD550	13_2_04CDD550
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD7D28	13_2_04CD7D28
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CDD8C8	13_2_04CDD8C8
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD6047	13_2_04CD6047
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD2B08	13_2_04CD2B08
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD0CB0	13_2_04CD0CB0
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CDAD60	13_2_04CDAD60
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD1688	13_2_04CD1688
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD1698	13_2_04CD1698
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CDBE90	13_2_04CDBE90
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CDE660	13_2_04CDE660
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CDC0C8	13_2_04CDC0C8
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD70F8	13_2_04CD70F8
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD1080	13_2_04CD1080
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD1073	13_2_04CD1073
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD702E	13_2_04CD702E
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD09C0	13_2_04CD09C0
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD09B0	13_2_04CD09B0
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD2AF7	13_2_04CD2AF7
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_053A0006	13_2_053A0006
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_053A0040	13_2_053A0040
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063A9880	13_2_063A9880
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063AC710	13_2_063AC710
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063A5440	13_2_063A5440
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063A8518	13_2_063A8518
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063A850A	13_2_063A850A
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063A9875	13_2_063A9875
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063AB1B8	13_2_063AB1B8
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063AB1AC	13_2_063AB1AC
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063AD1D8	13_2_063AD1D8
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_063AD1C9	13_2_063AD1C9
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 14_2_01220B60	14_2_01220B60
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 15_2_010A0B60	15_2_010A0B60
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 16_2_01540B60	16_2_01540B60
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 17_2_01310B60	17_2_01310B60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B5A50	23_2_026B5A50
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B6378	23_2_026B6378
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B0848	23_2_026B0848
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026BB450	23_2_026BB450
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B7CB8	23_2_026B7CB8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026BC970	23_2_026BC970
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B3D2A	23_2_026B3D2A
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B6DDB	23_2_026B6DDB
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026BB190	23_2_026BB190
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B9E00	23_2_026B9E00
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B4EA8	23_2_026B4EA8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026BA2B0	23_2_026BA2B0
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B4E98	23_2_026B4E98
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B9758	23_2_026B9758
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026BAB50	23_2_026BAB50
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B07C7	23_2_026B07C7
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B8B88	23_2_026B8B88
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026BA038	23_2_026BA038
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026BFC88	23_2_026BFC88
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026BED48	23_2_026BED48
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B5936	23_2_026B5936
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B59A8	23_2_026B59A8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_026B3DB2	23_2_026B3DB2
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_04977D28	23_2_04977D28
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0497D550	23_2_0497D550
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_04975E20	23_2_04975E20
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0497D8C8	23_2_0497D8C8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_04972B08	23_2_04972B08
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0497F340	23_2_0497F340
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_04970CB0	23_2_04970CB0
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0497ED90	23_2_0497ED90
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0497AD60	23_2_0497AD60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0497BE90	23_2_0497BE90
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_04971698	23_2_04971698
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_04971688	23_2_04971688
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0497E660	23_2_0497E660
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0497DF38	23_2_0497DF38
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_04971080	23_2_04971080
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0497C0C8	23_2_0497C0C8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_049770F8	23_2_049770F8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_04977020	23_2_04977020
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_04971073	23_2_04971073
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_049709B0	23_2_049709B0
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_049709C0	23_2_049709C0
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_04972AF7	23_2_04972AF7
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_06010007	23_2_06010007
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_06010027	23_2_06010027
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_06010040	23_2_06010040
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_07250D98	23_2_07250D98
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_07255440	23_2_07255440
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_07259880	23_2_07259880
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0725C710	23_2_0725C710
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_07258509	23_2_07258509
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_07258518	23_2_07258518
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0725B1AC	23_2_0725B1AC
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0725B1B8	23_2_0725B1B8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0725D1C9	23_2_0725D1C9
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_0725D1D8	23_2_0725D1D8
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 23_2_07259875	23_2_07259875
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 24_2_03070B60	24_2_03070B60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 25_2_01240B60	25_2_01240B60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 26_2_01220B60	26_2_01220B60
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 27_2_01950B60	27_2_01950B60

Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: String function: 00CACDF0 appears 37 times
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: String function: 00CAD810 appears 31 times
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: String function: 00CACEC0 appears 53 times
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: String function: 0064CDF0 appears 37 times
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: String function: 0064CEC0 appears 53 times
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: String function: 0064D810 appears 31 times

Source: C:\Users\user\AppData\Roaming\efthfxj.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 80

Source: vkXe5gkY34.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: efthfxj.exe.4.dr	Static PE information: Section: ?TBQo ZLIB complexity 1.0003601866883116
Source: efthfxj.exe.7.dr	Static PE information: Section: ?TBQo ZLIB complexity 1.0003601866883116

Source: 5.2.efthfxj.exe.2a6d5ec.2.raw.unpack, Encryption.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.efthfxj.exe.2c5bbcc.0.raw.unpack, Encryption.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.efthfxj.exe.28febf8.0.raw.unpack, Encryption.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@40/6@0/1

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

Code function: 0_2_00CA8BCF FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00CA8BCF

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

File created: C:\Users\user\AppData\Roaming\__tmp_rar_sfx_access_check_4282234

Jump to behavior

Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Mutant created: \Sessions\1\BaseNamedObjects\Holid_rat_nd8859g-admin
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3504

Source: C:\Users\user\AppData\Roaming\efthfxj.exe

File created: C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp

Jump to behavior

Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Command line argument: sfxname	0_2_00CAC130
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Command line argument: sfxstime	0_2_00CAC130
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Command line argument: STARTDLG	0_2_00CAC130
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Command line argument: *xh	4_2_0064C130
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Command line argument: *ag	4_2_0064C130
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Command line argument: 8yh	4_2_0064C130
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Command line argument: sfxname	4_2_0064C130
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Command line argument: sfxstime	4_2_0064C130
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Command line argument: STARTDLG	4_2_0064C130

Source: vkXe5gkY34.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vkXe5gkY34.exe

Virustotal: Detection: 29%

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

File read: C:\Users\user\Desktop\vkXe5gkY34.exe

Jump to behavior

Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\efthfxj.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: vkXe5gkY34.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: vkXe5gkY34.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: vkXe5gkY34.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: vkXe5gkY34.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: vkXe5gkY34.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: vkXe5gkY34.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: vkXe5gkY34.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: vkXe5gkY34.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: vkXe5gkY34.exe, efthfxj.sfx.exe.0.dr

Source: vkXe5gkY34.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: vkXe5gkY34.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: vkXe5gkY34.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: vkXe5gkY34.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: vkXe5gkY34.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Roaming\efthfxj.exe

Unpacked PE file: 5.2.efthfxj.exe.750000.0.unpack ?TBQo:EW;.text:ER;.rsrc:R;Unknown_Section3:ER;.reloc:R; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:ER;Unknown_Section4:R;

.NET source code contains potential unpacker

Source: 5.2.efthfxj.exe.2a6d5ec.2.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 5.2.efthfxj.exe.2a6d5ec.2.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler
Source: 13.2.efthfxj.exe.2c5bbcc.0.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 13.2.efthfxj.exe.2c5bbcc.0.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler
Source: 23.2.efthfxj.exe.28febf8.0.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 23.2.efthfxj.exe.28febf8.0.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

File created: C:\Users\user\AppData\Roaming\__tmp_rar_sfx_access_check_4282234

Jump to behavior

Source: efthfxj.exe.4.dr	Static PE information: section name: ?TBQo
Source: efthfxj.exe.4.dr	Static PE information: section name:
Source: efthfxj.exe.7.dr	Static PE information: section name: ?TBQo
Source: efthfxj.exe.7.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CAD856 push ecx; ret	0_2_00CAD869
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CACDF0 push eax; ret	0_2_00CACE0E
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0064D856 push ecx; ret	4_2_0064D869
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0064CDF0 push eax; ret	4_2_0064CE0E
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_00FB3A36 pushad ; iretd	5_2_00FB3A37
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_01154849 push ebp; retf	5_2_0115484A
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_011555E3 push cs; retf	5_2_011555E5
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_011557E2 push ecx; iretd	5_2_011557E4
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Code function: 5_2_04AF6B97 push 8BFFFFFFh; retf	5_2_04AF6B9D
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C36AC3 push 6A9902C3h; ret	13_2_02C36AD2
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C36AA1 push 698702C3h; ret	13_2_02C36AB6
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C35A1F push esp; ret	13_2_02C35A22
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C35A2F push ecx; ret	13_2_02C35A32
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C33A36 pushad ; iretd	13_2_02C33A37
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C33B57 push cs; ret	13_2_02C33B5E
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C33B6F push ds; ret	13_2_02C33B7E
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C33CFF push ss; ret	13_2_02C33D0A
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C359C7 push eax; ret	13_2_02C359CE
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C359D7 push ebp; ret	13_2_02C359DE
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C359DF push eax; ret	13_2_02C359E6
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C359EB push esp; ret	13_2_02C359EE
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C359EF push ebx; ret	13_2_02C359F6
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C359F7 push ebx; ret	13_2_02C359FA
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C359FB push edi; ret	13_2_02C359FE
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C359FF push edx; ret	13_2_02C35A06
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C359BB push edx; ret	13_2_02C359BE
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C359BF push ebp; ret	13_2_02C359C2
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_02C33D13 push ss; ret	13_2_02C33D1A
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD55E3 push cs; retf	13_2_04CD55E5
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD57E2 push ecx; iretd	13_2_04CD57E4
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Code function: 13_2_04CD4849 push ebp; retf	13_2_04CD484A

Source: efthfxj.exe.4.dr	Static PE information: section name: ?TBQo entropy: 7.999185110388199
Source: efthfxj.exe.7.dr	Static PE information: section name: ?TBQo entropy: 7.999185110388199

Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	File created: C:\Users\user\AppData\Roaming\efthfxj.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	File created: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	File created: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\efthfxj.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp" /F

Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 4A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 5150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 6150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 6280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 7280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 75D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 85D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 95D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: A850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: B850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: BCE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: CCE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 5150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 6280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 75D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 85D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 95D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 25E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 2750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 27A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 47A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 47F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 2C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 2C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 4C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 5360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 6360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 6490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 7490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 77E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 87E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 5360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 87E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 98E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 77E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: A8E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 6AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 5360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 1220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 2C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 4C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 10A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 2B40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 4B40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 1540000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 1310000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory allocated: 4FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 2610000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 28F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 48F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 4FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 5FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 60F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 70F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 7440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 8440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 4FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 60F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 7440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 9640000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: A640000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 8940000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: B640000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 4FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 5FD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 7440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 3070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 31F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 51F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 1240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 2BB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 4BB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 1220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 1950000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 32D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory allocated: 52D0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\efthfxj.exe

Code function: 5_2_00FB6180 sgdt fword ptr [ecx]

5_2_00FB6180

Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Window / User API: threadDelayed 1248			Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Window / User API: threadDelayed 8607			Jump to behavior

Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 5504	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 6540	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -60400s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 6528	Thread sleep count: 1248 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -60275s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 6528	Thread sleep count: 8607 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -60163s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -60051s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -59931s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -59814s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -59666s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -59521s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -59400s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -59290s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -58977s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -58869s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -58759s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -58650s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -58540s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -58431s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -58322s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -58213s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -58103s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -57994s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -57885s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -57775s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -57666s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -57556s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -57447s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -57338s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -57228s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -57115s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -56994s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -56861s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -56728s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -56616s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -56508s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -56398s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -56291s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -56181s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -56072s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -55963s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -55853s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -55744s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -55634s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -55525s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -55415s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -55306s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -55197s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -55088s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -54978s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -54869s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -54759s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 3376	Thread sleep time: -54650s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 6204	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe TID: 6256	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe TID: 5908	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe TID: 7172	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe TID: 7204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe TID: 7240	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 7760	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 7844	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 7912	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\efthfxj.exe TID: 7920	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00C9A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00C9A2C3
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CB7D69 FindFirstFileExA,	0_2_00CB7D69
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CAA536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00CAA536
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0063A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	4_2_0063A2C3
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_00657D69 FindFirstFileExA,	4_2_00657D69
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0064A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	4_2_0064A536

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

Code function: 0_2_00CAC8D4 VirtualQuery,GetSystemInfo,

0_2_00CAC8D4

Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 60400	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 60275	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 60163	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 60051	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 59931	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 59814	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 59666	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 59521	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 59400	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 59290	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 58977	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 58869	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 58759	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 58650	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 58540	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 58431	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 58322	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 58213	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 58103	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 57994	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 57885	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 57775	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 57666	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 57556	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 57447	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 57338	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 57228	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 57115	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 56994	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 56861	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 56728	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 56616	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 56508	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 56398	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 56291	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 56181	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 56072	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 55963	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 55853	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 55744	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 55634	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 55525	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 55415	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 55306	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 55197	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 55088	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 54978	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 54869	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 54759	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 54650	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Thread delayed: delay time: 922337203685477

Source: vkXe5gkY34.exe, 00000000.00000003.2032555745.00000000007AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: efthfxj.sfx.exe, 00000004.00000003.2051399058.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: efthfxj.exe, 00000009.00000002.3278672788.0000000000B11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\vkXe5gkY34.exe	API call chain: ExitProcess graph end node			graph_0-23523
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	API call chain: ExitProcess graph end node			graph_4-22562

Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

Code function: 0_2_00CADA15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CADA15

Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CB49FA mov eax, dword ptr fs:[00000030h]		0_2_00CB49FA
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_006549FA mov eax, dword ptr fs:[00000030h]		4_2_006549FA

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

Code function: 0_2_00CB8A9B GetProcessHeap,

0_2_00CB8A9B

Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CADA15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CADA15
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CB5B43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CB5B43
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CADB63 SetUnhandledExceptionFilter,	0_2_00CADB63
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: 0_2_00CADD1B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CADD1B
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0064DA15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0064DA15
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0064DB63 SetUnhandledExceptionFilter,	4_2_0064DB63
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_00655B43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00655B43
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: 4_2_0064DD1B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0064DD1B

Source: C:\Users\user\AppData\Roaming\efthfxj.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory written: C:\Users\user\AppData\Roaming\efthfxj.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory written: C:\Users\user\AppData\Roaming\efthfxj.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory written: C:\Users\user\AppData\Roaming\efthfxj.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory written: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory written: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory written: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Memory written: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory written: C:\Users\user\AppData\Roaming\efthfxj.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory written: C:\Users\user\AppData\Roaming\efthfxj.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory written: C:\Users\user\AppData\Roaming\efthfxj.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Memory written: C:\Users\user\AppData\Roaming\efthfxj.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

Code function: 0_2_00CAD86B cpuid

0_2_00CAD86B

Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		0_2_00CA932E
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		4_2_0064932E

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

Code function: 0_2_00CAC130 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,

0_2_00CAC130

Source: C:\Users\user\Desktop\vkXe5gkY34.exe

Code function: 0_2_00C9A930 GetVersionExW,

0_2_00C9A930

Source: C:\Users\user\AppData\Roaming\efthfxj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected XenoRAT

Source: Yara match	File source: 10.2.efthfxj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.efthfxj.exe.28febf8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.efthfxj.exe.2a6d5ec.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.efthfxj.exe.2c5bbcc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.efthfxj.exe.2c5bbcc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.efthfxj.exe.2c5b3cc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.efthfxj.exe.2a6d5ec.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.efthfxj.exe.28febf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.efthfxj.exe.28fb324.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2089629416.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2089629416.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2076384338.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2089629416.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2089629416.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2076384338.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2060330225.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2076384338.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2699568740.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2076384338.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2699568740.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2089629416.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2076384338.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: efthfxj.exe PID: 4052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: efthfxj.exe PID: 1076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: efthfxj.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: efthfxj.exe PID: 7740, type: MEMORYSTR

Remote Access Functionality

Yara detected XenoRAT

Source: Yara match	File source: 10.2.efthfxj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.efthfxj.exe.28febf8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.efthfxj.exe.2a6d5ec.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.efthfxj.exe.2c5bbcc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.efthfxj.exe.2c5bbcc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.efthfxj.exe.2c5b3cc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.efthfxj.exe.2a6d5ec.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.efthfxj.exe.28febf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.efthfxj.exe.28fb324.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2089629416.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2089629416.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2076384338.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2089629416.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2089629416.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2076384338.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2060330225.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2076384338.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2699568740.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2076384338.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2699568740.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2089629416.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2076384338.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: efthfxj.exe PID: 4052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: efthfxj.exe PID: 1076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: efthfxj.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: efthfxj.exe PID: 7740, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	35 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
vkXe5gkY34.exe	30%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\efthfxj.exe	100%	Avira	HEUR/AGEN.1357819
C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	100%	Avira	HEUR/AGEN.1357819
C:\Users\user\AppData\Roaming\efthfxj.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	51%	Virustotal		Browse
C:\Users\user\AppData\Roaming\efthfxj.exe	51%	Virustotal		Browse
C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	15%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
45.66.231.63	0%	Avira URL Cloud	safe
http://go.microsoft.c	0%	Avira URL Cloud	safe
45.66.231.63	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
45.66.231.63	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsoft.c	efthfxj.exe, 00000018.00000002.2690514135.00000000013B7000.00000004.00000020.00020000.00000000.sdmp, efthfxj.exe, 0000001B.00000002.2694307250.0000000001786000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.66.231.63	unknown	Germany		33657	CMCSUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483406
Start date and time:	2024-07-27 10:21:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	vkXe5gkY34.exe renamed because original name is a hash value
Original Sample Name:	88696cf17417a2339b63f9452404c839.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@40/6@0/1
EGA Information:	Successful, ratio: 31.2%
HCA Information:	Successful, ratio: 92% Number of executed functions: 364 Number of non-executed functions: 139
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target efthfxj.exe, PID 1076 because it is empty
Execution Graph export aborted for target efthfxj.exe, PID 1084 because it is empty
Execution Graph export aborted for target efthfxj.exe, PID 1276 because it is empty
Execution Graph export aborted for target efthfxj.exe, PID 4276 because it is empty
Execution Graph export aborted for target efthfxj.exe, PID 5968 because it is empty
Execution Graph export aborted for target efthfxj.exe, PID 6200 because it is empty
Execution Graph export aborted for target efthfxj.exe, PID 7196 because it is empty
Execution Graph export aborted for target efthfxj.exe, PID 7800 because it is empty
Execution Graph export aborted for target efthfxj.exe, PID 7808 because it is empty
Execution Graph export aborted for target efthfxj.exe, PID 7836 because it is empty
Execution Graph export aborted for target efthfxj.exe, PID 7868 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:22:04	API Interceptor	63969x Sleep call for process: efthfxj.exe modified
10:23:07	Task Scheduler	Run new task: HDdisplay path: C:\Users\user\AppData\Roaming\efthfxj.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
45.66.231.63	ansUFyC1K3.exe	Get hash	malicious	XenoRAT	Browse
	qG18PE7Lnn.exe	Get hash	malicious	XenoRAT	Browse
	PAGO_Transferencia.lnk.lnk	Get hash	malicious	XenoRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CMCSUS	ansUFyC1K3.exe	Get hash	malicious	XenoRAT	Browse	45.66.231.63
	qG18PE7Lnn.exe	Get hash	malicious	XenoRAT	Browse	45.66.231.63
	PAGO_Transferencia.lnk.lnk	Get hash	malicious	XenoRAT	Browse	45.66.231.63
	LisectAVT_2403002A_315.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	85.209.133.133
	042240724.xls	Get hash	malicious	Remcos	Browse	45.66.231.190
	Lisect_AVT_24003_G1B_122.exe	Get hash	malicious	Unknown	Browse	45.90.89.20
	Lisect_AVT_24003_G1B_122.exe	Get hash	malicious	Unknown	Browse	45.90.89.20
	d5a0aabdcffd82e4ef4eb190884c48b21291728680901dffae16813298a10830.exe	Get hash	malicious	Bdaejec, GCleaner, Nymaim	Browse	171.22.30.106
	9608e7d593a0671671e3b7e23d1b1fcfe49a5f84da9d2e0c5560d63b091acd83.exe	Get hash	malicious	Bdaejec, GCleaner, Nymaim	Browse	171.22.30.106
	508d7b73983eafe87b28017174258977f48fc25b9ad2e00595a9d43de40aafd7.exe	Get hash	malicious	Bdaejec, GCleaner, Nymaim	Browse	171.22.30.106

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\efthfxj.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\efthfxj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.358731107079437
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qpE4KlKDE4KhKiKhk
MD5:	93E4C46884CB6EE7CDCC4AACE78CDFAC
SHA1:	29B12D9409BA9AFE4C949F02F7D232233C0B5228
SHA-256:	2690023A62F22AB7B27B09351205BA31173B50B77ACA89A5759EDF29A1FB17F7
SHA-512:	E9C3E2FCEE4E13F7776665295A4F6085002913E011BEEF32C8E7065140937DDE1963182B547CC75110BF32AE5130A6686D5862076D5FFED9241F183B9217FA4D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\efthfxj.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1032
Entropy (8bit):	3.8334430427131263
Encrypted:	false
SSDEEP:	12:FLJ+DW2SFFkFmMMLGId1L6AEJl7XpShhJKShe/Q0QK1++SHXOdxv3n:FLJ+S3Mmd1L6ztMhEMOQ0Q+Txvn
MD5:	4F3C76DFEC5D54EF5E1441ABEE1254F8
SHA1:	5037A1ECCE0F04A17ADE209F6084D49DA27EB5FB
SHA-256:	703AB61DD98A2F61A384E25F4BB5E5CCC03F6816FB983FC68A71E66896F5DE70
SHA-512:	F29B42CB0A5CCF2107AED4ECD4C9DE25C99003BAFC1006806F19C9653B287891F632ADBFADBCB9E3F3F18464B9FEC404BCD566BE90861B0A5717337F60BF0FFC
Malicious:	true
Preview:	. <Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id='Author'>. <LogonType>InteractiveToken</LogonType>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. </Settings>. <Actions>. <Exec>. <Command>C:\Users\user\AppData\Roaming\efthfxj.exe</Command>. </Exec>. </

C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe

Download File

Process:	C:\Users\user\AppData\Roaming\efthfxj.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	257024
Entropy (8bit):	7.713951947790994
Encrypted:	false
SSDEEP:	6144:lVlX/ZBmQzSmsjICshnbjEZHzsZ9fYoI:lTX/ZBmQzzsXWgzsZ9fYV
MD5:	DCB591D1FC03274934709E24B502D719
SHA1:	9D4172D007347A9AA54B48CB5A214A792AD03708
SHA-256:	C7E67928407DC0D2FE2A61E10E2F97104986770B6BA6E59F8FAA7B6FCC595028
SHA-512:	1D6748BDD0BBFBE4D1F15DDE0AF015FB08814FFC3360B215D4F56844B15AE1D4B29ADE922678439C3A07F1FA41DA287A1054B0EB5853A761AE2FABB4B08B2800
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 51%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................@...@... ....@.. ....................................`..................................a..K.... .......................`.......................................................@...............@..H...........?T.B.Qo...... ......................@....text...d....@...................... ..`.rsrc........ ......................@..@.............@...................... ..`.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\efthfxj.exe

Download File

Process:	C:\Users\user\AppData\Roaming\efthfxj.sfx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	257024
Entropy (8bit):	7.713951947790994
Encrypted:	false
SSDEEP:	6144:lVlX/ZBmQzSmsjICshnbjEZHzsZ9fYoI:lTX/ZBmQzzsXWgzsZ9fYV
MD5:	DCB591D1FC03274934709E24B502D719
SHA1:	9D4172D007347A9AA54B48CB5A214A792AD03708
SHA-256:	C7E67928407DC0D2FE2A61E10E2F97104986770B6BA6E59F8FAA7B6FCC595028
SHA-512:	1D6748BDD0BBFBE4D1F15DDE0AF015FB08814FFC3360B215D4F56844B15AE1D4B29ADE922678439C3A07F1FA41DA287A1054B0EB5853A761AE2FABB4B08B2800
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 51%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................@...@... ....@.. ....................................`..................................a..K.... .......................`.......................................................@...............@..H...........?T.B.Qo...... ......................@....text...d....@...................... ..`.rsrc........ ......................@..@.............@...................... ..`.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\efthfxj.sfx.exe

Download File

Process:	C:\Users\user\Desktop\vkXe5gkY34.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	485886
Entropy (8bit):	7.478996506813336
Encrypted:	false
SSDEEP:	12288:WcrNS33L10QdrX2oVnaeIZuIlS+fc7Re7RR:FNA3R5drXxV/IUuG7077
MD5:	642A150BE5BBED12C85DFF794B955C01
SHA1:	115DE36F192E2BB10EC7C2C8BBA9BF3DD639B461
SHA-256:	DED2B1A499BA8AC097361B01B1E56BDAA67769C0B7130489AF489BEF58CB5DFC
SHA-512:	D4A8249BC53BD070BFB8C0CDD703980AC4B12E0A0354A31333D7BF0AF089EDC1317C3005E99CDD3247B883CE72D10158E928D54664941010EE884FB4A5B1CE42
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 15%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~............b......b..<....b.....)^......................................... ...... ......%...... ......Rich............PE..L......\............................Y.............@..........................@............@.............................4......<........N................... .......n..T...........................(...@...............\...L... ....................text...T........................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.rsrc....N.......P..................@..@.reloc....... ... ..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\eystsdf.cmd

Download File

Process:	C:\Users\user\Desktop\vkXe5gkY34.exe
File Type:	DOS batch file, ASCII text, with very long lines (18697), with CRLF line terminators
Category:	dropped
Size (bytes):	18807
Entropy (8bit):	4.867858170902055
Encrypted:	false
SSDEEP:	384:b55S5l5LNraGP34HAXtn8tzv3kFjCSQGi:bKnP4HAdKzvGuEi
MD5:	FA0FDC18CCCB4A2FB162362848D10D73
SHA1:	9CCAB8577C310E19E1299FB7FCAD538C72A36420
SHA-256:	C3F004C34695080E75DF6DCCC39DAE9E269EBA7164AA0F95B9964078973F3736
SHA-512:	FCCE03713D22D8831CB8F792C9E367AEB4D3714FFB89F148F2B64AE32BB066F7AB0B5EA58778309A86584AF8169A75BB7325BA6505567881BD330CDEAD222FD3
Malicious:	false
Preview:	@echo off..hvcffaoshebasajwvdJVSgvCAGvdqueqfggwdvkavgififvyggiysyrfgbskffkevahegkyegrayveryfDVgygeqgbdsfysayXFDRTXJFSSTDJFKAFEWVFAVGDyskbgsyureigyreavshfvsafvvafvasygurigyaufyufgaygyueigaiygefyafetyfgayfdiaefaaugaryguaeiratakejgr67t44qgqvgmqvafbhjzddfhvababevwefsbfqyfekybfyugyetatfefevfhvemfHVfgdffertwgbfkiokkghsfaqwsaxxsferyrjgjggjhrjlnkuhhkhhhdgsgfgzsydgvfzhvfgesifaskfbbsamzhdvhHGfdawteufkksgkfskydsdygvgcjfdFDTRdrDCKVfTDufKCcftgfTFYFYTFTDXCDRYedrcyfvkvjfcfxydrcuvjvgjgdfstwarwzswzyxtfiytfrdeswzezesxfghjjkkpkoinbhvgceswwsexchghuijokpkiuhgytfdresdfygbniomplkonjbhvgtfdrdtfyhfgfdgfhgjvhgcdfdfygreaefyafetyfgayfXfdxDXJXFDRTXJFSSTDJFKAFETCGFXJrhddcjtzsdgkaufefyafduayfdtfaoshebasgkjdbkjdbKJBdgavskgheafgvegfvKSDHGvNiofhonagorhajebkakygrywberwveyfayfuvFUfvGjbgvbfhcdgxchCdccCHvmdvrvgjvjgvGAEFIVAYGEYWAIRIYBEHABHGDEVGAVEefuyfuaAVvskgheafgvegfvKSDHGvNiofhonagorhajebkakygrywberwveyfayfuvFUfvGjbgvbfhcdgxchCdccCHvmdvrvgjvjgvGAEFIVAYGEYWAIRIYBEHABHGDEVGAVEefuyfuaAVJDKUAYGDyuagfeugfghvhvjvgkghhogtsiojoi

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.650345996336696
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	vkXe5gkY34.exe
File size:	629'724 bytes
MD5:	88696cf17417a2339b63f9452404c839
SHA1:	2123ca0e3764ba65e421d3b5dd7453da955d36f2
SHA256:	a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895
SHA512:	a4236f6d52b985420dc733998842815fd24f12236bdbf3b885ed9a15c0d4815dec439cf919925b4b903ac158aba1ba2a8bf9eff20af7134d2e4edbce226f7931
SSDEEP:	12288:WcrNS33L10QdrX2ZVncWqvo2GAhcWMuql8lPtahdkkB183kD:FNA3R5drXwVcWWyLZ8db3kD
TLSH:	47D40102B7D644B2E6721D364939B71169BCB9701F35DA2FB3C84D7ECA34180A625BB3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~..............b.......b..<....b......)^...................................................... ....... .......%....... ......

File Icon


Icon Hash:	1b31714d6c600107

Static PE Info

General

Entrypoint:	0x41d759
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5CC4B58F [Sat Apr 27 20:03:27 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	00be6e6c4f9e287672c8301b72bdabf3

Entrypoint Preview

Instruction
call 00007FE8410661DFh
jmp 00007FE841065C13h
cmp ecx, dword ptr [0043A1C8h]
jne 00007FE841065D85h
ret
jmp 00007FE841066355h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00430FE8h
mov dword ptr [ecx], 00431994h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE84105932Bh
mov dword ptr [esi], 004319A0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004319A8h
mov dword ptr [ecx], 004319A0h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FE841065D2Ch
push 00437B74h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FE841068616h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FE841065D42h
push 00437DA4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FE8410685F9h
int3
jmp 00007FE84106A645h
jmp dword ptr [0043025Ch]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 004209A0h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x38cc0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x38cf4	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5d000	0x4eac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x62000	0x1fcc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x36ee0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x31928	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x30000	0x25c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3824c	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2e854	0x2ea00	ccad881ef663bb12d11d212ad8d163cf	False	0.5908910020107239	data	6.692309727721094	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x30000	0x9a9c	0x9c00	ebf57dd1488cef86d0b062881c11f0b5	False	0.45713141025641024	DOS executable (COM, 0x8C-variant)	5.132864674560433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a000	0x213d0	0xc00	5ad01ef583f971c2dd5921663e32ad91	False	0.2802734375	data	3.2538110320804736	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x5c000	0xe8	0x200	c065e0fa9d7cb760ad786f44f86f68e4	False	0.33984375	data	2.1115417744603624	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5d000	0x4eac	0x5000	9284a5fa8e3ef6a369520a2292cb904d	False	0.602099609375	data	6.310407478429721	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x62000	0x1fcc	0x2000	403c5d759dbe4b1bf3c74568f06c1359	False	0.7945556640625	data	6.645541352233445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x5d524	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x5e06c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x5f618	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.4559248554913295
RT_DIALOG	0x5fb80	0x286	data	English	United States	0.5030959752321982
RT_DIALOG	0x5fe08	0x13a	data	English	United States	0.6050955414012739
RT_DIALOG	0x5ff44	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x60030	0x12e	data	English	United States	0.5860927152317881
RT_DIALOG	0x60160	0x338	data	English	United States	0.44538834951456313
RT_DIALOG	0x60498	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x606ec	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x608d0	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x60a9c	0x1ee	data	English	United States	0.451417004048583
RT_STRING	0x60c8c	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x60dd4	0x446	data	English	United States	0.340036563071298
RT_STRING	0x6121c	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x61384	0x120	data	English	United States	0.5451388888888888
RT_STRING	0x614a4	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x615b0	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x6166c	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x61744	0x14	data			1.1
RT_MANIFEST	0x61758	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-27T10:22:21.901268+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49704	20.114.59.183	192.168.2.5
2024-07-27T10:23:00.133191+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49709	20.114.59.183	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 10:23:08.860959053 CEST	49710	1243	192.168.2.5	45.66.231.63
Jul 27, 2024 10:23:08.866863012 CEST	1243	49710	45.66.231.63	192.168.2.5
Jul 27, 2024 10:23:08.866956949 CEST	49710	1243	192.168.2.5	45.66.231.63
Jul 27, 2024 10:23:30.235399008 CEST	1243	49710	45.66.231.63	192.168.2.5
Jul 27, 2024 10:23:30.235750914 CEST	49710	1243	192.168.2.5	45.66.231.63
Jul 27, 2024 10:23:40.245168924 CEST	49711	1243	192.168.2.5	45.66.231.63
Jul 27, 2024 10:23:40.250247002 CEST	1243	49711	45.66.231.63	192.168.2.5
Jul 27, 2024 10:23:40.250366926 CEST	49711	1243	192.168.2.5	45.66.231.63
Jul 27, 2024 10:24:01.643063068 CEST	1243	49711	45.66.231.63	192.168.2.5
Jul 27, 2024 10:24:01.643426895 CEST	49711	1243	192.168.2.5	45.66.231.63
Jul 27, 2024 10:24:02.632186890 CEST	49712	1243	192.168.2.5	45.66.231.63
Jul 27, 2024 10:24:02.637434959 CEST	1243	49712	45.66.231.63	192.168.2.5
Jul 27, 2024 10:24:02.637537003 CEST	49712	1243	192.168.2.5	45.66.231.63

Target ID:	0
Start time:	04:22:01
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\vkXe5gkY34.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\vkXe5gkY34.exe"
Imagebase:	0xc90000
File size:	629'724 bytes
MD5 hash:	88696CF17417A2339B63F9452404C839
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:22:01
Start date:	27/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\eystsdf.cmd" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:22:02
Start date:	27/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:22:02
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\efthfxj.sfx.exe
Wow64 process (32bit):	true
Commandline:	efthfxj.sfx.exe -pgtrfdewscbsdyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeG -dC:\Users\user\AppData\Roaming
Imagebase:	0x630000
File size:	485'886 bytes
MD5 hash:	642A150BE5BBED12C85DFF794B955C01
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 15%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:22:03
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\efthfxj.exe"
Imagebase:	0x750000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000005.00000002.2076384338.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000005.00000002.2076384338.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000005.00000002.2076384338.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000005.00000002.2076384338.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000005.00000002.2076384338.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 51%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:22:04
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\efthfxj.exe
Imagebase:	0x100000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	04:22:04
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\efthfxj.exe
Imagebase:	0x460000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:22:04
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\efthfxj.exe
Imagebase:	0x4f0000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	04:22:04
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\efthfxj.exe
Imagebase:	0x4d0000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 0000000A.00000002.2060330225.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:22:04
Start date:	27/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 80
Imagebase:	0x4d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:22:04
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe"
Imagebase:	0x7ff6d64d0000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 0000000D.00000002.2089629416.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 0000000D.00000002.2089629416.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 0000000D.00000002.2089629416.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 0000000D.00000002.2089629416.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 0000000D.00000002.2089629416.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 51%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:22:05
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe
Imagebase:	0x8b0000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:22:05
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe
Imagebase:	0x820000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:22:05
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe
Imagebase:	0xb80000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	04:22:06
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe
Imagebase:	0xc80000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	04:23:05
Start date:	27/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp" /F
Imagebase:	0x250000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	04:23:05
Start date:	27/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	04:23:07
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\efthfxj.exe
Imagebase:	0x5d0000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000017.00000002.2699568740.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000017.00000002.2699568740.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	04:23:07
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\efthfxj.exe
Imagebase:	0xf50000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	04:23:07
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\efthfxj.exe
Imagebase:	0x8b0000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	04:23:07
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\efthfxj.exe
Imagebase:	0xbb0000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	04:23:07
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\efthfxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\efthfxj.exe
Imagebase:	0xfc0000
File size:	257'024 bytes
MD5 hash:	DCB591D1FC03274934709E24B502D719
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.8%
Total number of Nodes:	1452
Total number of Limit Nodes:	29

Executed Functions

Function 00CAC130 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 199
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C9F3A5: GetModuleHandleW.KERNEL32 ref: 00C9F3BD
Part of subcall function 00C9F3A5: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00C9F3D5
Part of subcall function 00C9F3A5: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00C9F3F8

Part of subcall function 00CA8B8D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00CA8B95

Part of subcall function 00CA9035: OleInitialize.OLE32(00000000), ref: 00CA904E
Part of subcall function 00CA9035: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CA9085
Part of subcall function 00CA9035: SHGetMalloc.SHELL32(00CD20E8), ref: 00CA908F

Part of subcall function 00CA0710: GetCPInfo.KERNEL32(00000000,?), ref: 00CA0721
Part of subcall function 00CA0710: IsDBCSLeadByte.KERNEL32(00000000), ref: 00CA0735

GetCommandLineW.KERNEL32 ref: 00CAC178
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00CAC19F
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00CAC1B0
UnmapViewOfFile.KERNEL32(00000000), ref: 00CAC1EA

Part of subcall function 00CABE09: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00CABE1F
Part of subcall function 00CABE09: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00CABE5B

CloseHandle.KERNEL32(00000000), ref: 00CAC1F3
GetModuleFileNameW.KERNEL32(00000000,00CE7938,00000800), ref: 00CAC20E
SetEnvironmentVariableW.KERNEL32(sfxname,00CE7938), ref: 00CAC220
GetLocalTime.KERNEL32(?), ref: 00CAC227
_swprintf.LIBCMT ref: 00CAC266
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00CAC278
GetModuleHandleW.KERNEL32(00000000), ref: 00CAC27B
LoadIconW.USER32(00000000,00000064), ref: 00CAC292
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00019B4E,00000000), ref: 00CAC2E3
Sleep.KERNEL32(?), ref: 00CAC311
DeleteObject.GDI32 ref: 00CAC350
DeleteObject.GDI32(?), ref: 00CAC35C

Part of subcall function 00CAA8D3: CharUpperW.USER32(?,?,?,?,00001000), ref: 00CAA92B
Part of subcall function 00CAA8D3: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 00CAA952

CloseHandle.KERNEL32 ref: 00CAC39B

Strings

winrarsfxmappingfile.tmp, xrefs: 00CAC193
sfxname, xrefs: 00CAC21B
STARTDLG, xrefs: 00CAC2D8
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00CAC257
sfxstime, xrefs: 00CAC273

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteObjectProcUpperView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 985665271-3710569615
Opcode ID: 371449cbcbb1ad94f527c4dff1613b702019a4af24cd1a6ce32c41e2a0ef093d
Instruction ID: bb5d16844bd8a872ada141d5e365f3b6efd47551610f09b9c3e38e117e09f1a3
Opcode Fuzzy Hash: 371449cbcbb1ad94f527c4dff1613b702019a4af24cd1a6ce32c41e2a0ef093d
Instruction Fuzzy Hash: 9F612D71905345AFD720ABA5EC8AF6F37ECEB4A708F04442AF905D21A2DB748D44D7A1

Function 00CA8BCF Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 92
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000066,PNG,?,?,00CA9AC7,00000066), ref: 00CA8BE0
SizeofResource.KERNEL32(00000000,75FD5780,?,?,00CA9AC7,00000066), ref: 00CA8BF8
LoadResource.KERNEL32(00000000,?,?,00CA9AC7,00000066), ref: 00CA8C0B
LockResource.KERNEL32(00000000,?,?,00CA9AC7,00000066), ref: 00CA8C16
GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,00CA9AC7,00000066), ref: 00CA8C34
GlobalLock.KERNEL32(00000000,?,?,?,00CA9AC7,00000066), ref: 00CA8C41
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00CA8C9C
GlobalUnlock.KERNEL32(00000000), ref: 00CA8CB1
GlobalFree.KERNEL32(00000000), ref: 00CA8CB8

Strings

PNG, xrefs: 00CA8BD1

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: ae1daf429423a3e1aeb2fc8fb7d3bc24375a117e84e8000463c816f4359e10a5
Instruction ID: 006909c1acbdeab821246e5950588282c75692c8e5ecc4fdd1bf2c579e81c06f
Opcode Fuzzy Hash: ae1daf429423a3e1aeb2fc8fb7d3bc24375a117e84e8000463c816f4359e10a5
Instruction Fuzzy Hash: 27218F71602306AFC7219F61DC48F2FBBA8EF467A9B14452CF856C2260EF31DC04CAA0

Function 00C9A2C3 Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00C9A1BE,000000FF,?,?), ref: 00C9A2F8
FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00C9A1BE,000000FF,?,?), ref: 00C9A32E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00C9A1BE,000000FF,?,?), ref: 00C9A336
FindNextFileW.KERNEL32(?,?,?,?,?,?,00C9A1BE,000000FF,?,?), ref: 00C9A35E
GetLastError.KERNEL32(?,?,?,?,00C9A1BE,000000FF,?,?), ref: 00C9A36A

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 8afd715558be9295f21bbbfa58c890bd5cd52ac9d1fcbd44f9dd6753c807fcfa
Instruction ID: bce174e6a5ee10ae2b220a08d671c64382c1cc89a402d1a24b4a73805aa00927
Opcode Fuzzy Hash: 8afd715558be9295f21bbbfa58c890bd5cd52ac9d1fcbd44f9dd6753c807fcfa
Instruction Fuzzy Hash: 98417E72604245AFC724EF68C884AEEF7E8BB49340F044A2AF5E9D3250D734E9548B92

Function 00CB49FA Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00CB49D0,?,00CC7F60,0000000C,00CB4B27,?,00000002,00000000), ref: 00CB4A1B
TerminateProcess.KERNEL32(00000000,?,00CB49D0,?,00CC7F60,0000000C,00CB4B27,?,00000002,00000000), ref: 00CB4A22
ExitProcess.KERNEL32 ref: 00CB4A34

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 92726fd54c8d8aae254a99aee01dad85f742c98f8215b117fc093518b421a419
Instruction ID: fbab60bab7b812b61a76e8ce59329f244bafd97827a96ec6c42bcf43e83fb468
Opcode Fuzzy Hash: 92726fd54c8d8aae254a99aee01dad85f742c98f8215b117fc093518b421a419
Instruction Fuzzy Hash: 67E09931454608ABCF16AB64D909B9C7B69EB55382F120518F8099A132CB36EE82EB84

Function 00C983EB Relevance: 3.9, APIs: 2, Instructions: 931COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C983F0
_memcmp.LIBVCRUNTIME ref: 00C98858

Part of subcall function 00C980DA: CharUpperW.USER32(?,?,00000000,?,?,?,?,?,?,?,00000800,?,00C986CF,?,-00000930,?), ref: 00C9819D

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CharH_prologUpper_memcmp
String ID:
API String ID: 4047935103-0
Opcode ID: 61cae352dbeaffac9d9b213f4a8888b442099854adbbc23e99fda392cd5a9602
Instruction ID: 27dd7e41ecdccfd7447af19631c39ee381f656ccd240b2f9c13dcf5148d79792
Opcode Fuzzy Hash: 61cae352dbeaffac9d9b213f4a8888b442099854adbbc23e99fda392cd5a9602
Instruction Fuzzy Hash: 70721971904185AEDF25DF64C899BF977A8AF06300F0840FAE9699B182DF319F8DD760

Function 00CA5983 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4b2d65133c5eac351394c952b72d2a0f5f6fdf5d6fdd6ef9761f2ba67c5de409
Instruction ID: 6194d51ccbc59554867204acf940910b7b6fcda0f03137b6f5c764e19f43676c
Opcode Fuzzy Hash: 4b2d65133c5eac351394c952b72d2a0f5f6fdf5d6fdd6ef9761f2ba67c5de409
Instruction Fuzzy Hash: ECD127B1A047468FCB14CF28D88479BBBE0BF9630CF08856DE8559B642D334EE55CB96

Function 00CA9B4E Relevance: 95.2, APIs: 46, Strings: 8, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CA9B53

Part of subcall function 00C912E7: GetDlgItem.USER32(00000000,00003021), ref: 00C9132B
Part of subcall function 00C912E7: SetWindowTextW.USER32(00000000,00CC02E4), ref: 00C91341

Strings

LICENSEDLG, xrefs: 00CAA3D3
winrarsfxmappingfile.tmp, xrefs: 00CA9F22
-el -s2 "-d%s" "-sp%s", xrefs: 00CA9EE7
<, xrefs: 00CA9F00
"%s"%s, xrefs: 00CAA089
__tmp_rar_sfx_access_check_%u, xrefs: 00CA9E2D
STARTDLG, xrefs: 00CA9B72
@, xrefs: 00CA9F0D

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-2803697902
Opcode ID: b3a9a835425c6d565f600f27132e6c01891441f5646cfcd35aca5af3bfea93d4
Instruction ID: 8671fec15c75767dbc459e23fadb4d115c4eaac78ab6a560b0954b248c0248d1
Opcode Fuzzy Hash: b3a9a835425c6d565f600f27132e6c01891441f5646cfcd35aca5af3bfea93d4
Instruction Fuzzy Hash: 5C42167194134ABFEB21AB60DD8AFAE3BBCEB16718F044055F611A60D2C7744E44EB62

Function 00C9F3A5 Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 314
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00C9F3BD
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00C9F3D5
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00C9F3F8
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00C9F6A3
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C9F6BB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C9F6CD
ReadFile.KERNEL32(00000000,?,00007FFE,00CC0858,00000000), ref: 00C9F6EC
CloseHandle.KERNEL32(00000000), ref: 00C9F744
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00C9F75A
CompareStringW.KERNEL32(00000400,00001001,00CC08A4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00C9F7B4
GetFileAttributesW.KERNELBASE(?,?,00CC0870,00000800,?,00000000,?,00000800), ref: 00C9F7DD
GetFileAttributesW.KERNEL32(?,?,00CC0930,00000800), ref: 00C9F816

Part of subcall function 00C9F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00C9F376
Part of subcall function 00C9F35B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00C9DF18,Crypt32.dll,?,00C9DF9C,?,00C9DF7E,?,?,?,?), ref: 00C9F398

_swprintf.LIBCMT ref: 00C9F886
_swprintf.LIBCMT ref: 00C9F8D2

Part of subcall function 00C93F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C93F3E

AllocConsole.KERNEL32 ref: 00C9F8DA
GetCurrentProcessId.KERNEL32 ref: 00C9F8E4
AttachConsole.KERNEL32(00000000), ref: 00C9F8EB
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00C9F911
WriteConsoleW.KERNEL32(00000000), ref: 00C9F918
Sleep.KERNEL32(00002710), ref: 00C9F923
FreeConsole.KERNEL32 ref: 00C9F929
ExitProcess.KERNEL32 ref: 00C9F931

Strings

Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00C9F8C0
dwmapi.dll, xrefs: 00C9F460, 00C9F849
SetDllDirectoryW, xrefs: 00C9F3CF
DXGIDebug.dll, xrefs: 00C9F435, 00C9F7A0
kernel32, xrefs: 00C9F3B3
SetDefaultDllDirectories, xrefs: 00C9F3F2
uxtheme.dll, xrefs: 00C9F853

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: 0364b1da6a6b23e93f76d1e0851ba5270f9657e743b8f4bcec760a4eda965398
Instruction ID: 8ef8f55ae8ce12e8972019c65170066a26ddb748db204a3982397c8edc0c056b
Opcode Fuzzy Hash: 0364b1da6a6b23e93f76d1e0851ba5270f9657e743b8f4bcec760a4eda965398
Instruction Fuzzy Hash: 85D16FF1048384EBDB70DF90D849F9FBBE8BB84704F60492DF59996181C7B09649CB66

Function 00CAAA44 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 438
windowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00CAAA49

Part of subcall function 00CA96EB: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00CA97B3

SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,00CAA35C,?,00000000), ref: 00CAAB7E
GetFileAttributesW.KERNEL32(?), ref: 00CAAC38
DeleteFileW.KERNEL32(?), ref: 00CAAC46
SetWindowTextW.USER32(?,?), ref: 00CAAD8F
_wcsrchr.LIBVCRUNTIME ref: 00CAAF19
GetDlgItem.USER32(?,00000066), ref: 00CAAF54
SetWindowTextW.USER32(00000000,?), ref: 00CAAF64
SendMessageW.USER32(00000000,00000143,00000000,00CD412A), ref: 00CAAF78
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CAAFA1

Strings

%s.%d.tmp, xrefs: 00CAAC5E
ProgramFilesDir, xrefs: 00CAAE63
Software\Microsoft\Windows\CurrentVersion, xrefs: 00CAAE38
<br>, xrefs: 00CAACF2

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3676479488-312220925
Opcode ID: 7fc31b9a797bb84284709cb8a826ef0d50b28841d70e095ea3f56b5bd95e67ff
Instruction ID: e232c2b699ddd4b5c081bc9cf90cea6438018d2c3084c352bd5b99815bbb7d43
Opcode Fuzzy Hash: 7fc31b9a797bb84284709cb8a826ef0d50b28841d70e095ea3f56b5bd95e67ff
Instruction Fuzzy Hash: F5E1517290011AAAEF24ABA0ED85EEE737CEF06354F1044A6F519E3051EF709F84DB61

Function 00C9CF27 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C9C8DE: _wcschr.LIBVCRUNTIME ref: 00C9C90D

GetWindowRect.USER32(?,?), ref: 00C9CF5E
GetClientRect.USER32(?,?), ref: 00C9CF6A
GetWindowLongW.USER32(?,000000F0), ref: 00C9D00B
GetWindowRect.USER32(?,?), ref: 00C9D038
GetWindowTextW.USER32(?,?,00000400), ref: 00C9D057
SetWindowTextW.USER32(?,?), ref: 00C9D07E
GetSystemMetrics.USER32(00000008), ref: 00C9D086
GetWindow.USER32(?,00000005), ref: 00C9D091
GetWindowTextW.USER32(00000000,?,00000400), ref: 00C9D0BC
SetWindowTextW.USER32(00000000,00000000), ref: 00C9D0E9
GetWindowRect.USER32(00000000,?), ref: 00C9D0FC
GetWindow.USER32(00000000,00000002), ref: 00C9D16E

Strings

d, xrefs: 00C9CF8A

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Window$RectText$ClientLongMetricsSystem_wcschr
String ID: d
API String ID: 4134264131-2564639436
Opcode ID: e011bd38340848f0e074dec28775c43830d9ac25f9ab0899e5d48a4bcbe4e6e6
Instruction ID: 7513574e4d73e594bda7302a3533ab085595d0b5032514866eae4e4278580a49
Opcode Fuzzy Hash: e011bd38340848f0e074dec28775c43830d9ac25f9ab0899e5d48a4bcbe4e6e6
Instruction Fuzzy Hash: 08615AB2208305AFD710DF69CD88F6FBBEAEB89714F04591DF68592290CA74E9058B52

Function 00CAB70D Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 96
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(00000068,00CE8958), ref: 00CAB71C
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00CA9324), ref: 00CAB747
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CAB756
SendMessageW.USER32(00000000,000000C2,00000000,00CC02E4), ref: 00CAB760
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CAB776
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00CAB78C
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CAB7CC
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00CAB7D6
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CAB7E5
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CAB808
SendMessageW.USER32(00000000,000000C2,00000000,00CC1368), ref: 00CAB813

Strings

\, xrefs: 00CAB77C

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: MessageSend$ItemShowWindow
String ID: \
API String ID: 1207805008-2967466578
Opcode ID: 01447fb0394af2ed0c3d3044fc081bf1f63fc4e3bcbda528c081895255f46388
Instruction ID: 7599e365478a25c1706f3e028d843b1c4723472663780b21727e192f946b5fc5
Opcode Fuzzy Hash: 01447fb0394af2ed0c3d3044fc081bf1f63fc4e3bcbda528c081895255f46388
Instruction Fuzzy Hash: BF2146712857457BE311EB24DC45FAF7BDCEF82718F000619FAA0961D1C7A55E088AB7

Function 00CAB9A9 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(000001C0), ref: 00CABAD7
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 00CABB1C
GetExitCodeProcess.KERNEL32(?,?), ref: 00CABB54
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CABB7A
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 00CABC09

Part of subcall function 00CA0B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00C9AC99,?,?,?,00C9AC48,?,-00000002,?,00000000,?), ref: 00CA0B16

Strings

, xrefs: 00CABA29
.exe, xrefs: 00CABB84
.inf, xrefs: 00CABA93

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: dc1639d66ae36ec09b52c39fc9d06db758b3a1de7a55c0e0ad31b2374d7e30f1
Instruction ID: 06a923e80f22abe04013db6bff7e2458f759db6d8d85334ddc822eb7d6d306bb
Opcode Fuzzy Hash: dc1639d66ae36ec09b52c39fc9d06db758b3a1de7a55c0e0ad31b2374d7e30f1
Instruction Fuzzy Hash: 0551D1704093829BD7319F20E990BBFB7E8EF86708F04081DE4D597156E7B19E48D762

Function 00C9CB1C Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00C9CB21
_wcschr.LIBVCRUNTIME ref: 00C9CB3F
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00C9CB03,?), ref: 00C9CB5A

Part of subcall function 00CA06D7: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00C9B2AB,00000000,?,?,?,?), ref: 00CA06F3

Strings

a, xrefs: 00C9CC7B
*messages***, xrefs: 00C9CC5F
*messages***, xrefs: 00C9CC26
R, xrefs: 00C9CC71

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide_wcschr
String ID: *messages***$*messages***$R$a
API String ID: 803915177-2900423073
Opcode ID: de879d9b7f41e9becc6554badc8ce70077b28fe4e460c891242591478dd84b6b
Instruction ID: e760777b589de2955ef7a4e7a73e5ee2e33bda5fb67f47cfcac4205fb9eba0ef
Opcode Fuzzy Hash: de879d9b7f41e9becc6554badc8ce70077b28fe4e460c891242591478dd84b6b
Instruction Fuzzy Hash: E89115B2A002059BDF30DF68CC9DBEE7BA4EF55300F104469E669E7291DB709A85CB94

Function 00CB739F Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CB2FB2,00CB2FB2,?,?,?,00CB75F0,00000001,00000001,F5E85006), ref: 00CB73F9
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CB75F0,00000001,00000001,F5E85006,?,?,?), ref: 00CB747F
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CB7579
__freea.LIBCMT ref: 00CB7586

Part of subcall function 00CB59EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CB239A,?,0000015D,?,?,?,?,00CB2F19,000000FF,00000000,?,?), ref: 00CB5A1E

__freea.LIBCMT ref: 00CB758F
__freea.LIBCMT ref: 00CB75B4

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7f1f11d6805b9b49b02d8926f470822be63d01bc11f43aa06837ccab1f98f6f7
Instruction ID: 408d95f388c7b7a5eae19eb926ce267a695e993d3be885c4ee41fb0e64a7073a
Opcode Fuzzy Hash: 7f1f11d6805b9b49b02d8926f470822be63d01bc11f43aa06837ccab1f98f6f7
Instruction Fuzzy Hash: 1C51CF72A04216AFDB258F64CC81EFF7BAAEB84750F254768FC14D7180EB34DD449AA0

Function 00CA8FC7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00CA8FDE
SHAutoComplete.SHLWAPI(?,00000010), ref: 00CA9015

Part of subcall function 00CA0B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00C9AC99,?,?,?,00C9AC48,?,-00000002,?,00000000,?), ref: 00CA0B16

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00CA9005

Strings

EDIT, xrefs: 00CA8FE9, 00CA8FF4, 00CA9001
@Ut, xrefs: 00CA9015

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: 207dca9558d0293e0940ed944e612aec055ede7764c26283270a6a9e9fb46b51
Instruction ID: b35341b518c3cefac184ca8ffcdf0cfb0450ed018fd0c35c141f621d611b5a23
Opcode Fuzzy Hash: 207dca9558d0293e0940ed944e612aec055ede7764c26283270a6a9e9fb46b51
Instruction Fuzzy Hash: 94F08932A0171D77E7305665AD09FDF766CDB4BB55F040055FD00E2180D7609901DAF6

Function 00CA9035 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C9F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00C9F376
Part of subcall function 00C9F35B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00C9DF18,Crypt32.dll,?,00C9DF9C,?,00C9DF7E,?,?,?,?), ref: 00C9F398

OleInitialize.OLE32(00000000), ref: 00CA904E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CA9085
SHGetMalloc.SHELL32(00CD20E8), ref: 00CA908F

Strings

3So, xrefs: 00CA9066
riched20.dll, xrefs: 00CA903D

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3So
API String ID: 3498096277-3464455743
Opcode ID: f2faabdd4aadbdc155dd7b5ef36cc379e134a6b3d0b3110299d34ab5ccccd511
Instruction ID: 15a94dcf97daf4b71917202ec6016d5bada793efd1deb8fd3a253093e3ffcf4f
Opcode Fuzzy Hash: f2faabdd4aadbdc155dd7b5ef36cc379e134a6b3d0b3110299d34ab5ccccd511
Instruction Fuzzy Hash: 91F04FB1C0010DABCB10AF9AD849AEEFFFCEF84704F00416AE814E2211C7B45645CFA1

Function 00C9FA23 Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C9FDB7: ResetEvent.KERNEL32(?,0072D298,00C9FA45,00CD1E74,0072D298,?,-00000001,00CBF605,000000FF,?,00C9FC7B,?,?,00C9A5F0,?), ref: 00C9FDD7
Part of subcall function 00C9FDB7: ReleaseSemaphore.KERNEL32(?,?,00000000,?,-00000001,00CBF605,000000FF,?,00C9FC7B,?,?,00C9A5F0,?), ref: 00C9FDEB

ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 00C9FA57
FindCloseChangeNotification.KERNELBASE(0072D29C,0072D29C), ref: 00C9FA71
DeleteCriticalSection.KERNEL32(0072D438), ref: 00C9FA8A
FindCloseChangeNotification.KERNELBASE(?), ref: 00C9FA96
CloseHandle.KERNEL32(?), ref: 00C9FAA2

Part of subcall function 00C9FB19: WaitForSingleObject.KERNEL32(?,000000FF,00C9FCF9,?,?,00C9FD6E,?,?,?,?,?,00C9FD58), ref: 00C9FB1F
Part of subcall function 00C9FB19: GetLastError.KERNEL32(?,?,00C9FD6E,?,?,?,?,?,00C9FD58), ref: 00C9FB2B

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Close$ChangeFindNotificationReleaseSemaphore$CriticalDeleteErrorEventHandleLastObjectResetSectionSingleWait
String ID:
API String ID: 3803654862-0
Opcode ID: 1bddf7689d5fe08a29ba61e7c4d925873385a41e481065345f6c6b97b16285f0
Instruction ID: 3f37252b58064966f72fd640ad634cd041dd4eef24b92ad659222c6e32d8fd38
Opcode Fuzzy Hash: 1bddf7689d5fe08a29ba61e7c4d925873385a41e481065345f6c6b97b16285f0
Instruction Fuzzy Hash: BC018832100B44EBCB219F28DD88F8ABBAAFB45710F10456DF2AA92561CB712801DB60

Function 00CABE09 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00CABE1F
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00CABE5B

Strings

sfxpar, xrefs: 00CABE56
sfxcmd, xrefs: 00CABE1A

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 079ba407f0d69425bc611d675871856f3b17ee35fc5206a3415d76d896b75f61
Instruction ID: 9d7355fc14be04a89571240f46fb5ced55d6a65094d1dec6b95c2efb24681f1d
Opcode Fuzzy Hash: 079ba407f0d69425bc611d675871856f3b17ee35fc5206a3415d76d896b75f61
Instruction Fuzzy Hash: 27F0EC72801226AADB256BD2DC0DFFEB79CDF16B41B040016FD4896143D7618D40D7F1

Function 00C9978D Relevance: 6.1, APIs: 4, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000,?,00000000,?,?,00C9777A,?,00000005,?,00000011), ref: 00C9980D
GetLastError.KERNEL32(?,?,00C9777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00C9981A
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00C9777A,?,00000005,?), ref: 00C9984F
GetLastError.KERNEL32(?,?,00C9777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00C99857

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 6692484e052f9952e1b875d56eae077e8e300a3c116df18a1792fd2c4bd529b0
Instruction ID: cb683b42ffe5c8941fc27895dfdc067c4a8c4bc8a972de7ce0ea13f5c119c4c6
Opcode Fuzzy Hash: 6692484e052f9952e1b875d56eae077e8e300a3c116df18a1792fd2c4bd529b0
Instruction Fuzzy Hash: 6F3154708407456BDB209F68CC49BEABAA8FB49324F10472DF8A0872D1D7759A888B90

Function 00C99663 Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C99673
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00C9968B
GetLastError.KERNEL32 ref: 00C996BD
GetLastError.KERNEL32 ref: 00C996DC

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 0f201efce8b3ced63fbb3f4f2f31616e374ff8732630f51e3fac7999676ef63f
Instruction ID: 3fda79411b8df10c1c8f0510276a507d73a8dda90e1f83b91ce806cf537579eb
Opcode Fuzzy Hash: 0f201efce8b3ced63fbb3f4f2f31616e374ff8732630f51e3fac7999676ef63f
Instruction Fuzzy Hash: 6D118B30500214EFCFA0AFA9C848F6E77ACEB15321F10852EF92A85290DB368E50DF52

Function 00CB77C2 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00CB2203,00000000,00000000,?,00CB7769,00CB2203,00000000,00000000,00000000,?,00CB7966,00000006,FlsSetValue), ref: 00CB77F4
GetLastError.KERNEL32(?,00CB7769,00CB2203,00000000,00000000,00000000,?,00CB7966,00000006,FlsSetValue,00CC3768,00CC3770,00000000,00000364,?,00CB63E0), ref: 00CB7800
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CB7769,00CB2203,00000000,00000000,00000000,?,00CB7966,00000006,FlsSetValue,00CC3768,00CC3770,00000000), ref: 00CB780E

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 739211b8d4a5f22fa2c7ca2d1513420d5edba424f2ab017de6b931b85ea2607b
Instruction ID: 84e268c0ce31367bf80e17bd50204c1360baa0f5b4d8689d77e42e9b3f75b93d
Opcode Fuzzy Hash: 739211b8d4a5f22fa2c7ca2d1513420d5edba424f2ab017de6b931b85ea2607b
Instruction Fuzzy Hash: 0301F7326492229BC7214A69EC48FAF7798AF95BA1F210720FD1AF7180D721DD01C6E0

Function 00CA991D Relevance: 6.0, APIs: 4, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CA992E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CA993F
TranslateMessage.USER32(?), ref: 00CA9949
DispatchMessageW.USER32(?), ref: 00CA9953

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 889a2d1a2308e780de4edbc371a85a54039fa385971a6d766855dfac7af2b3d4
Instruction ID: 15ceda1bf9c5a7052ef1b4b51924de5168cf47ceb30d5c49f530f1ffe7fd3dce
Opcode Fuzzy Hash: 889a2d1a2308e780de4edbc371a85a54039fa385971a6d766855dfac7af2b3d4
Instruction Fuzzy Hash: 90E0ED72C0212EB78B20ABF6EC4CEDFBF6CEE0A2A97004015F519D2000D6789506CBF1

Function 00C9FBBD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_0000FD4F,?,00000000,00000000), ref: 00C9FBE1
SetThreadPriority.KERNEL32(?,00000000), ref: 00C9FC28

Part of subcall function 00C96D8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C96DAD

Strings

CreateThread failed, xrefs: 00C9FBED

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 67c2b5c5b782874bd1c391f5dc6ce71c8923634aab98b9c925abeca2a19b3005
Instruction ID: 396ede0894bee776c261be287dac2507c15e25cce223be56a5eba28bd061d533
Opcode Fuzzy Hash: 67c2b5c5b782874bd1c391f5dc6ce71c8923634aab98b9c925abeca2a19b3005
Instruction Fuzzy Hash: B701F976345309BFDB206F98DC9AF667359EB41751F20003EF995D61C0CAE16C428760

Function 00C99C18 Relevance: 4.6, APIs: 3, Instructions: 96fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,00C9C8A3,00000001,?,?,?,00000000,00CA420A,?,?,?,?,?,00CA3CAF), ref: 00C99C33
WriteFile.KERNEL32(?,00000000,?,00CA3EB7,00000000,?,?,00000000,00CA420A,?,?,?,?,?,00CA3CAF,?), ref: 00C99C73
WriteFile.KERNELBASE(?,00000000,?,00CA3EB7,00000000,?,00000001,?,?,00C9C8A3,00000001,?,?,?,00000000,00CA420A), ref: 00C99CA0

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 3c3efa0668e96cc4462cc5da8fae2c60e4534763c1e23b292a6dfd3a07b85ddf
Instruction ID: 39be3da11c40ed847ccbb16d5bd100c78c421dd31f131706d785d9cef1596258
Opcode Fuzzy Hash: 3c3efa0668e96cc4462cc5da8fae2c60e4534763c1e23b292a6dfd3a07b85ddf
Instruction Fuzzy Hash: 6B312572148609AFDF209F18DC4DFAAB7A8FB51301F10411DF5A5935C0C775EA89CBA1

Function 00C99ED6 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00C99DE2,?,00000001,00000000,?,?), ref: 00C99EFD
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00C99DE2,?,00000001,00000000,?,?), ref: 00C99F30
GetLastError.KERNEL32(?,?,?,?,00C99DE2,?,00000001,00000000,?,?), ref: 00C99F4D

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 7a66ed331c42dcf68c343b8573a9442f675738de0529472b535c629c76b374a7
Instruction ID: 8680322edbded15f0af2050565177f01f53e21cc355b5c8975ba01f4d3ff3c3f
Opcode Fuzzy Hash: 7a66ed331c42dcf68c343b8573a9442f675738de0529472b535c629c76b374a7
Instruction Fuzzy Hash: AE01BC31104258A6DF21ABAC8C4EFEEB34CEF0AB81F180489F815E6081D774DA80A7E5

Function 00C93A90 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C93A95

Strings

CMT, xrefs: 00C93AA4

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 51ab31198e46a9e2674d9b4d6c1612cb4c07f6420e630beecd77633617dd2ee6
Instruction ID: 5a36088283c3df671660385b4246be6969dd4f6b635cc16be64f4fc4716c592c
Opcode Fuzzy Hash: 51ab31198e46a9e2674d9b4d6c1612cb4c07f6420e630beecd77633617dd2ee6
Instruction Fuzzy Hash: 0861AA71100F84AADF21DF74CC99AEBB7E8AB14301F44496EE5AB87142DB326B48DF50

Function 00CB82B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00CB82D9

Strings

, xrefs: 00CB831E

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 3280bac2317e6425b92fb9eeaf129a45ebaaefd437667b7a0e70247a72726bc0
Instruction ID: b9fc4f2a6373985a0b373c69b4ce1b4eb4aeb1c5c6252f4c4f4173ea7bcf1e34
Opcode Fuzzy Hash: 3280bac2317e6425b92fb9eeaf129a45ebaaefd437667b7a0e70247a72726bc0
Instruction Fuzzy Hash: C541387050838C9BDF228E68CC84BFABBFDEB45708F1404ECE59A87142D6359A49DF60

Function 00C91DD2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C91DD7

Part of subcall function 00C93A90: __EH_prolog.LIBCMT ref: 00C93A95

Strings

CMT, xrefs: 00C91E0D

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: e4f1cacfd5fea63fef2ee3c8a89bd2cd79980e1e7bed261633cfd5207a8379b9
Instruction ID: 1d722d7a546920efc0a396529067b03f410803e4fc72fcba3b60fed0c98a5ef3
Opcode Fuzzy Hash: e4f1cacfd5fea63fef2ee3c8a89bd2cd79980e1e7bed261633cfd5207a8379b9
Instruction Fuzzy Hash: 58214B7190020A9FCF15EF98C94A9EEFBF6BF59300F14006DE855A3251C7326E11EB64

Function 00C9192C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C9192C

Strings

CMT, xrefs: 00C919A5

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: e42465eb3eaa5eff7d3c8305e42511feb188ab5e7bef33534ffc8b875b2da7a7
Instruction ID: e330dad2fbe31fa3509510c90649a3b1c691a6e3e2a92e3ea6d6937fca159b1e
Opcode Fuzzy Hash: e42465eb3eaa5eff7d3c8305e42511feb188ab5e7bef33534ffc8b875b2da7a7
Instruction Fuzzy Hash: 9D11D371A00206AFCF04DF65C49AABEF7AAFF55300F08401AEC5A97341DB349950EB90

Function 00CB79FA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,F5E85006,00000001,?,000000FF), ref: 00CB7A6B

Strings

LCMapStringEx, xrefs: 00CB7A0B, 00CB7A15

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 6c2146ab853ef8477cc46741a31a831fdea727a72fdf560a24f2a0def3d9d7ec
Instruction ID: fe1d76693b5a1cae1a0c7b59ecabffb87ca10e549e59f8d6d2bf3831f5e418d9
Opcode Fuzzy Hash: 6c2146ab853ef8477cc46741a31a831fdea727a72fdf560a24f2a0def3d9d7ec
Instruction Fuzzy Hash: 4601257654020DFBCF02AF90DD09EEE7FA2EF48750F148214FE1966160DA328A31EB80

Function 00CB7998 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00CB708B), ref: 00CB79E3

Strings

InitializeCriticalSectionEx, xrefs: 00CB79B3

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 910e8eefd6a8909b7ca8246ec57858c0c90c944500536e8a6a7b814b2eb1f52b
Instruction ID: c4c4e5bb1759539d011e870df303c9d16e70f6393a67230d43f63abdb3fd6e91
Opcode Fuzzy Hash: 910e8eefd6a8909b7ca8246ec57858c0c90c944500536e8a6a7b814b2eb1f52b
Instruction Fuzzy Hash: 88F0B475A45218FBCB01AF51DD05E9EBF61DB44720F144169FC1566160DE714E20E7D1

Function 00CB783D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00CB787C

Strings

FlsAlloc, xrefs: 00CB7858

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: c9fe68f86b2d6596fb0c3c16f6c8a6ffe74b750ceb7eabb01970180ee0f6527f
Instruction ID: 43d0a4f9a6760480d1b6e877ef9fee0052d9091d38d4878e9fd7cbe586065bd8
Opcode Fuzzy Hash: c9fe68f86b2d6596fb0c3c16f6c8a6ffe74b750ceb7eabb01970180ee0f6527f
Instruction Fuzzy Hash: 2CE0E570B45218BB8705BB61ED0AFAEBB94CB85B20F140169FD06B7281DE614F00D7D5

Function 00CB1D87 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00CB1D9C

Strings

FlsAlloc, xrefs: 00CB1D8B, 00CB1D95

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: cf30b194e32af2a7dc797603c9ec5a677bce8003bac48192645fd710d8ffceea
Instruction ID: db495aaab137651cf903abdc7ee2a026dc170db2caae288affc01e1db52257fe
Opcode Fuzzy Hash: cf30b194e32af2a7dc797603c9ec5a677bce8003bac48192645fd710d8ffceea
Instruction Fuzzy Hash: 96D05B35B823347BD51536D5DC02FDEBE84CB02FB1F4C0075FF096514795514590A5D1

Function 00CACD5B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CACD6D

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Strings

3So, xrefs: 00CACD5B, 00CACD67

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3So
API String ID: 1269201914-1105799393
Opcode ID: 6ac72d1124a1a9b76d90b49441152868c03fbabefcb213d5b68c7f0968ef4c17
Instruction ID: aec4f2c6767c3b7351ce8b781282d7a3031d14afb7e5c044673b30880113009a
Opcode Fuzzy Hash: 6ac72d1124a1a9b76d90b49441152868c03fbabefcb213d5b68c7f0968ef4c17
Instruction Fuzzy Hash: C3B012C2668006FD35149219EE4ED37010CC2C1F19330843FF402D0041B8400C477032

Function 00CB8609 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00CB81DC: GetOEMCP.KERNEL32(00000000,?,?,00CB8465,?), ref: 00CB8207

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00CB84AA,?,00000000), ref: 00CB867D
GetCPInfo.KERNEL32(00000000,00CB84AA,?,?,?,00CB84AA,?,00000000), ref: 00CB8690

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 0434a34c6ae903672399e6b4dde774f0f82cb79f4f6bee39f9b2340a9c393d60
Instruction ID: 748a7ded0037bba6a6f9799e74355d791bf385c42b35efab7581363acab3ae4c
Opcode Fuzzy Hash: 0434a34c6ae903672399e6b4dde774f0f82cb79f4f6bee39f9b2340a9c393d60
Instruction Fuzzy Hash: C85138709002459EDB24CF35C485AFBBBEDEF41308F28406EE1569B151DF35DA4ADB91

Function 00C913B4 Relevance: 3.1, APIs: 2, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C913B4

Part of subcall function 00C95F9E: __EH_prolog.LIBCMT ref: 00C95FA3

Part of subcall function 00C9C463: __EH_prolog.LIBCMT ref: 00C9C468
Part of subcall function 00C9C463: new.LIBCMT ref: 00C9C4AB
Part of subcall function 00C9C463: new.LIBCMT ref: 00C9C4CF

new.LIBCMT ref: 00C9142C

Part of subcall function 00C9ACB6: __EH_prolog.LIBCMT ref: 00C9ACBB

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: daedf4c2b3d749e20f005035a20d81a5f85e06b9560c026f6eb73d85db3067e8
Instruction ID: bb24b82ce60bafd295073a8edf1f6492fcc635681e57206da63d64d9d4d63f1a
Opcode Fuzzy Hash: daedf4c2b3d749e20f005035a20d81a5f85e06b9560c026f6eb73d85db3067e8
Instruction Fuzzy Hash: AB4125B0905B41DEDB20CF7A8489AE6FBE5FF29300F54492ED5EE87282CB326554CB11

Function 00C913AF Relevance: 3.1, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C913B4

Part of subcall function 00C95F9E: __EH_prolog.LIBCMT ref: 00C95FA3

Part of subcall function 00C9C463: __EH_prolog.LIBCMT ref: 00C9C468
Part of subcall function 00C9C463: new.LIBCMT ref: 00C9C4AB
Part of subcall function 00C9C463: new.LIBCMT ref: 00C9C4CF

new.LIBCMT ref: 00C9142C

Part of subcall function 00C9ACB6: __EH_prolog.LIBCMT ref: 00C9ACBB

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 674fc3e0963132aa36e6d66283312e5fdaac5d8cfd7b5cc298282815ba1091ff
Instruction ID: 9f573db0f74ce98b1e5678d11033e570993a39293f3d2544f623d656a148368f
Opcode Fuzzy Hash: 674fc3e0963132aa36e6d66283312e5fdaac5d8cfd7b5cc298282815ba1091ff
Instruction Fuzzy Hash: 404125B0805B40DED720CF7A8489AE6FBE5FF29300F54492ED5EE87282CB326554CB11

Function 00CB8448 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00CB630E: GetLastError.KERNEL32(?,00CCCBE8,00CB2664,00CCCBE8,?,?,00CB2203,?,?,00CCCBE8), ref: 00CB6312
Part of subcall function 00CB630E: _free.LIBCMT ref: 00CB6345
Part of subcall function 00CB630E: SetLastError.KERNEL32(00000000,?,00CCCBE8), ref: 00CB6386
Part of subcall function 00CB630E: _abort.LIBCMT ref: 00CB638C

Part of subcall function 00CB8567: _abort.LIBCMT ref: 00CB8599
Part of subcall function 00CB8567: _free.LIBCMT ref: 00CB85CD

Part of subcall function 00CB81DC: GetOEMCP.KERNEL32(00000000,?,?,00CB8465,?), ref: 00CB8207

_free.LIBCMT ref: 00CB84C0
_free.LIBCMT ref: 00CB84F6

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: b6b8cbed739c9a3fc2fe630a96ba66b15242c31d74e96260b119bba8fbe6ab0c
Instruction ID: 04294883097416ac23afa2f15604cb53822f3d3d248f93bba3719f970179f392
Opcode Fuzzy Hash: b6b8cbed739c9a3fc2fe630a96ba66b15242c31d74e96260b119bba8fbe6ab0c
Instruction Fuzzy Hash: 4C31B131904209AFDB10EBA9D445BEDB7F9EF40320F254099F9189B2A1EF369E49DF50

Function 00C99541 Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00C99BD7,?,?,00C97735), ref: 00C995C9
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00C99BD7,?,?,00C97735), ref: 00C995FE

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7ed3b110ecbee8f0d204043ccde17a36b47e5dd8f5cd6a4720bc220a37dbed3c
Instruction ID: 0fbfb0abe1cda7637dd499f1ef30a38cff6ab64aeeac54324f991fcb1fdffff7
Opcode Fuzzy Hash: 7ed3b110ecbee8f0d204043ccde17a36b47e5dd8f5cd6a4720bc220a37dbed3c
Instruction Fuzzy Hash: A921F6B1404748AFDB308F28CC89BAB77ECEB09764F014A2DF4E5821D1C374AD499A61

Function 00C99A62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00C97436,?,?,?), ref: 00C99A7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00C99B2C

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 2d9d08a43612be9bb4be866ceba0af3babacbbf108fbb369e4d8958335017dbe
Instruction ID: e9fa6da1c00aa21bf7a2bd29fcf282f1caca6e9590335f9ed60713a7c0fa331e
Opcode Fuzzy Hash: 2d9d08a43612be9bb4be866ceba0af3babacbbf108fbb369e4d8958335017dbe
Instruction Fuzzy Hash: 2E21E431158241ABCB11CE68C489ABABBD8EB92704F08091CF8E5C7141DB39DE08E751

Function 00CB7726 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00CB7786
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CB7793

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: ca6f3373120bccdcafef71def553620cf69ff43d932ff9313b5932f341d16206
Instruction ID: 4bddcd5cebdb2794c763cb5b3550ead08b59b5d57aab0f0d532424b2a004a40e
Opcode Fuzzy Hash: ca6f3373120bccdcafef71def553620cf69ff43d932ff9313b5932f341d16206
Instruction Fuzzy Hash: 9B11E337A041249F9B239E29EC94EDE73A5ABC4724F1A4320ED24FB254EF31DD4186D1

Function 00C99B3B Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00C99B71
GetLastError.KERNEL32 ref: 00C99B7D

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fd56fb4d7f51d9c5aeb1b3942b53cc3acb7921dc5463d3a2ee9e8cc2f6e86a83
Instruction ID: fecf64a037ddfce82408d8cced38875c26356618aaa1641e4adc582d89686309
Opcode Fuzzy Hash: fd56fb4d7f51d9c5aeb1b3942b53cc3acb7921dc5463d3a2ee9e8cc2f6e86a83
Instruction Fuzzy Hash: 85019E70701304ABEF349E6DEC88B6AB7D9EB84319F14463EF162C36C0CA39DD088621

Function 00C998E7 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 00C9993B
GetLastError.KERNEL32 ref: 00C99948

Part of subcall function 00C996FA: __EH_prolog.LIBCMT ref: 00C996FF

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ErrorFileH_prologLastPointer
String ID:
API String ID: 4236474358-0
Opcode ID: f34aa98412099b48f354f0f06ad971d7b60d3bc4ccfa5e54b9058080d6b2f460
Instruction ID: d88b51e809bdc521a817ee85244ab7628148eea0cb8b71661df3acc39d10ce0d
Opcode Fuzzy Hash: f34aa98412099b48f354f0f06ad971d7b60d3bc4ccfa5e54b9058080d6b2f460
Instruction Fuzzy Hash: 6D019E32201246DB8F188E1E984CAAF7769FF52330716822DED3E8B290D630ED019662

Function 00CB5ADA Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CB5AFB

Part of subcall function 00CB59EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CB239A,?,0000015D,?,?,?,?,00CB2F19,000000FF,00000000,?,?), ref: 00CB5A1E

HeapReAlloc.KERNEL32(00000000,?,00200000,?,?,00CCCBE8,00C917D2,?,?,?,?,00000000,?,00C913A9,?,?), ref: 00CB5B37

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: ea26334c45fd10d7b179de44deb3e99fe58eff84f23b6f6a2b9158d6ec3532e6
Instruction ID: fe3d2a2b00b19acb7beaf1062f371dafe922041d947f2c78e167863026b0bc1f
Opcode Fuzzy Hash: ea26334c45fd10d7b179de44deb3e99fe58eff84f23b6f6a2b9158d6ec3532e6
Instruction Fuzzy Hash: 2AF0F632761E15ABDB312B26AC01FEF372C8F81771F144119F824961A0EE30DE01A160

Function 00C9FC94 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00C9FCA1
GetProcessAffinityMask.KERNEL32(00000000), ref: 00C9FCA8

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: b6de561ef86c5d70b1070f32f72fea904f86c0a975fa9489a1eeb5cb90062842
Instruction ID: e7e3d9a904becbd624cedfe7256f8ff0482407f4dcbc59d25c5b6a34857e0df8
Opcode Fuzzy Hash: b6de561ef86c5d70b1070f32f72fea904f86c0a975fa9489a1eeb5cb90062842
Instruction Fuzzy Hash: 22E09232B4011EA78F2886A89C09AEF739DEB14201B20857EEC17D3204F934EE4387A4

Function 00C9A113 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00C99F49,?,?,?,00C99DE2,?,00000001,00000000,?,?), ref: 00C9A127
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00C99F49,?,?,?,00C99DE2,?,00000001,00000000,?,?), ref: 00C9A158

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e90d74155827650cb8e49d68e3c539754b06b4e6b7bb8689f151cd8b574f1123
Instruction ID: b0d9976d3105c4fe4d0042634e82fd7c08b3af74d7868d4cac0266ad87028ad6
Opcode Fuzzy Hash: e90d74155827650cb8e49d68e3c539754b06b4e6b7bb8689f151cd8b574f1123
Instruction Fuzzy Hash: 87F0393124020DABDF116F60EC45BEE776DAF04385F448061F988D6160DB32DEA8AB90

Function 00CAC0CF Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00CAC0FD
SetDlgItemTextW.USER32(00000065,?), ref: 00CAC114

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 4f2efd8cd1523e02d5957c593e870a4107191f5c3540e62831799d8789aba493
Instruction ID: 9af756f81de161bef3b0b4facbfa3c3a0bb0658acd85d217859f4b7b3887bed9
Opcode Fuzzy Hash: 4f2efd8cd1523e02d5957c593e870a4107191f5c3540e62831799d8789aba493
Instruction Fuzzy Hash: 3BF05C32540349B6EB21A7708C0BF9E376D9B05345F004086B605920A2D6316A20A7A1

Function 00C99DFC Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,00C99661,?,?,00C994BC), ref: 00C99E0D
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00C99661,?,?,00C994BC), ref: 00C99E3B

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d07d5eb3f9bdc70e268f5002b60445fa1e76355947504f6336e85736a575358e
Instruction ID: fda929d60a8acf29783121989d050caf713ff47acb126de577ca81b500c5cdd2
Opcode Fuzzy Hash: d07d5eb3f9bdc70e268f5002b60445fa1e76355947504f6336e85736a575358e
Instruction Fuzzy Hash: 01E09271640209ABDF119F65DC45FEE779DEF08781F844065F988C2050DB31DD94AA90

Function 00C99E63 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00C99E58,?,00C975A0,?,?,?,?), ref: 00C99E74
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00C99E58,?,00C975A0,?,?,?,?), ref: 00C99EA0

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4d02ace3eb57f4fbc629ad47ffca46e0e0fba9e9be01d36f062399a65cbd46fd
Instruction ID: 453e2bc39acf4551f82ebadb4f5d2f55fc844f03e2b1ddb15cd67d3817143d73
Opcode Fuzzy Hash: 4d02ace3eb57f4fbc629ad47ffca46e0e0fba9e9be01d36f062399a65cbd46fd
Instruction Fuzzy Hash: 2FE092325001286BDF10AB68DC09BDAB75CEB093E2F0002A1FD58E32A0D7719D949BD0

Function 00C9F35B Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00C9F376
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00C9DF18,Crypt32.dll,?,00C9DF9C,?,00C9DF7E,?,?,?,?), ref: 00C9F398

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 61a333d32d2ce890cefd564555df85abde90190f63d2d09a2275e6260bdf3416
Instruction ID: fe91afd542dbdd257646d34e0a8205e14ba14c00b9e7bc9cd135ea174b781de1
Opcode Fuzzy Hash: 61a333d32d2ce890cefd564555df85abde90190f63d2d09a2275e6260bdf3416
Instruction Fuzzy Hash: 95E0127281012CA7DB119AA4DC09FDA776CEB09381F0540A6F948D2004DA749A808BF0

Function 00CA8923 Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CA8944
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00CA894B

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 3476a53300bc0ba3ba072631d0f21d637c189fc37d84acadf84bef3626f34f6c
Instruction ID: 2d6e3034bc9e501b9cd90f3ddb3baba5dd78953db22addf5bc7101bc65c43fb2
Opcode Fuzzy Hash: 3476a53300bc0ba3ba072631d0f21d637c189fc37d84acadf84bef3626f34f6c
Instruction Fuzzy Hash: 9CE06D71800209EFCB20DFA9C541BEABBE8EB05325F10806AE85493601D670AE04AB92

Function 00CA909D Relevance: 3.0, APIs: 2, Instructions: 22comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,00CBF605,000000FF), ref: 00CA90C6
OleUninitialize.OLE32(?,?,?,00CBF605,000000FF), ref: 00CA90CB

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 4bf8a40ca2a6634b92ee98067b3266fb782fdb4e1183a41d40eeb412cccc2242
Instruction ID: bb03dcbe364a0bc81e5eb4bdc77baae7166b6e0ff719029e02036785b8200b76
Opcode Fuzzy Hash: 4bf8a40ca2a6634b92ee98067b3266fb782fdb4e1183a41d40eeb412cccc2242
Instruction Fuzzy Hash: ADE01A76548644DFC311DB48DD45F45BBE9FB09B20F10476AF81A83B60DB386C00CA95

Function 00CB0C46 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00CB1D87: try_get_function.LIBVCRUNTIME ref: 00CB1D9C

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CB0C64
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00CB0C6F

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 3eb4326d52d2e314c3214977d48b418b2e8ec586803ecbf6b45053d77bdcc0cf
Instruction ID: bd92d409b5ec63c1c7c29f78c6cb6af64a72333ae3b1524a0aa9f560bd262690
Opcode Fuzzy Hash: 3eb4326d52d2e314c3214977d48b418b2e8ec586803ecbf6b45053d77bdcc0cf
Instruction Fuzzy Hash: 68D022AC2483424C6D0436B0B8279CF1F8069227BAFB00396E831891C2EF2285427017

Function 00C912C2 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00C912D7
ShowWindow.USER32(00000000), ref: 00C912DE

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: d40ccc4f4b50b78b777d2ddcb62c503c3d5733c3bd53e7480e89bf13baf8a13c
Instruction ID: ab29b1ead2d9b2709e09c71bddf72241e62b30b4bddebb0587c1f008e947b00f
Opcode Fuzzy Hash: d40ccc4f4b50b78b777d2ddcb62c503c3d5733c3bd53e7480e89bf13baf8a13c
Instruction Fuzzy Hash: AAC01232058204BFCB010BB0DC1DE2EFBAAABA5216F00C908F4A5C00A0C238C820DB12

Function 00C9FC3C Relevance: 2.5, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00CD1E74,?,?,00C9A5F0,?,?,?,?,00CBF605,000000FF), ref: 00C9FC4B
LeaveCriticalSection.KERNEL32(00CD1E74,?,?,00C9A5F0,?,?,?,?,00CBF605,000000FF), ref: 00C9FC89

Part of subcall function 00C9FA23: ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 00C9FA57
Part of subcall function 00C9FA23: FindCloseChangeNotification.KERNELBASE(0072D29C,0072D29C), ref: 00C9FA71
Part of subcall function 00C9FA23: DeleteCriticalSection.KERNEL32(0072D438), ref: 00C9FA8A
Part of subcall function 00C9FA23: FindCloseChangeNotification.KERNELBASE(?), ref: 00C9FA96
Part of subcall function 00C9FA23: CloseHandle.KERNEL32(?), ref: 00C9FAA2

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CloseCriticalSection$ChangeFindNotification$DeleteEnterHandleLeaveReleaseSemaphore
String ID:
API String ID: 2076764878-0
Opcode ID: e7fd57d0bd447b867678d7fa0d435b025fbb5e2dfb7f557e6d71d476ae4d7a88
Instruction ID: 151205045b43d4957437e328362a08a6c09ac5cd37c9a1422b48938b160b7fec
Opcode Fuzzy Hash: e7fd57d0bd447b867678d7fa0d435b025fbb5e2dfb7f557e6d71d476ae4d7a88
Instruction Fuzzy Hash: F2F0A032A02214AB8B215B14E80DBAE7768AB86B65B08803EFC04E3990CB708D03D791

Function 00C919E2 Relevance: 1.8, APIs: 1, Instructions: 275COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C919E7

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7c78d05ac8a4e660be1edc7c923600c003e638fe35c9a3732b806087cac71f66
Instruction ID: 91a08de1c80765c1dec4b46e2869a2cf036c4547e8252fead8eabdbc447843f9
Opcode Fuzzy Hash: 7c78d05ac8a4e660be1edc7c923600c003e638fe35c9a3732b806087cac71f66
Instruction Fuzzy Hash: 63B1D470A00647AFEF19CF78C44EAB9FBA6FF05314F1C4159E86693281CB319A64DB91

Function 00C981ED Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C981F2

Part of subcall function 00C913AF: __EH_prolog.LIBCMT ref: 00C913B4
Part of subcall function 00C913AF: new.LIBCMT ref: 00C9142C

Part of subcall function 00C919E2: __EH_prolog.LIBCMT ref: 00C919E7

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e15e1e5a809938161fb864cd633d79b8a88a030f374063c45bf57aee5efb0358
Instruction ID: 1f7cffa3252b30af1b7883071cc9ec4ded5174af4e1cf4e1c8600cf9188b80bc
Opcode Fuzzy Hash: e15e1e5a809938161fb864cd633d79b8a88a030f374063c45bf57aee5efb0358
Instruction Fuzzy Hash: EE41B3719406549EDF24EB60CC5ABEA73A9AF51704F0400EAE58AA3093DF745FCCEB50

Function 00CA21E5 Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CA21EA

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 947ed9705924fd0ea6f1a77161938c1cb8dac220454061977fbeae400a1ea332
Instruction ID: 85a1bb1a62289e051d795e8e082aa8989e2aae010e954cc8422daa0ffdc224f8
Opcode Fuzzy Hash: 947ed9705924fd0ea6f1a77161938c1cb8dac220454061977fbeae400a1ea332
Instruction Fuzzy Hash: DB21DBB1E402276FDB14DFB8CC45B6A7668FB16318F00463AE515EB681D7749D40C7A4

Function 00CA9484 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CA9489

Part of subcall function 00C913AF: __EH_prolog.LIBCMT ref: 00C913B4
Part of subcall function 00C913AF: new.LIBCMT ref: 00C9142C

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8b3cf3cc0695ea0b243dab7be3ca2172e71fb6d5a95798d4feea68baa0b2ed7
Instruction ID: 8b9f9590dc4ed18ae54013928b526d1c457498280fb02ca9621242d3581f6df3
Opcode Fuzzy Hash: e8b3cf3cc0695ea0b243dab7be3ca2172e71fb6d5a95798d4feea68baa0b2ed7
Instruction Fuzzy Hash: 9D213B71C0424A9ECF15DF99D9929EEB7B4EF1A304F1404EAE809A7212D635AE05EB60

Function 00C99120 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C99125

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7ad6e02d48e1296a2ca4b2518ab99ac740788a6d00d2dae32b846ad9906da5d0
Instruction ID: d575affb66fc1b29137f8479f20e55e837e831ff9aba648d251620c5f833bdc3
Opcode Fuzzy Hash: 7ad6e02d48e1296a2ca4b2518ab99ac740788a6d00d2dae32b846ad9906da5d0
Instruction Fuzzy Hash: F5117073E0092A9BCF12AE58CC999DEB735FF88740F054169F81567211CA308D1096A0

Function 00CB59EC Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00CB239A,?,0000015D,?,?,?,?,00CB2F19,000000FF,00000000,?,?), ref: 00CB5A1E

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5a3d783d65df11afaf1116d3b50527f69f50afcac2089257c2d4751cf0e69cb2
Instruction ID: 7d77a82f93c4704379f73576149b89815a5cd1e93f427bc1af93a2ba1e3ac3ef
Opcode Fuzzy Hash: 5a3d783d65df11afaf1116d3b50527f69f50afcac2089257c2d4751cf0e69cb2
Instruction Fuzzy Hash: 82E0E531160A605AE62027619C82BFB375CDB063A1F150324AC25B6090EB51CE00A5A0

Function 00C95B05 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C95B0A

Part of subcall function 00C9ACB6: __EH_prolog.LIBCMT ref: 00C9ACBB

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 47fab304b298264ae56fdcbca33bd26ebd55de22c8597b28180b7c3ba9fe26d3
Instruction ID: a0e4e3393f57fa5ce6caa07bfab15bd3eb41f0569384ea4969f41a828dd08fef
Opcode Fuzzy Hash: 47fab304b298264ae56fdcbca33bd26ebd55de22c8597b28180b7c3ba9fe26d3
Instruction Fuzzy Hash: BD018634900A45DACB05E7A4D4597DDF7E49F15300F00809DB85963242CFB41B09D7E3

Function 00C994F3 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00C994C3), ref: 00C9950E

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e8996764402e90b7bb00fa45b8843220b0bc909db6a01c454d773602fe850229
Instruction ID: 3d509527b7669381c10795aec1cb80d908c8e80c827381b078e3ae239bcb2e60
Opcode Fuzzy Hash: e8996764402e90b7bb00fa45b8843220b0bc909db6a01c454d773602fe850229
Instruction Fuzzy Hash: 8CF0BEB0482B448FDF318A28D54DB93B3E49B11721F048B1EC0F6838E08372AA488F10

Function 00C9A195 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00C9A1C4

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 1d1ec689013a7f2a333a552df4cb083a24fbb6b7a82f40ac42a16cb4b79472f1
Instruction ID: aea0e646c7bc37e0d2d042f8d02d016ec85d50711cab93a78d042e7d291ef50c
Opcode Fuzzy Hash: 1d1ec689013a7f2a333a552df4cb083a24fbb6b7a82f40ac42a16cb4b79472f1
Instruction Fuzzy Hash: 3EF08231408790EECF229BB48809BCBBBA59F1A331F148A4DF1FD521D2C37554D9A762

Function 00C91EBF Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C91EC4

Part of subcall function 00C91927: __EH_prolog.LIBCMT ref: 00C9192C

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 83143faf9785862e34772e9d4979997323e13d55cd2782fca3ecd7d1df3b8669
Instruction ID: dc07200fcdecb7569a4a4b5369a2a86a24f2225fa55a18955eb38f32e764b389
Opcode Fuzzy Hash: 83143faf9785862e34772e9d4979997323e13d55cd2782fca3ecd7d1df3b8669
Instruction Fuzzy Hash: C3F0ACB1D006898ECF41DFE8C54A6EEBBF4FB19304F0845BED819E7202E73556049B91

Function 00C91EC4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C91EC4

Part of subcall function 00C91927: __EH_prolog.LIBCMT ref: 00C9192C

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9174b26c55bc6689883bf4742441a397630375c3705d662e38516824eb19a35e
Instruction ID: 4c07911133daca55b6bafd49d18c2c3a5ee7a41fbe37f3e454eb358a1c12d495
Opcode Fuzzy Hash: 9174b26c55bc6689883bf4742441a397630375c3705d662e38516824eb19a35e
Instruction Fuzzy Hash: BFF0ACB1C006498ECF41DFA8C54A6EEBBF0BB19304F0845BED809E7202E73556048B91

Function 00C9F944 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00C9F979

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 1eee7e77b741c6b0ee82948ffa32c4bbf93a3cbafd4126e4470a422c30081444
Instruction ID: 27f94580d11cbee08ccc57df3ff0c1ab22e89c9098b05a6a463c2b0b18c6f6a3
Opcode Fuzzy Hash: 1eee7e77b741c6b0ee82948ffa32c4bbf93a3cbafd4126e4470a422c30081444
Instruction Fuzzy Hash: B7D02E1270001222EE213368A84FFFD161A0FC239CF1E00BEF469A72C2CA950C43B2A2

Function 00CA8B64 Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00CA8B6A

Part of subcall function 00CA8923: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CA8944

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: b3ecc342144db532c8dedf8b776bc33c6e15ccf428a3dce563ad8a90b77a80c7
Instruction ID: 7539f9192f65297e0db9e7ac07595e7e201ce5bc520be7ae77e5c1fbf43da229
Opcode Fuzzy Hash: b3ecc342144db532c8dedf8b776bc33c6e15ccf428a3dce563ad8a90b77a80c7
Instruction Fuzzy Hash: 8AD0A77060010E7BDF41AF719C0697E7A98EB03364F408135BC0485150FE71CD247261

Function 00C9976A Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00C9969C), ref: 00C99776

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8f789859f2c8038d854a5af45ae6f6ebcce8261558be23aefba79e108cb2a19f
Instruction ID: 0f4c8e041963b3e3d5740d67ffc7333872ee9abb6010470f393be1d266fa4dec
Opcode Fuzzy Hash: 8f789859f2c8038d854a5af45ae6f6ebcce8261558be23aefba79e108cb2a19f
Instruction Fuzzy Hash: 30D01230021200958F610E7C9D8D1696651DB833A7728CAECE135C40B1CB32C943F540

Function 00CABF76 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00CABF9B

Part of subcall function 00CA991D: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CA992E
Part of subcall function 00CA991D: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CA993F
Part of subcall function 00CA991D: TranslateMessage.USER32(?), ref: 00CA9949
Part of subcall function 00CA991D: DispatchMessageW.USER32(?), ref: 00CA9953

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Message$DispatchItemPeekSendTranslate
String ID:
API String ID: 4142818094-0
Opcode ID: aedc4b8d91da6ff8cca89b61c44f84092b45c104170265d23c1974921f17f3af
Instruction ID: 307b71a2577b8ce1f41920dc08ad282c8fefa7fc772eb28175ea9ab78949fd75
Opcode Fuzzy Hash: aedc4b8d91da6ff8cca89b61c44f84092b45c104170265d23c1974921f17f3af
Instruction Fuzzy Hash: EAD09E31144200BADB112B51CE0AF0E7AE3BB98B08F404554B248340B18662AD20EB02

Function 00CAC786 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CAC798

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 99189316ac86ae990c8fc63f46fcb67a0f9a57e042042a31ba0a74a396e0f9fa
Instruction ID: b7b3c7a7bcfa73171f01a729c21a2f0b9357ec30ea577b25cb3ac51517bcdcea
Opcode Fuzzy Hash: 99189316ac86ae990c8fc63f46fcb67a0f9a57e042042a31ba0a74a396e0f9fa
Instruction Fuzzy Hash: F3B012F22781067D3144D1C2AC8EE37010DC2C3F19330C02FF800C004098402C09203A

Function 00CAC7BF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CAC798

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e8d629907f052c493cc67f1182219612fa88770b00ad312ee16430c75c276926
Instruction ID: 4e7f6cd3f0181914595f93e2c267645bee9c64a74a4e0ee6edbd55f12f0ea1d8
Opcode Fuzzy Hash: e8d629907f052c493cc67f1182219612fa88770b00ad312ee16430c75c276926
Instruction Fuzzy Hash: 46B012E227C0066D3144D1C6AD4EE37010DC2C6F19330C02FF400C1140D8400C0E3036

Function 00CAC7B5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CAC798

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 90cad05744a9d611d39e5b7d17ea36861b66a32497c22151cc232b7010c9678f
Instruction ID: f201cdc2b27b1bdbd6333ddc4916c83307c7222ea546d81b03a62fc676b1e2c1
Opcode Fuzzy Hash: 90cad05744a9d611d39e5b7d17ea36861b66a32497c22151cc232b7010c9678f
Instruction Fuzzy Hash: A2B012E227810A6D3148D1C7AC9EE37010CC2C6F19330C02FF400C0140D8404C05213A

Function 00CAC74A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CAC737

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 92eda664378cf54f87feacecd8174885a68a5d0d0012681954131bc610637ddb
Instruction ID: df7294423e3916af196c99152efab022ed6facd5bea07d813245363941b9e4f5
Opcode Fuzzy Hash: 92eda664378cf54f87feacecd8174885a68a5d0d0012681954131bc610637ddb
Instruction Fuzzy Hash: 9CB012D22685077C3104E209AD8EE37010CC2C2F18330C02FF800C0140DC404C093C32

Function 00CAC740 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CAC737

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 242cc84b14c97ec26045f4ee80106c8a778829771f4f411a7dbf07b931f89fa7
Instruction ID: 54bdaa3d978330890f04ac440c9a10524a3f6c44a4846f2f3018104b3d21c171
Opcode Fuzzy Hash: 242cc84b14c97ec26045f4ee80106c8a778829771f4f411a7dbf07b931f89fa7
Instruction Fuzzy Hash: 9EB012D22684076C3104E20AED4EE37010CC2C2F18330812FF401C0140DC400C093832

Function 00CAC75E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CAC737

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3183ed70f7deecc64bf41077e8bb31d31135037f132649fe3d3e009216f11635
Instruction ID: 2f1f8e3597faa698fccc6310e3918c86f22f80b1c5ab31247a990372c24f1dc1
Opcode Fuzzy Hash: 3183ed70f7deecc64bf41077e8bb31d31135037f132649fe3d3e009216f11635
Instruction Fuzzy Hash: 8FB012D22586076D3104E209BF8EE37010CC2C2F18330802FF400C0140DC404C0A3C32

Function 00CAC725 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CAC737

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 65a98ce7ec301ea975e17364888610547688aef163a009ea11479ce4febd9d6f
Instruction ID: 39d9d1aa5835f424ec421712c04ed04085ca4fb0f47f82d4beb0035753bb932e
Opcode Fuzzy Hash: 65a98ce7ec301ea975e17364888610547688aef163a009ea11479ce4febd9d6f
Instruction Fuzzy Hash: 8FB012D22586077C3508A205ADCED37011CC2C6F28330812FF400C0040DC404C497C32

Function 00CAC781 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CAC737

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fa2d1920ae46412ff152a6f6f434b52b7476ea56bffb256e75f900d2f0b84ee2
Instruction ID: 6612e93fde8c6650a0e4276f69f3235c1ad30290dca2514649be5216c2908eaa
Opcode Fuzzy Hash: fa2d1920ae46412ff152a6f6f434b52b7476ea56bffb256e75f900d2f0b84ee2
Instruction Fuzzy Hash: 18A001E66A9917BC7108A256AD8AD3B021CC6D6FA9331892EF802C4181AD801C4A2831

Function 00CAC7A6 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CAC798

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ddb1b54f158f4c55cc996130f14781f0e20fd36275a6eefcf2ee4a257ea9dadd
Instruction ID: eaaa1bab62ed27c8f623cbe8f7e0bd44430b5f241be423ee4865dda55254f6b8
Opcode Fuzzy Hash: ddb1b54f158f4c55cc996130f14781f0e20fd36275a6eefcf2ee4a257ea9dadd
Instruction Fuzzy Hash: 30A001E62B9507BC7148A2D2AD8AD3B021CC6DAF6A331892EF802C4181A9801C4A2439

Function 00CAC7B0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CAC798

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 84242982ed3cf84ab1650e48c870a837827d1bcf482bfe0bfb82586cfd5d65bc
Instruction ID: eaaa1bab62ed27c8f623cbe8f7e0bd44430b5f241be423ee4865dda55254f6b8
Opcode Fuzzy Hash: 84242982ed3cf84ab1650e48c870a837827d1bcf482bfe0bfb82586cfd5d65bc
Instruction Fuzzy Hash: 30A001E62B9507BC7148A2D2AD8AD3B021CC6DAF6A331892EF802C4181A9801C4A2439

Function 00CAC759 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CAC737

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bee7351ddfcd06ef21418bbd95ebcba5a6496c8544336efe16579df5b888b98d
Instruction ID: 6612e93fde8c6650a0e4276f69f3235c1ad30290dca2514649be5216c2908eaa
Opcode Fuzzy Hash: bee7351ddfcd06ef21418bbd95ebcba5a6496c8544336efe16579df5b888b98d
Instruction Fuzzy Hash: 18A001E66A9917BC7108A256AD8AD3B021CC6D6FA9331892EF802C4181AD801C4A2831

Function 00CAC76D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CAC737

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 56c415526d609654ac28cd27287dc0527fb54180a96eacbef28d74f95917c878
Instruction ID: 6612e93fde8c6650a0e4276f69f3235c1ad30290dca2514649be5216c2908eaa
Opcode Fuzzy Hash: 56c415526d609654ac28cd27287dc0527fb54180a96eacbef28d74f95917c878
Instruction Fuzzy Hash: 18A001E66A9917BC7108A256AD8AD3B021CC6D6FA9331892EF802C4181AD801C4A2831

Function 00CAC777 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CAC737

Part of subcall function 00CACABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CACB38
Part of subcall function 00CACABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CACB49

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 00c828b1deb70e5aa26b0dc97464a8352dfd9f2021646e8b762617bb98feeecb
Instruction ID: 6612e93fde8c6650a0e4276f69f3235c1ad30290dca2514649be5216c2908eaa
Opcode Fuzzy Hash: 00c828b1deb70e5aa26b0dc97464a8352dfd9f2021646e8b762617bb98feeecb
Instruction Fuzzy Hash: 18A001E66A9917BC7108A256AD8AD3B021CC6D6FA9331892EF802C4181AD801C4A2831

Function 00CA9022 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00CA9279,00CD2120,00000000,00CD3122,00000006), ref: 00CA9026

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: cacca53e74b28e2d659caa339bafe61c0eeb876f8070c9c394df1939c358a022
Instruction ID: 37766ab9b66068f9886858583dd342bf2ace17e417c36ec38de66464f0333ed1
Opcode Fuzzy Hash: cacca53e74b28e2d659caa339bafe61c0eeb876f8070c9c394df1939c358a022
Instruction Fuzzy Hash: 6DA0123019410686CA000B30CC09D1DB6505760702F108624B002C00A0CB30C810E500

Non-executed Functions

Function 00CAA536 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 289timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C912E7: GetDlgItem.USER32(00000000,00003021), ref: 00C9132B
Part of subcall function 00C912E7: SetWindowTextW.USER32(00000000,00CC02E4), ref: 00C91341

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00CAA5C7
EndDialog.USER32(?,00000006), ref: 00CAA5DA
GetDlgItem.USER32(?,0000006C), ref: 00CAA5F6
SetFocus.USER32(00000000), ref: 00CAA5FD
SetDlgItemTextW.USER32(?,00000065,?), ref: 00CAA63D
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00CAA670
FindFirstFileW.KERNEL32(?,?), ref: 00CAA686
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CAA6A4
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CAA6B4
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00CAA6D1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00CAA6EF

Part of subcall function 00C9D192: LoadStringW.USER32(?,?,00000200,?), ref: 00C9D1D7
Part of subcall function 00C9D192: LoadStringW.USER32(?,?,00000200,?), ref: 00C9D1ED

_swprintf.LIBCMT ref: 00CAA71F

Part of subcall function 00C93F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C93F3E

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00CAA732
FindClose.KERNEL32(00000000), ref: 00CAA735
_swprintf.LIBCMT ref: 00CAA790
SetDlgItemTextW.USER32(?,00000068,?), ref: 00CAA7A3
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00CAA7B9
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00CAA7D9
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CAA7E9
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00CAA803
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00CAA81B
_swprintf.LIBCMT ref: 00CAA84C
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00CAA85F
_swprintf.LIBCMT ref: 00CAA8AF
SetDlgItemTextW.USER32(?,00000069,?), ref: 00CAA8C2

Part of subcall function 00CA932E: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00CA9354
Part of subcall function 00CA932E: GetNumberFormatW.KERNEL32(00000400,00000000,?,00CCA154,?,?), ref: 00CA93A3

Strings

%s %s, xrefs: 00CAA77E, 00CAA8A1
REPLACEFILEDLG, xrefs: 00CAA55D
%s %s %s, xrefs: 00CAA70D, 00CAA839

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 3227067027-1840816070
Opcode ID: 669796713de4a15e15047d926d0135e762a5dbc23fe8bd6de9010f6275558fd7
Instruction ID: 3ab30d3fd077515b79407569895bbca3e0083818e8dc0d75a95f81815330dbf6
Opcode Fuzzy Hash: 669796713de4a15e15047d926d0135e762a5dbc23fe8bd6de9010f6275558fd7
Instruction Fuzzy Hash: 7E91CE72548349BBE621DBA0CC49FFF77ACEB4A708F044819F649D2081D775AA05DB63

Function 00C97070 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C97075
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00C971D5
CloseHandle.KERNEL32(00000000), ref: 00C971E5

Part of subcall function 00C97A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00C97AAC
Part of subcall function 00C97A9D: GetLastError.KERNEL32 ref: 00C97AF2
Part of subcall function 00C97A9D: CloseHandle.KERNEL32(?), ref: 00C97B01

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00C971F0
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00C972FE
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00C9732A
CloseHandle.KERNEL32(?), ref: 00C9733C
GetLastError.KERNEL32(00000015,00000000,?), ref: 00C9734C
RemoveDirectoryW.KERNEL32(?), ref: 00C97398
DeleteFileW.KERNEL32(?), ref: 00C973C0

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00C970A0
SeRestorePrivilege, xrefs: 00C97096
\??\, xrefs: 00C970FB
UNC\, xrefs: 00C97120

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: bf5ccd2c2116af0b7b82926c873d55d95498063656e5290b2ec48bbd91275bf7
Instruction ID: 99616d18d7c1f2d22378a9e7a18f794eb44e106c4af0ace72ac685f6fc6f164c
Opcode Fuzzy Hash: bf5ccd2c2116af0b7b82926c873d55d95498063656e5290b2ec48bbd91275bf7
Instruction Fuzzy Hash: 0EB1BF71914208EBDF20DFA4DC89BEE77B8EF08700F1445A9F929E7152D730AA45DB61

Function 00C931F0 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 604COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C931F9
_memcmp.LIBVCRUNTIME ref: 00C932DC

Strings

hc%u, xrefs: 00C935DC
CMT, xrefs: 00C938F1
h%u, xrefs: 00C9358E

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: e5706fc77c162e5ec41b53ecfc7b36f90163bbf96dbf0b97e3dff90b2ba77e52
Instruction ID: db43bdc7abc515c7268d20fde2851b638a1cc1cace0b1b4f8440e42cf8634ab9
Opcode Fuzzy Hash: e5706fc77c162e5ec41b53ecfc7b36f90163bbf96dbf0b97e3dff90b2ba77e52
Instruction Fuzzy Hash: C232B2715143849FDF14DF74C89ABEA37A5AF15300F08447EFD9A8B282EB709A49CB60

Function 00CBA350 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00CBA496

Strings

1#SNAN, xrefs: 00CBB695
1#QNAN, xrefs: 00CBB69C
1#IND, xrefs: 00CBB68E
1#INF, xrefs: 00CBB6A3

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 20a14ccd284da2fd0d12fb808975c4cf96fd99f46096c44916201ac89c5870e4
Instruction ID: 3da50799a66819597ef8013a077e4a793cb82dc79d78fcf514148273768812ff
Opcode Fuzzy Hash: 20a14ccd284da2fd0d12fb808975c4cf96fd99f46096c44916201ac89c5870e4
Instruction Fuzzy Hash: 29C25B71E086288FDF25CE28DD407EAB7B9EB44305F1441EAE85EE7240E775AE858F41

Function 00C92759 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 793COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C92762
_strlen.LIBCMT ref: 00C92CEC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C92E43

Strings

CMT, xrefs: 00C92E76

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: H_prologUnothrow_t@std@@@__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 3741668355-2756464174
Opcode ID: 8226521d85d3c9c189736e6305512feb2adaa381b30e2c711eed8a4e64d4d068
Instruction ID: 1129810a62099c3da647d07afd39ef46d0fb5d919c943bb4bd55ccd075ed3ec2
Opcode Fuzzy Hash: 8226521d85d3c9c189736e6305512feb2adaa381b30e2c711eed8a4e64d4d068
Instruction Fuzzy Hash: BD6217725006849FDF18DF78C899BEA3BE1EF54304F04457EEC9A9B282DB709A45DB60

Function 00CB5B43 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00CB5C3B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00CB5C45
UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00CB5C52

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ee5254e024340c5d596c1666a63ff7a4f26b68d7aa65b9a36f0732a3916aac23
Instruction ID: ef29d11fd35f1ed4f58005c75be3f506c862b945025df042a93361f6fe56c355
Opcode Fuzzy Hash: ee5254e024340c5d596c1666a63ff7a4f26b68d7aa65b9a36f0732a3916aac23
Instruction Fuzzy Hash: B531B375901319ABCB21DF64D889BDDBBB8BF08310F5041EAE81DA7290EB709B818F44

Function 00CB7D69 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00CB7EFC

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 0d9d431053ae4f7d07f8e38d81630d7fcd21a0a0abb1b2c59078c952e9f37d93
Instruction ID: 72c7aad25e57f0365de9121ee1d8fc401bddd569f1357c1bae9f0fd064d13a63
Opcode Fuzzy Hash: 0d9d431053ae4f7d07f8e38d81630d7fcd21a0a0abb1b2c59078c952e9f37d93
Instruction Fuzzy Hash: D8310372804249AFCB249E78CC88EFE7BBDDF85344F1402A8F829D7251E630DE408B50

Function 00CB9EA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8cca871330e4123537bb6ab64568d03676673747229a1061e8821d119ab4a2
Instruction ID: 0cabc82c3861ef6d321f0392cd7ac4c8db92e81dd5940b00739bef314a6300dc
Opcode Fuzzy Hash: 1d8cca871330e4123537bb6ab64568d03676673747229a1061e8821d119ab4a2
Instruction Fuzzy Hash: 85021B71E002199FDF14CFA9D8806EEBBF5EF48314F25826AD969E7240D731AE418B91

Function 00CA932E Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00CA9354
GetNumberFormatW.KERNEL32(00000400,00000000,?,00CCA154,?,?), ref: 00CA93A3

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 1346e64f9efa5fc83fdd7dadfd4b81ed3a2d9a6cc6dcb30fbd47b54218027b58
Instruction ID: 27923a9750e8d1868fe9460c50b113816114a403029309e977bcdd4bef29d851
Opcode Fuzzy Hash: 1346e64f9efa5fc83fdd7dadfd4b81ed3a2d9a6cc6dcb30fbd47b54218027b58
Instruction Fuzzy Hash: 2A015A75500349AADB10CFA5DC49FAFB7BCEF09714F105426FA08E71A1D7709928CBA6

Function 00CBE8D4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CBE8CF,?,?,00000008,?,?,00CBE56F,00000000), ref: 00CBEB01

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4d545fc806f663bb9e451d4ceee8587b27e31e6ba8e9bc834718cb2c99bd697c
Instruction ID: 74200178a2002b9d0175aa49c6c87a60306738eb1836000b39814d37f763a762
Opcode Fuzzy Hash: 4d545fc806f663bb9e451d4ceee8587b27e31e6ba8e9bc834718cb2c99bd697c
Instruction Fuzzy Hash: E7B13B31610608DFD715CF28C48ABE57BE0FF45765F258658E8AACF2A1C335EA81CB44

Function 00C93F95 Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 00C93FD8

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 8fbe8f9c448a747aac16472a266e87d33145a64bb69ee035d78bb27984e03b4c
Instruction ID: fc8a07993305d76c28a900edea476b537e6506f0420c8753ed737c2350e57c87
Opcode Fuzzy Hash: 8fbe8f9c448a747aac16472a266e87d33145a64bb69ee035d78bb27984e03b4c
Instruction Fuzzy Hash: CCF1D4B1A083818FD748CF29D880A1AFBE1BFC8208F19892EF598D7715D734E9558F56

Function 00C9A930 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00C9A955

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: df54ddcd648e1dbcbe20a5ee37e6bb1ce83ee4bca8a3610a706da20a3fd5f754
Instruction ID: 8cc8078dd702523c6d4dd5c35455f8efdf802ca485d320fb4c9cd643b97384c2
Opcode Fuzzy Hash: df54ddcd648e1dbcbe20a5ee37e6bb1ce83ee4bca8a3610a706da20a3fd5f754
Instruction Fuzzy Hash: 5FF030B4D002088BCB28CF58EC9AFED77B5F759314F224295D92953390D771AD808F96

Function 00CADB63 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001DB6F,00CAD5E4), ref: 00CADB68

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0d53abc38d217af532aa2cc5af50c8d8342953e962c85aec709613aecd08d837
Instruction ID: 519f221c54da4bf79b22241764a876487a6773d0ce02a5fcfe0a22d5370dfd19
Opcode Fuzzy Hash: 0d53abc38d217af532aa2cc5af50c8d8342953e962c85aec709613aecd08d837
Instruction Fuzzy Hash:

Function 00CB8A9B Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00CB8A9B

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 60009a43f9412ffe0daea3cbdbed54f5d2a34e007b23e4ef271dbae7769d2c1c
Instruction ID: 40ecb67cb0efcee18bcb871a0df855fae57ebcaaf0623019f54131cbc07ffd6f
Opcode Fuzzy Hash: 60009a43f9412ffe0daea3cbdbed54f5d2a34e007b23e4ef271dbae7769d2c1c
Instruction Fuzzy Hash: 8DA02430101140CF53004F31DF0730D35D475013C0715501CD004C5130DF3044004700

Function 00CA4FB4 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289fefe8c5a67303e04c4f7979b92612d24f26a9e9caf40240c5c4cc4755c92c
Instruction ID: 48f2dd7acfd2067c1fa275d7a4bd636ad33a46cf0054fb86b5ad101752530ac8
Opcode Fuzzy Hash: 289fefe8c5a67303e04c4f7979b92612d24f26a9e9caf40240c5c4cc4755c92c
Instruction Fuzzy Hash: D2620971604B869FCB25CF38C8906B9B7E1AF96308F08C96DD9AB8F746D630A945D710

Function 00CA63F1 Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7df07331dc8246d27593e118a7ee815c0dd8300ee0f02b9d281ebf78cfae13a
Instruction ID: 1baadc1de382425623ef34a094671f4b6dd4a1b650d7605e41ceb43fe9c24c83
Opcode Fuzzy Hash: a7df07331dc8246d27593e118a7ee815c0dd8300ee0f02b9d281ebf78cfae13a
Instruction Fuzzy Hash: 8462037160478B9FC719CF28C9805A9FBE0FB5630CF18866DD9A687742D730EA56DB80

Function 00C9E097 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd2caf385a59822b9a14fbc93f7aaa4fbbe767d050e2cf75e0f52348a67b4f0
Instruction ID: 2542a1765f7b90fab08ea1a8d6381997fedc413fa7b33d51184bf3d6648756df
Opcode Fuzzy Hash: 4dd2caf385a59822b9a14fbc93f7aaa4fbbe767d050e2cf75e0f52348a67b4f0
Instruction Fuzzy Hash: 575248B26087019FC758CF18C891A6AF7E1FFC8304F89892DF99687255D334E919CB82

Function 00CA5DB8 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4ec420f9a3a83c7509315784d948476334718c13a2b8fa695bea50c2831fae
Instruction ID: 3cff1b083a31bf19a06a04af00fe058052831b13fa19df069eee9b39794fc518
Opcode Fuzzy Hash: ab4ec420f9a3a83c7509315784d948476334718c13a2b8fa695bea50c2831fae
Instruction Fuzzy Hash: 8512E2B1604B078FCB28CF28C8946B9B7E0FB55308F14892EE997C7A81D774A995CB45

Function 00C9BA6A Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a1520f1181234eb45886932516cb36103320c246dc55b64259d5223f3ba13e
Instruction ID: 6ca0242b70bdafcfaf074341294705fbc0add15cf4ce01b169662bcde921c473
Opcode Fuzzy Hash: f7a1520f1181234eb45886932516cb36103320c246dc55b64259d5223f3ba13e
Instruction Fuzzy Hash: 41F17A72608345AFCB14CF29D68866ABBE6FFC9714F144A2EF49587345D730EE068B42

Function 00CAF635 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: b40cbed9cf7e0ca3a40d79002bf462c6e666844f0fc11694004b5b6f0def7946
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 7FC1763220519349EB2D467EC83453EBAA1AE937B531A077ED4B3CB1D4EE30C626D710

Function 00CAFA6A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: ba6c84e9bbd358a79f41ea499566939090712b6b9cefb12d9976f26f366e8a42
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 7EC1783220519349EF2D467EC87413EBAA19A937B931A077ED4B3DB1D5EE30C625D720

Function 00CAF200 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 54aa80a2e078d9063f91a50a0eb1908653e4a9989ac64695ff393d0df9e810cc
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: CFC189322051934AEF2D467EC87413EBAA19A937B531A077ED4B3DB1D5EE30C626D720

Function 00CAEDE8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: b990d2e3265ccc2e612000421999d9feda0f08157330a2cfb107966639be4525
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 93C1633220519349EF6D467EC87413EBAA1AAA37B531A077ED4B3CB1D5EE30C625D720

Function 00C9D634 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5353bd877d51368d6a14d3c75ce38d78d59749625536757f9d4f0580f28ef633
Instruction ID: feeda89a8cb1c3ba7dbdd50a02b4411e9be84ef5142003130702e1a3c696f562
Opcode Fuzzy Hash: 5353bd877d51368d6a14d3c75ce38d78d59749625536757f9d4f0580f28ef633
Instruction Fuzzy Hash: C7E11A755093808FC344CF29D894A6ABBF0EFCA300F89495EF9D597362C234D656DB62

Function 00CA2DB4 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f2a4d6ddd3b585317645cc5051d726e6ea8aecf25b64319d1df32cbac21ee2
Instruction ID: 87ef663a4cf49f7755c44654c142dba825aa4744f55fb510f4a129e584b9f24f
Opcode Fuzzy Hash: 27f2a4d6ddd3b585317645cc5051d726e6ea8aecf25b64319d1df32cbac21ee2
Instruction Fuzzy Hash: 1E91587120035B9BDB24EF68C894BBE73E5AB52308F10092DF59BC7282DA74A645D792

Function 00CB2B68 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa97faab0b08c63e2f347ad96aeeece54a108284c4a0e99a0bea3a3684bfa44
Instruction ID: b280a979a153cdbf43ea222c2238f5c1fdfb893d3e19e7a6f400af54e86e5f6f
Opcode Fuzzy Hash: bfa97faab0b08c63e2f347ad96aeeece54a108284c4a0e99a0bea3a3684bfa44
Instruction Fuzzy Hash: F3619B7170070867EF385E688899BFF7794EF01300F240919E8A3DB281DA55DF86D756

Function 00CA30E5 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00179462e72e715994715ee1dba655cee4073e68508d321703d4c828cdcba7bf
Instruction ID: f5f7bd0b943a901ec50aaa91aaa1672bd176d54c87714f08a30f2c9fcdb6c563
Opcode Fuzzy Hash: 00179462e72e715994715ee1dba655cee4073e68508d321703d4c828cdcba7bf
Instruction Fuzzy Hash: 227159713043C75BDF24DE68C8E5BAD77D1AB9230CF00092DFA868B283CA748B858756

Function 00C9D222 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed4608e1ca69652c31ed93df1bed4b83036c159a4f9d114a37eb6237f94628f
Instruction ID: c21934e4218b3e5f88251eb928b49c0cc4ecd3fb075aef000c12239595c8d87d
Opcode Fuzzy Hash: 7ed4608e1ca69652c31ed93df1bed4b83036c159a4f9d114a37eb6237f94628f
Instruction Fuzzy Hash: 85816F9221A2D4ADC7064F7D78D83E93FA15777341F1D44BBD8C6862B3C0368659E722

Function 00C9DC32 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e662ccabb22cc6e0a887168dea41e7f6bdb26cba6a7cd321da45add5257b48ff
Instruction ID: 8bb2decc5af9ee9b0e5276c46cba1493b5e8eca4f38d3c20bc14399eb4bf36e0
Opcode Fuzzy Hash: e662ccabb22cc6e0a887168dea41e7f6bdb26cba6a7cd321da45add5257b48ff
Instruction Fuzzy Hash: 1651E3725083954ECB12CF29C1844AEBFE1AFDB314F49489DE4E66B252C230D789DB63

Function 00C9ECE9 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17163c1a8474e91f72bcd754284e3c91bd2c31dece9804a3816e690b7fd1d418
Instruction ID: 476d2a400afded64994c699a7aacf7fd43d84f74a99f748a47ce5f6dc9c2d5d2
Opcode Fuzzy Hash: 17163c1a8474e91f72bcd754284e3c91bd2c31dece9804a3816e690b7fd1d418
Instruction Fuzzy Hash: C7511571A083129FC748CF19D48059AF7E1FF88314F054A2EE899A7741DB34EA59CBD6

Function 00CA2B39 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d8200d211fb2155360bb18f1da6528e951efe338ec765a37701bdcb59cc893
Instruction ID: 65c4bb96a5404fc36796460d9ebc78a3fd48d790cd2dd089d7a728368c8eebb6
Opcode Fuzzy Hash: 03d8200d211fb2155360bb18f1da6528e951efe338ec765a37701bdcb59cc893
Instruction Fuzzy Hash: 0531F6716047569FCB14DF28D8552AEFBE0FB96304F00452DE4DAD7741C678EA09CBA2

Function 00C95E83 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6349af770d6e6546b5ec63ad831dcd2688bad15d1e0777dd29277d614d0a322
Instruction ID: 66a0394ab4b8557004ecb6f5ae94ada8eb2b5f83937357501c15b6f681a98f13
Opcode Fuzzy Hash: c6349af770d6e6546b5ec63ad831dcd2688bad15d1e0777dd29277d614d0a322
Instruction Fuzzy Hash: 3F210D31A200655BCB08CF6DECECA3E73559746301786812BED468B2D0C535DE65CBA0

Function 00CB957E Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00CB95C2

Part of subcall function 00CB915D: _free.LIBCMT ref: 00CB917A
Part of subcall function 00CB915D: _free.LIBCMT ref: 00CB918C
Part of subcall function 00CB915D: _free.LIBCMT ref: 00CB919E
Part of subcall function 00CB915D: _free.LIBCMT ref: 00CB91B0
Part of subcall function 00CB915D: _free.LIBCMT ref: 00CB91C2
Part of subcall function 00CB915D: _free.LIBCMT ref: 00CB91D4
Part of subcall function 00CB915D: _free.LIBCMT ref: 00CB91E6
Part of subcall function 00CB915D: _free.LIBCMT ref: 00CB91F8
Part of subcall function 00CB915D: _free.LIBCMT ref: 00CB920A
Part of subcall function 00CB915D: _free.LIBCMT ref: 00CB921C
Part of subcall function 00CB915D: _free.LIBCMT ref: 00CB922E
Part of subcall function 00CB915D: _free.LIBCMT ref: 00CB9240
Part of subcall function 00CB915D: _free.LIBCMT ref: 00CB9252

_free.LIBCMT ref: 00CB95B7

Part of subcall function 00CB59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,00CB92F2,?,00000000,?,00000000,?,00CB9319,?,00000007,?,?,00CB9716,?), ref: 00CB59C8
Part of subcall function 00CB59B2: GetLastError.KERNEL32(?,?,00CB92F2,?,00000000,?,00000000,?,00CB9319,?,00000007,?,?,00CB9716,?,?), ref: 00CB59DA

_free.LIBCMT ref: 00CB95D9
_free.LIBCMT ref: 00CB95EE
_free.LIBCMT ref: 00CB95F9
_free.LIBCMT ref: 00CB961B
_free.LIBCMT ref: 00CB962E
_free.LIBCMT ref: 00CB963C
_free.LIBCMT ref: 00CB9647
_free.LIBCMT ref: 00CB967F
_free.LIBCMT ref: 00CB9686
_free.LIBCMT ref: 00CB96A3
_free.LIBCMT ref: 00CB96BB

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 070091288b5dee80622e8f660e80d5d7157695acd3ac0141f95a0f57e8316123
Instruction ID: f70030eafef37bd3213eca2e6bcdae09ab28d96a00e91bbab085f0c6ce2158b9
Opcode Fuzzy Hash: 070091288b5dee80622e8f660e80d5d7157695acd3ac0141f95a0f57e8316123
Instruction Fuzzy Hash: 27313971A05600DFEB71AB79D845BD6B3E8EF00320F10841AF569D7251DA31AE82DB60

Function 00CAB8BB Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00CAB8DC
GetClassNameW.USER32(00000000,?,00000800), ref: 00CAB90B

Part of subcall function 00CA0B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00C9AC99,?,?,?,00C9AC48,?,-00000002,?,00000000,?), ref: 00CA0B16

GetWindowLongW.USER32(00000000,000000F0), ref: 00CAB929
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00CAB940
GetObjectW.GDI32(00000000,00000018,?), ref: 00CAB953

Part of subcall function 00CA8B21: GetDC.USER32(00000000), ref: 00CA8B2D
Part of subcall function 00CA8B21: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CA8B3C
Part of subcall function 00CA8B21: ReleaseDC.USER32(00000000,00000000), ref: 00CA8B4A

Part of subcall function 00CA8ADE: GetDC.USER32(00000000), ref: 00CA8AEA
Part of subcall function 00CA8ADE: GetDeviceCaps.GDI32(00000000,00000058), ref: 00CA8AF9
Part of subcall function 00CA8ADE: ReleaseDC.USER32(00000000,00000000), ref: 00CA8B07

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00CAB97A
DeleteObject.GDI32(00000000), ref: 00CAB981
GetWindow.USER32(00000000,00000002), ref: 00CAB98A

Strings

STATIC, xrefs: 00CAB911

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 1444658586-1882779555
Opcode ID: bb4f39a8ddb529b3ef5cba49306e6ea26dea2942c455fcecb84c99281ba7a6a2
Instruction ID: 1e00fb5392972b94932047850af1a9e40c91d05f2a5f026eee8e448f949b5a5d
Opcode Fuzzy Hash: bb4f39a8ddb529b3ef5cba49306e6ea26dea2942c455fcecb84c99281ba7a6a2
Instruction Fuzzy Hash: F721D57250022A7FEB216B74DC4EFEF766CEF06718F004111FA11E6092DB745E42AAB6

Function 00CB621A Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CB622E

Part of subcall function 00CB59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,00CB92F2,?,00000000,?,00000000,?,00CB9319,?,00000007,?,?,00CB9716,?), ref: 00CB59C8
Part of subcall function 00CB59B2: GetLastError.KERNEL32(?,?,00CB92F2,?,00000000,?,00000000,?,00CB9319,?,00000007,?,?,00CB9716,?,?), ref: 00CB59DA

_free.LIBCMT ref: 00CB623A
_free.LIBCMT ref: 00CB6245
_free.LIBCMT ref: 00CB6250
_free.LIBCMT ref: 00CB625B
_free.LIBCMT ref: 00CB6266
_free.LIBCMT ref: 00CB6271
_free.LIBCMT ref: 00CB627C
_free.LIBCMT ref: 00CB6287
_free.LIBCMT ref: 00CB6295

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6cf9a246873f6e73156877d561b37f1083bc5bcda362b08ff6955727642d721c
Instruction ID: 13315006c7d37f6f90d248e329f09dae74ffc58d892de7f113ba67a2ab15e5bd
Opcode Fuzzy Hash: 6cf9a246873f6e73156877d561b37f1083bc5bcda362b08ff6955727642d721c
Instruction Fuzzy Hash: 5E117775921508FFDF01EF94C942DD93BB5FF04360F5140A5F9894B222DA31DA92AB80

Function 00C920D3 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

;%u, xrefs: 00C92408
xc%u, xrefs: 00C92648
x%u, xrefs: 00C925EB

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: aa72a91630868498ce3c1e6bbafed81a777c91bb85156a390d404dea09acc481
Instruction ID: f239b2353e886a4ae10e46abda7a75385582db0b7469cdff0a37654f65544c81
Opcode Fuzzy Hash: aa72a91630868498ce3c1e6bbafed81a777c91bb85156a390d404dea09acc481
Instruction Fuzzy Hash: 69F14371604380AADF14EB64C8DDBFE7799AF91300F08446DF8D59B683DA24DA89C762

Function 00CA995E Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C912E7: GetDlgItem.USER32(00000000,00003021), ref: 00C9132B
Part of subcall function 00C912E7: SetWindowTextW.USER32(00000000,00CC02E4), ref: 00C91341

EndDialog.USER32(?,00000001), ref: 00CA99AE
SendMessageW.USER32(?,00000080,00000001,?), ref: 00CA99DB
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00CA99F0
SetWindowTextW.USER32(?,?), ref: 00CA9A01
GetDlgItem.USER32(?,00000065), ref: 00CA9A0A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00CA9A1E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00CA9A30

Strings

LICENSEDLG, xrefs: 00CA9972

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 09c8427e84346ee2e46f392c425489737cc8acff130d49ba358dd614a5fd0ec0
Instruction ID: a5a60ffd9757c4b86d4ee40226775a0e23c847408ab66f7ca32a7e6dcdc5a799
Opcode Fuzzy Hash: 09c8427e84346ee2e46f392c425489737cc8acff130d49ba358dd614a5fd0ec0
Instruction Fuzzy Hash: 1021F9322002097FE6116B72ED8AF7F7BACEB4BB8DF004019F604A5491CB769D01E632

Function 00C9927D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C99282
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00C992A5
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00C992C4

Part of subcall function 00CA0B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00C9AC99,?,?,?,00C9AC48,?,-00000002,?,00000000,?), ref: 00CA0B16

_swprintf.LIBCMT ref: 00C99360

Part of subcall function 00C93F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C93F3E

MoveFileW.KERNEL32(?,?), ref: 00C993D5
MoveFileW.KERNEL32(?,?), ref: 00C99411

Strings

rtmp%d, xrefs: 00C99349

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: e66319dcad405d2b5a893d399418d15143c7e3cd30004fcfed0c0f6298a82067
Instruction ID: 0da0adde03e191230ac1ece5b854442b696dc2b0489109303fc6f074ddc1e8d6
Opcode Fuzzy Hash: e66319dcad405d2b5a893d399418d15143c7e3cd30004fcfed0c0f6298a82067
Instruction Fuzzy Hash: B041AE72911159AACF21EBA4CE49FDE777CEF44381F4044A9F905E3042EA309B46DF64

Function 00CA7D95 Relevance: 12.1, APIs: 8, Instructions: 135windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00CA7DAE
GetTickCount.KERNEL32 ref: 00CA7DCC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CA7DE2
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CA7DF6
TranslateMessage.USER32(?), ref: 00CA7E01
DispatchMessageW.USER32(?), ref: 00CA7E0C
ShowWindow.USER32(?,00000005,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 00CA7EBC
SetWindowTextW.USER32(?,00000000), ref: 00CA7EC6

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Message$CountTickWindow$DispatchPeekShowTextTranslate
String ID:
API String ID: 4150546248-0
Opcode ID: 8028eb135fb8ae33a062e71b9d3c7c83580225ad061a06b3d88d4deae2748189
Instruction ID: d673b22be43e45d3b84b56747b349121ba0b3dbc1309eedddc07cbbe2a3544cc
Opcode Fuzzy Hash: 8028eb135fb8ae33a062e71b9d3c7c83580225ad061a06b3d88d4deae2748189
Instruction Fuzzy Hash: A1413871208306AFD710DF65DD88E2BBBE9FF89708B00096DF555C6251DB21ED45CB62

Function 00C9FE0E Relevance: 12.1, APIs: 8, Instructions: 117timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00C9FE21

Part of subcall function 00C9A930: GetVersionExW.KERNEL32(?), ref: 00C9A955

FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00C9FE4A
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00C9FE5C
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00C9FE69
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C9FE7F
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C9FE8B
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C9FEC1
__aullrem.LIBCMT ref: 00C9FF4B

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: e0b180b1f3a58531603036ffd82af4fd7eadb739eaa8d956fc0173c35cceadde
Instruction ID: 9ab84c143cf71f5e0109ee3d4f5637a8cd4edfc718b5884156806593dab7fa03
Opcode Fuzzy Hash: e0b180b1f3a58531603036ffd82af4fd7eadb739eaa8d956fc0173c35cceadde
Instruction Fuzzy Hash: E94147B24083059FC710DFA5C884AAFFBF8FB88704F004A2EF59692650E775E649DB52

Function 00CBC56D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00CBCCE2,00000000,00000000,00000000,00000000,00000000,00CB2C3E), ref: 00CBC5AF
__fassign.LIBCMT ref: 00CBC62A
__fassign.LIBCMT ref: 00CBC645
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00CBC66B
WriteFile.KERNEL32(?,00000000,00000000,00CBCCE2,00000000,?,?,?,?,?,?,?,?,?,00CBCCE2,00000000), ref: 00CBC68A
WriteFile.KERNEL32(?,00000000,00000001,00CBCCE2,00000000,?,?,?,?,?,?,?,?,?,00CBCCE2,00000000), ref: 00CBC6C3

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 45fbb591180f2a2ebbd98883932161b48d6b3281c0195a3638f24215965e4594
Instruction ID: dfb0396bf75806a861d34f959e5b24ea945cbbdaf9e1af859b21b380d1753c8b
Opcode Fuzzy Hash: 45fbb591180f2a2ebbd98883932161b48d6b3281c0195a3638f24215965e4594
Instruction Fuzzy Hash: 15517EB1A002499FCB10CFA8D885FEEBBF8EF19300F15415AE955F7251E730AA41CB65

Function 00CAB0D8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00CAB0EE
_swprintf.LIBCMT ref: 00CAB122

Part of subcall function 00C93F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C93F3E

SetDlgItemTextW.USER32(?,00000066,00CD3122), ref: 00CAB142
_wcschr.LIBVCRUNTIME ref: 00CAB175
EndDialog.USER32(?,00000001), ref: 00CAB256

Strings

%s%s%u, xrefs: 00CAB117

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 549b1ba5cad9b08cd9fd3eb004b01022163b01c25853ee5feb8fed60e61e1c09
Instruction ID: e48f51807be907deb738f1a99905f65bade5f497d0eddb8f00921694ee92f4e2
Opcode Fuzzy Hash: 549b1ba5cad9b08cd9fd3eb004b01022163b01c25853ee5feb8fed60e61e1c09
Instruction Fuzzy Hash: 1A418E7190025AAEEF25DB60DD85FEE77BCEB05308F0040A6F519E6052EB709F849FA5

Function 00C9C96F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00C9C9F5
_strlen.LIBCMT ref: 00C9CA25
_swprintf.LIBCMT ref: 00C9CA46
_wcschr.LIBVCRUNTIME ref: 00C9CA6F
_wcsrchr.LIBVCRUNTIME ref: 00C9CABB

Strings

%08x, xrefs: 00C9CA3A

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: _strlen$_swprintf_wcschr_wcsrchr
String ID: %08x
API String ID: 1593746830-3682738293
Opcode ID: 2d451bb66520e86e7db14a6d6a8fc36a442bc11e91f21ac5effe2b7e611b6116
Instruction ID: 00903df038d26f41c42a78fceaad4994a2154335655f419ea3c2500417743775
Opcode Fuzzy Hash: 2d451bb66520e86e7db14a6d6a8fc36a442bc11e91f21ac5effe2b7e611b6116
Instruction Fuzzy Hash: F4410573904344AEEB31EA64CC8DFFB73ECEB84310F15052AF95597182DA359E05E2A1

Function 00CA7EE4 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,00CA8704,?), ref: 00CA7FB9
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 00CA7FDA

Strings

<html>, xrefs: 00CA7F28, 00CA7F61
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00CA7F33
utf-8"></head>, xrefs: 00CA7F3E
</html>, xrefs: 00CA7F8B

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: ded1af9821fbcce1f57681a6eeba26d587561c9025f410c59f76dab95fcfb5c1
Instruction ID: a9f4b8b0f30d6204796cd97fdb216ff72b4566387408f29bb82683f28fea0ba0
Opcode Fuzzy Hash: ded1af9821fbcce1f57681a6eeba26d587561c9025f410c59f76dab95fcfb5c1
Instruction Fuzzy Hash: EE3103321083167ED728ABA5DC06FAFB798EF53724F14421EF510961C2EB749A0987A6

Function 00CA859B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00CA85B4
GetWindowRect.USER32(?,?), ref: 00CA85D9
ShowWindow.USER32(?,00000005,?), ref: 00CA8670
SetWindowTextW.USER32(?,00000000), ref: 00CA8678
ShowWindow.USER32(00000000,00000005), ref: 00CA868E

Strings

RarHtmlClassName, xrefs: 00CA863A

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 7fa885fa196d195cb57a91f1f2f01fe9241bab5eb5c4e9c5535a584fb3f81d56
Instruction ID: 38450822f9a50e9acd76817d60e9474d947b60dba0452026a072f721c6895fdb
Opcode Fuzzy Hash: 7fa885fa196d195cb57a91f1f2f01fe9241bab5eb5c4e9c5535a584fb3f81d56
Instruction Fuzzy Hash: A531AE32101204AFDB119FA4DD4CF5FBFA8EB49709F044459FD09AA192DB30E914CFA2

Function 00CB9300 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CB92C4: _free.LIBCMT ref: 00CB92ED

_free.LIBCMT ref: 00CB934E

Part of subcall function 00CB59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,00CB92F2,?,00000000,?,00000000,?,00CB9319,?,00000007,?,?,00CB9716,?), ref: 00CB59C8
Part of subcall function 00CB59B2: GetLastError.KERNEL32(?,?,00CB92F2,?,00000000,?,00000000,?,00CB9319,?,00000007,?,?,00CB9716,?,?), ref: 00CB59DA

_free.LIBCMT ref: 00CB9359
_free.LIBCMT ref: 00CB9364
_free.LIBCMT ref: 00CB93B8
_free.LIBCMT ref: 00CB93C3
_free.LIBCMT ref: 00CB93CE
_free.LIBCMT ref: 00CB93D9

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f1ac33a155eeba0822e17f5f402666ce6a004e9925b6c7aeea596f78182db2dd
Instruction ID: 45de236429b69a228206c939fb677a5b4b692e18b0fbc324b9d11da41c3f4c2f
Opcode Fuzzy Hash: f1ac33a155eeba0822e17f5f402666ce6a004e9925b6c7aeea596f78182db2dd
Instruction Fuzzy Hash: 13114C71D42B04FAEE30BBB0CC47FCB77ACEF00710F404915B7A9A6092DA75B94AA651

Function 00CB0BB4 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CB0BAB,00CAE602), ref: 00CB0BC2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CB0BD0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CB0BE9
SetLastError.KERNEL32(00000000,?,00CB0BAB,00CAE602), ref: 00CB0C3B

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 01907e36626a0a96a4f3e33e6792cd794efe78f4c2ec8625f48c4cd34842151f
Instruction ID: 229c43e539c07555c554783d9956e025c1285fcc47c90bf82b6aa9c9098ae10f
Opcode Fuzzy Hash: 01907e36626a0a96a4f3e33e6792cd794efe78f4c2ec8625f48c4cd34842151f
Instruction Fuzzy Hash: 3A01D4321596169EEB252775FC8DBEF2B54EB113B8F38032AF920411E1EF214D02A141

Function 00CAC7FC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 00CAC82B
ReleaseSRWLockExclusive, xrefs: 00CAC83B
KERNEL32.DLL, xrefs: 00CAC816

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 6fbcaa89fa0aeca86eae85742497b674343553b24aba0579497ea1ecdd010fdf
Instruction ID: 1c0cd2772a9af89aff509c8966f893f06315e83d632003d0cd7efe46f1720c9a
Opcode Fuzzy Hash: 6fbcaa89fa0aeca86eae85742497b674343553b24aba0579497ea1ecdd010fdf
Instruction Fuzzy Hash: DD01F471A42323DB4F204F76ACC4FAA27887B03759326013AE931D71D1EB29C980A7A0

Function 00CA003E Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA009C

Part of subcall function 00C9A930: GetVersionExW.KERNEL32(?), ref: 00C9A955

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CA00BE
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CA00D8
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00CA00E9
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA00F9
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CA0105

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 11089dd099a5ff13b0f41cd20ddf482a660421b7354b1664d7195bb2c39e7ce2
Instruction ID: ccbd6c415de265e998aadec795e2fe81aa8a05f4143f635461a0dd92abf18565
Opcode Fuzzy Hash: 11089dd099a5ff13b0f41cd20ddf482a660421b7354b1664d7195bb2c39e7ce2
Instruction Fuzzy Hash: 7731C47A1083469BC700DFA5C98099FB7F8BF98704F04491EFA99C3210E630D549CB6A

Function 00CA820D Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00CA8231
_memcmp.LIBVCRUNTIME ref: 00CA8248

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 15d2b62b8e6e0d0f8aac48adb0d7a358055d9ac0b024e779914418c2f884a7ba
Instruction ID: a309c8a959abce1b2da59ab8aa60371845f54445d41f2e3b092ff52c929d082a
Opcode Fuzzy Hash: 15d2b62b8e6e0d0f8aac48adb0d7a358055d9ac0b024e779914418c2f884a7ba
Instruction Fuzzy Hash: 7321C5B1A0050BAFD7049A16DC82F7BB7ACAF5274CB148238FC049A142F734DE49A7D0

Function 00CB630E Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00CCCBE8,00CB2664,00CCCBE8,?,?,00CB2203,?,?,00CCCBE8), ref: 00CB6312
_free.LIBCMT ref: 00CB6345
_free.LIBCMT ref: 00CB636D
SetLastError.KERNEL32(00000000,?,00CCCBE8), ref: 00CB637A
SetLastError.KERNEL32(00000000,?,00CCCBE8), ref: 00CB6386
_abort.LIBCMT ref: 00CB638C

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ea006c2c2116a05e962ee04f0fa0abc0951460e51c1b598f1253a2657840d87c
Instruction ID: 595fa8cbec2875727ab2a6a4224bdd23868822edf17550348f00abde415f7d5a
Opcode Fuzzy Hash: ea006c2c2116a05e962ee04f0fa0abc0951460e51c1b598f1253a2657840d87c
Instruction Fuzzy Hash: BDF0C835505910AAD7113775EC0EFEF22A99BD1775F350214F924A22A1FF29CD036251

Function 00CB4B7A Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\vkXe5gkY34.exe,00000104), ref: 00CB4BBA
_free.LIBCMT ref: 00CB4C85
_free.LIBCMT ref: 00CB4C8F

Strings

C:\Users\user\Desktop\vkXe5gkY34.exe, xrefs: 00CB4BB1, 00CB4BB8, 00CB4BE7, 00CB4C1F
%n, xrefs: 00CB4BC0

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\vkXe5gkY34.exe$%n
API String ID: 2506810119-3034941397
Opcode ID: 08b97686da4023bb39c78085996dd439275290597dd6760877769b6783dbab48
Instruction ID: 9e79c5a06ccc59482bd2378b4202de0909017efd2ca785a7208bbed5b28e16ec
Opcode Fuzzy Hash: 08b97686da4023bb39c78085996dd439275290597dd6760877769b6783dbab48
Instruction Fuzzy Hash: 3F316F71A05658EFDB25DF999981EEEBBFCEB88710F104066F9149B212DB708E40DB90

Function 00CAB81F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00C912E7: GetDlgItem.USER32(00000000,00003021), ref: 00C9132B
Part of subcall function 00C912E7: SetWindowTextW.USER32(00000000,00CC02E4), ref: 00C91341

EndDialog.USER32(?,00000001), ref: 00CAB86A
GetDlgItemTextW.USER32(?,00000066,00000800), ref: 00CAB880
SetDlgItemTextW.USER32(?,00000065,?), ref: 00CAB89A
SetDlgItemTextW.USER32(?,00000066), ref: 00CAB8A5

Strings

RENAMEDLG, xrefs: 00CAB837

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: d87b5d5974482569ee4b18df14da9ba04fdd13a85dbbfafd21b9b5971f2716eb
Instruction ID: 6324303827cd3628859edb7626d68b668ea8de65258b297e180cf5a46f5b6944
Opcode Fuzzy Hash: d87b5d5974482569ee4b18df14da9ba04fdd13a85dbbfafd21b9b5971f2716eb
Instruction Fuzzy Hash: 9A01B9329442177AD1114F6A9E89F7B776CA747B48F000419F245B64D2C75A9D04AA72

Function 00CB4A7F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CB4A30,?,?,00CB49D0,?,00CC7F60,0000000C,00CB4B27,?,00000002), ref: 00CB4A9F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CB4AB2
FreeLibrary.KERNEL32(00000000,?,?,?,00CB4A30,?,?,00CB49D0,?,00CC7F60,0000000C,00CB4B27,?,00000002,00000000), ref: 00CB4AD5

Strings

CorExitProcess, xrefs: 00CB4AAA
mscoree.dll, xrefs: 00CB4A98

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 15a525eddfa3fae7bd8dbbc764b57225d6a67bd41b5c0db5be8cf44a6bae2592
Instruction ID: af09dde023a332544d729552958b8a7ae84d40f38c4291e40c6393ea59df38ff
Opcode Fuzzy Hash: 15a525eddfa3fae7bd8dbbc764b57225d6a67bd41b5c0db5be8cf44a6bae2592
Instruction Fuzzy Hash: 18F04930A44219FBCB199F90DC09FEEBFB8EF44B15F184169F805A21A1DB758A80DA94

Function 00C9DF05 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00C9F376
Part of subcall function 00C9F35B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00C9DF18,Crypt32.dll,?,00C9DF9C,?,00C9DF7E,?,?,?,?), ref: 00C9F398

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00C9DF24
GetProcAddress.KERNEL32(00CD1E58,CryptUnprotectMemory), ref: 00C9DF34

Strings

CryptUnprotectMemory, xrefs: 00C9DF2A
Crypt32.dll, xrefs: 00C9DF0E
CryptProtectMemory, xrefs: 00C9DF1E

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 687ed74b716fbdc9dcdb9280d7c5fb374b0790b38bf2d0924d6a638bb8287a4a
Instruction ID: 4615e2d999b64e82b2b8d8b95f2da626b383354d214831c84090a5008399bb9f
Opcode Fuzzy Hash: 687ed74b716fbdc9dcdb9280d7c5fb374b0790b38bf2d0924d6a638bb8287a4a
Instruction Fuzzy Hash: CAE046B0508B42EEDF415F74D80DF08FBA47B90710F258269F46AD2650DBB4D0A59B50

Function 00CB52C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CB5333
_free.LIBCMT ref: 00CB5353

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a353dae794e864a503866beaffbff03600980c01495e6240937bc419b8e2a188
Instruction ID: 87ca3ccb4dae811515324080e062b392785d2ecefa76ab35b06bc781279e964f
Opcode Fuzzy Hash: a353dae794e864a503866beaffbff03600980c01495e6240937bc419b8e2a188
Instruction Fuzzy Hash: 1141C132E006049FCB24DFB9C885B9DB7F5EF88324F154569E515EB391DA71AE01DB80

Function 00CB89A0 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00CB89A9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CB89CC

Part of subcall function 00CB59EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CB239A,?,0000015D,?,?,?,?,00CB2F19,000000FF,00000000,?,?), ref: 00CB5A1E

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CB89F2
_free.LIBCMT ref: 00CB8A05
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CB8A14

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 052eca019d468e04604a5278a73ff456010bd553cc8435b8b46cdf7f01bda9f2
Instruction ID: c8ac0d285f1cff112f384fdec365b2868657530715a660474a01194411d1c9c6
Opcode Fuzzy Hash: 052eca019d468e04604a5278a73ff456010bd553cc8435b8b46cdf7f01bda9f2
Instruction Fuzzy Hash: 6F01F7B2A02655BF272156B7AC4DEFF696DDEC6FB0724012AF804D3100EE608D05E1B0

Function 00CB6392 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00CB5E33,00CB5ACF,?,00CB633C,00000001,00000364,?,00CB2203,?,?,00CCCBE8), ref: 00CB6397
_free.LIBCMT ref: 00CB63CC
_free.LIBCMT ref: 00CB63F3
SetLastError.KERNEL32(00000000,?,00CCCBE8), ref: 00CB6400
SetLastError.KERNEL32(00000000,?,00CCCBE8), ref: 00CB6409

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 735ae2e69d92f6544808ddd488aa2a7f2ec0094834169ab89ad69800ae9220f5
Instruction ID: 759807d9de70bd883ae6f438f0361a7b32e547968c0793b9f579b5d530f7715c
Opcode Fuzzy Hash: 735ae2e69d92f6544808ddd488aa2a7f2ec0094834169ab89ad69800ae9220f5
Instruction Fuzzy Hash: C9017D72541A106BC7017375EC85FEF226DCBD0375F310124F824921A2EF79CC036120

Function 00CB925B Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CB9273

Part of subcall function 00CB59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,00CB92F2,?,00000000,?,00000000,?,00CB9319,?,00000007,?,?,00CB9716,?), ref: 00CB59C8
Part of subcall function 00CB59B2: GetLastError.KERNEL32(?,?,00CB92F2,?,00000000,?,00000000,?,00CB9319,?,00000007,?,?,00CB9716,?,?), ref: 00CB59DA

_free.LIBCMT ref: 00CB9285
_free.LIBCMT ref: 00CB9297
_free.LIBCMT ref: 00CB92A9
_free.LIBCMT ref: 00CB92BB

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4ee3a526465b19d1d2014a11adc446a07b06620ae1f3d9cf6b9c503daa7aa443
Instruction ID: dbb9142ca8540697c6882501854e074f5f945aa293bc29076355409daca705b2
Opcode Fuzzy Hash: 4ee3a526465b19d1d2014a11adc446a07b06620ae1f3d9cf6b9c503daa7aa443
Instruction Fuzzy Hash: ADF01232D16604FBDA20EBA8F886E9A77F9EA00720B644805F518D7641C734FD829665

Function 00CB5513 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CB5531

Part of subcall function 00CB59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,00CB92F2,?,00000000,?,00000000,?,00CB9319,?,00000007,?,?,00CB9716,?), ref: 00CB59C8
Part of subcall function 00CB59B2: GetLastError.KERNEL32(?,?,00CB92F2,?,00000000,?,00000000,?,00CB9319,?,00000007,?,?,00CB9716,?,?), ref: 00CB59DA

_free.LIBCMT ref: 00CB5543
_free.LIBCMT ref: 00CB5556
_free.LIBCMT ref: 00CB5567
_free.LIBCMT ref: 00CB5578

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 117c5b59d83ff43a50cd0991dfe0aecf5450aa91e81c5cfecc28ec6d3eb4d45a
Instruction ID: f2902dedb8c59e78059044b99c8fe8296acb95fec63421c1a15a04e56470443f
Opcode Fuzzy Hash: 117c5b59d83ff43a50cd0991dfe0aecf5450aa91e81c5cfecc28ec6d3eb4d45a
Instruction Fuzzy Hash: C9F030B1C226548F9F116F98FC82B5E3B70F704721741010AF4145A2B1DB385D83AB82

Function 00C97463 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C97468

Part of subcall function 00C93A90: __EH_prolog.LIBCMT ref: 00C93A95

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000), ref: 00C9752E

Part of subcall function 00C97A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00C97AAC
Part of subcall function 00C97A9D: GetLastError.KERNEL32 ref: 00C97AF2
Part of subcall function 00C97A9D: CloseHandle.KERNEL32(?), ref: 00C97B01

Strings

SeRestorePrivilege, xrefs: 00C974C1
SeSecurityPrivilege, xrefs: 00C974AC

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: bf16fa2bba2174f662e8cc560b7e2786c3281bb9c964df8b04a9f16b487a4aed
Instruction ID: a885e5d370b535dbb356b078b03e43eca3272998766900048ee5a432ee83654b
Opcode Fuzzy Hash: bf16fa2bba2174f662e8cc560b7e2786c3281bb9c964df8b04a9f16b487a4aed
Instruction Fuzzy Hash: A531EE71A05208AFDF60EFA4DC4AFEE7B68AF04314F004169F859A7282DB709F44DB61

Function 00CAA8D3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,?,?,?,00001000), ref: 00CAA92B
CharUpperW.USER32(?,?,?,?,?,00001000), ref: 00CAA952

Strings

-, xrefs: 00CAA919

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CharUpper
String ID: -
API String ID: 9403516-2547889144
Opcode ID: 95d7ddb86cbed95d289924c48d79db32dd6f087c29c9ce1bf55a33ea5218b099
Instruction ID: 64e1684aacd2339e60038739f4c46b8df8a01a69dcf51460bf10fdf733efd812
Opcode Fuzzy Hash: 95d7ddb86cbed95d289924c48d79db32dd6f087c29c9ce1bf55a33ea5218b099
Instruction Fuzzy Hash: 52210572004307A5C724EA79980DB7FA7A89B9B35DF02041BF5A5C2541E775CA88E363

Function 00CA9122 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00C912E7: GetDlgItem.USER32(00000000,00003021), ref: 00C9132B
Part of subcall function 00C912E7: SetWindowTextW.USER32(00000000,00CC02E4), ref: 00C91341

EndDialog.USER32(?,00000001), ref: 00CA91AA
GetDlgItemTextW.USER32(?,00000065,00000000,?), ref: 00CA91BF
SetDlgItemTextW.USER32(?,00000065,?), ref: 00CA91D4

Strings

ASKNEXTVOL, xrefs: 00CA913A

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 6c9dd90e560eae22ba0f9298c22b9936b44b61b44cbc824a014915daf31bd0cd
Instruction ID: 98797efee3118c341fc5de1b86f8bcce3634ace8f4adc417cbbefbd15338d161
Opcode Fuzzy Hash: 6c9dd90e560eae22ba0f9298c22b9936b44b61b44cbc824a014915daf31bd0cd
Instruction Fuzzy Hash: 6B11B632241257BFDA159BA5ED4FF5E3BA9EB4B708F004010F701AB5B1C376AD01AB66

Function 00CA9645 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00C912E7: GetDlgItem.USER32(00000000,00003021), ref: 00C9132B
Part of subcall function 00C912E7: SetWindowTextW.USER32(00000000,00CC02E4), ref: 00C91341

EndDialog.USER32(?,00000001), ref: 00CA9693
GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 00CA96AB
SetDlgItemTextW.USER32(?,00000066,?), ref: 00CA96D9

Strings

GETPASSWORD1, xrefs: 00CA965E

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 8b79f12ec89ed12db629b0a7bc8f2d6f8ba5c44d3a43a7fbe17ba3ddc97fa27d
Instruction ID: 476f3281d5f66533cf058f4e06e2d3cf6d3efb18e6948ebd89bd467b5f923611
Opcode Fuzzy Hash: 8b79f12ec89ed12db629b0a7bc8f2d6f8ba5c44d3a43a7fbe17ba3ddc97fa27d
Instruction Fuzzy Hash: 8E11043290012A77DB219EB59D4FFFB377CEF1A708F000021FA04E3090C2B5AE10AAA5

Function 00C9B150 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00C9B177

Part of subcall function 00C93F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C93F3E

_wcschr.LIBVCRUNTIME ref: 00C9B195
_wcschr.LIBVCRUNTIME ref: 00C9B1A5

Strings

%c:\, xrefs: 00C9B16D

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: f41bb54e658e7a97658adeccc0d85fb5e72a869fb82ede6bf7f40e47762903eb
Instruction ID: 4c2a20659278f5ecf9a35e65b6c844d88e4f44637f08db38559125fcf18daba1
Opcode Fuzzy Hash: f41bb54e658e7a97658adeccc0d85fb5e72a869fb82ede6bf7f40e47762903eb
Instruction Fuzzy Hash: 9A01F563500321BADE306B65AE4ADAFA7ACEF96360B10441BFD54D2082FB20DD50D3B1

Function 00C9F982 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(000001A0,00000000,00CD1E74,?,?,00C9FB9D,00000020,?,00C9A812,?,00C9C79B,?,00000000,?,00000001,?), ref: 00C9F9BB
CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00C9A812,?,00C9C79B,?,00000000,?,00000001,?,?,?,00CA3AFE), ref: 00C9F9C5
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00C9A812,?,00C9C79B,?,00000000,?,00000001,?,?,?,00CA3AFE), ref: 00C9F9D5

Strings

Thread pool initialization failed., xrefs: 00C9F9ED

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 8f43362896e588eecf570a03a19d0adece8e0b791bc89dbfdad22cde0536e2fe
Instruction ID: cbfcaa821fb4bbf675dd28e84c3b9769eef049f0355c44200b703be63bf234e7
Opcode Fuzzy Hash: 8f43362896e588eecf570a03a19d0adece8e0b791bc89dbfdad22cde0536e2fe
Instruction Fuzzy Hash: 46112EB1641704AFD7205F65D889BABFBECFB95355F21482EE2EAC2240DA716881DB10

Function 00CABEE6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00CABF2B, 00CABF5D
RENAMEDLG, xrefs: 00CABF41

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 87f4ddfa5d56b9d0438f082d389165f130d023e56d9b504546ad8f22427cc18c
Instruction ID: 70aca34fad235eadb5f32372cf2b82f334315909149edf19ceb9ec1fc6522ebd
Opcode Fuzzy Hash: 87f4ddfa5d56b9d0438f082d389165f130d023e56d9b504546ad8f22427cc18c
Instruction Fuzzy Hash: 4101B17560A246BFC7118B99FD44F2ABBD8EB5A388F08452AF95492132D3329C41EF61

Function 00C9CE98 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00C9CEA7
FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00C9CEB6

Strings

LTR, xrefs: 00C9CEC6, 00C9CED1, 00C9CEDA
RTL, xrefs: 00C9CEAF, 00C9CEB4, 00C9CEE8

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: LTR$RTL
API String ID: 3537982541-719208805
Opcode ID: a4888f18a966d4ad5245ca2960be00723daa3ab2cbc4dc85ac83a6d892ef7d1c
Instruction ID: 1c11a346acd469e67f4f2277f0b0bdd93e7106620770d46f32c3d7a697f4c51f
Opcode Fuzzy Hash: a4888f18a966d4ad5245ca2960be00723daa3ab2cbc4dc85ac83a6d892ef7d1c
Instruction Fuzzy Hash: 14F05071644354A7EB346B75AC0EFA73BACE781B00F10065DF646971C0DFA0950887F4

Function 00CB6541 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00CB65CC
__alldvrm.LIBCMT ref: 00CB67CD
__alldvrm.LIBCMT ref: 00CB67EF

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: be6c9d0d7c1be526505d416ba69bbcf9729ec644743c8de63497f1cd699fda8f
Instruction ID: 575144aa275cb9118eb5dc7a3ba8ae91b5c20a2d5104e7eca6ddbf93fa2431f5
Opcode Fuzzy Hash: be6c9d0d7c1be526505d416ba69bbcf9729ec644743c8de63497f1cd699fda8f
Instruction Fuzzy Hash: F9A17A729007869FDB21CF28C891BEEBFE5EF55314F1841ADE595AB281CA3D8E41CB50

Function 00C99F7A Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00C97F55,?,?,?), ref: 00C9A020
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00C97F55,?,?), ref: 00C9A064
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00C97F55,?,?,?,?,?,?,?,?), ref: 00C9A0E5
CloseHandle.KERNEL32(?,?,00000000,?,00C97F55,?,?,?,?,?,?,?,?,?,?,?), ref: 00C9A0EC

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 824a0a62d8dab8148a5f224a3d498bf6d085a022ab721aa5f62fcbdcc20d3604
Instruction ID: 8ebe1e0424cd64777cb7239696ba07fb70922bbaefe77f5c4f790a876de8993d
Opcode Fuzzy Hash: 824a0a62d8dab8148a5f224a3d498bf6d085a022ab721aa5f62fcbdcc20d3604
Instruction Fuzzy Hash: 9141CF312483819AEB31DF68DC49FAEBBE8AB85700F04091DF5E5D3181D6749A48DB93

Function 00CB93E4 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,F5E85006,00CB2784,00000000,00000000,00CB2FB2,?,00CB2FB2,?,00000001,00CB2784,F5E85006,00000001,00CB2FB2,00CB2FB2), ref: 00CB9431
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CB94BA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CB94CC
__freea.LIBCMT ref: 00CB94D5

Part of subcall function 00CB59EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CB239A,?,0000015D,?,?,?,?,00CB2F19,000000FF,00000000,?,?), ref: 00CB5A1E

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3318141fffd420cc9252d33e403c58f49496454400f4ed0c3adc3b0f917b9526
Instruction ID: f7ba5058812516e74d073a1da80e5cdaf866dbeae13b485ce2cefad4cf23b610
Opcode Fuzzy Hash: 3318141fffd420cc9252d33e403c58f49496454400f4ed0c3adc3b0f917b9526
Instruction Fuzzy Hash: 8D31BC72A0021AABDF258F64CC85EEE7BA5EF40310F154168FD25D7291E735CD51DB90

Function 00CA9A75 Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00CA9A85
GetObjectW.GDI32(00000000,00000018,?), ref: 00CA9AA6
DeleteObject.GDI32(00000000), ref: 00CA9ACE
DeleteObject.GDI32(00000000), ref: 00CA9AED

Part of subcall function 00CA8BCF: FindResourceW.KERNEL32(00000066,PNG,?,?,00CA9AC7,00000066), ref: 00CA8BE0
Part of subcall function 00CA8BCF: SizeofResource.KERNEL32(00000000,75FD5780,?,?,00CA9AC7,00000066), ref: 00CA8BF8
Part of subcall function 00CA8BCF: LoadResource.KERNEL32(00000000,?,?,00CA9AC7,00000066), ref: 00CA8C0B
Part of subcall function 00CA8BCF: LockResource.KERNEL32(00000000,?,?,00CA9AC7,00000066), ref: 00CA8C16

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID:
API String ID: 142272564-0
Opcode ID: 4138fdde94d03d03c69d7dda6f9cb218154da7cb87ed4522f65f144d20be32b2
Instruction ID: 95fed0c8722e51fbee22b2843ddcb6923f28a15b1e7c48eb061918a04b75b5ed
Opcode Fuzzy Hash: 4138fdde94d03d03c69d7dda6f9cb218154da7cb87ed4522f65f144d20be32b2
Instruction Fuzzy Hash: 7B01F23254021627C61177749D4BFBE766EEF8AB69F080012FD04E76A1EE618C19B6B1

Function 00CB0FD6 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00CB0FED

Part of subcall function 00CB1625: ___AdjustPointer.LIBCMT ref: 00CB166F

_UnwindNestedFrames.LIBCMT ref: 00CB1004
___FrameUnwindToState.LIBVCRUNTIME ref: 00CB1016
CallCatchBlock.LIBVCRUNTIME ref: 00CB103A

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: b9fa4c2ca776b65944230fb083eb0fa8b0de912ee33a1d220a96a688825d65b2
Instruction ID: 88cfe6b3b227bdbb6148850cee86158f09ec252dec10744cf9d01e4b4b1864d3
Opcode Fuzzy Hash: b9fa4c2ca776b65944230fb083eb0fa8b0de912ee33a1d220a96a688825d65b2
Instruction Fuzzy Hash: E2012532000149BBCF226F95DC05EDA3BBAFF59758F194414FE1862121C776E9A1EBA0

Function 00C9FB54 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C9FB59
EnterCriticalSection.KERNEL32(00CD1E74,?,?,00C9A812,?,00C9C79B,?,00000000,?,00000001,?,?,?,00CA3AFE,?,00008000), ref: 00C9FB66
new.LIBCMT ref: 00C9FB82

Part of subcall function 00C9F982: InitializeCriticalSection.KERNEL32(000001A0,00000000,00CD1E74,?,?,00C9FB9D,00000020,?,00C9A812,?,00C9C79B,?,00000000,?,00000001,?), ref: 00C9F9BB
Part of subcall function 00C9F982: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00C9A812,?,00C9C79B,?,00000000,?,00000001,?,?,?,00CA3AFE), ref: 00C9F9C5
Part of subcall function 00C9F982: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00C9A812,?,00C9C79B,?,00000000,?,00000001,?,?,?,00CA3AFE), ref: 00C9F9D5

LeaveCriticalSection.KERNEL32(00CD1E74,?,00C9A812,?,00C9C79B,?,00000000,?,00000001,?,?,?,00CA3AFE,?,00008000,?), ref: 00C9FBA3

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CriticalSection$Create$EnterEventH_prologInitializeLeaveSemaphore
String ID:
API String ID: 3780591329-0
Opcode ID: ba23696cb173fd309a43a1d6d5db9c170a29ca335dcf32804a3335da26c11cdf
Instruction ID: 1590c7e362fccbaca5de23c59d9ca22a9ed60f165f6d3349f5b800bc66a7a5cf
Opcode Fuzzy Hash: ba23696cb173fd309a43a1d6d5db9c170a29ca335dcf32804a3335da26c11cdf
Instruction Fuzzy Hash: CDF09A74E02616ABDB08AF68EC19BADB7A8EB49304F00413FFC09D3750DB7089008B51

Function 00CB0B06 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00CB0B06
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00CB0B0B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00CB0B10

Part of subcall function 00CB1BDE: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00CB1BEF

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00CB0B25

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 531e6f4e0a03c94a47563f5691ee99a7aac98bf87a5ed1e2fb88b7d1485fc598
Instruction ID: c4491eff64290a564f6311639254bcc0943c05236523ff251192a55dd63e4c3b
Opcode Fuzzy Hash: 531e6f4e0a03c94a47563f5691ee99a7aac98bf87a5ed1e2fb88b7d1485fc598
Instruction Fuzzy Hash: 28C04864AA02A59A1C243AF222622EF2B401CA27CCFF815C1BC641B107AE464A1BB033

Function 00CA8CF2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00CA8BA4: GetDC.USER32(00000000), ref: 00CA8BA8
Part of subcall function 00CA8BA4: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CA8BB3
Part of subcall function 00CA8BA4: ReleaseDC.USER32(00000000,00000000), ref: 00CA8BBE

GetObjectW.GDI32(?,00000018,?), ref: 00CA8D23

Part of subcall function 00CA8EE9: GetDC.USER32(00000000), ref: 00CA8EF2
Part of subcall function 00CA8EE9: GetObjectW.GDI32(?,00000018,?), ref: 00CA8F21
Part of subcall function 00CA8EE9: ReleaseDC.USER32(00000000,?), ref: 00CA8FB5

Strings

(, xrefs: 00CA8DEE

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 3bad5cc8aaac4202a9aef36eb628183a73749a45e0c56e654e9a290df83b5437
Instruction ID: af457c1ea45f7e06eb763edc3c6c2110bf0adcfa58e521b965c320ec1953611b
Opcode Fuzzy Hash: 3bad5cc8aaac4202a9aef36eb628183a73749a45e0c56e654e9a290df83b5437
Instruction Fuzzy Hash: C7611671608206AFD310DF64C888E6BBBE9FF8A708F10495DF599C7261CB31D909CB62

Function 00CA01CD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00CA0393

Strings

%s: %s, xrefs: 00CA03A2
%ls, xrefs: 00CA020C, 00CA0222

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 19628108cf6a53c6291a338649bac71fbe7e670d096e3d28584ff181f8cb4eb0
Instruction ID: 1f2092c100b0f43b83a84451096ae8a93a897869bb4026a48c7cd8b7868a3bff
Opcode Fuzzy Hash: 19628108cf6a53c6291a338649bac71fbe7e670d096e3d28584ff181f8cb4eb0
Instruction Fuzzy Hash: 1A51D971188703F6EA3116958C4FF357655AB07BCCF30870AF79B644E1C5A2A950B717

Function 00CB7BD9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CB7D45

Part of subcall function 00CB5D1D: IsProcessorFeaturePresent.KERNEL32(00000017,00CB5D0C,0000002C,00CC80C8,00CB8D62,00000000,00000000,00CB6391,?,?,00CB5D19,00000000,00000000,00000000,00000000,00000000), ref: 00CB5D1F
Part of subcall function 00CB5D1D: GetCurrentProcess.KERNEL32(C0000417,00CC80C8,0000002C,00CB5A4A,00000016,00CB6391), ref: 00CB5D41
Part of subcall function 00CB5D1D: TerminateProcess.KERNEL32(00000000), ref: 00CB5D48

Strings

*?, xrefs: 00CB7C1C
., xrefs: 00CB7EFC

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 7b97f05bead931982e7a23c9cf534e270e960d3348eeadaf4e8a2cba3451af48
Instruction ID: 8ab05096d1a019c61c1cbca98c802fa8ad88ebe688ef652bd794f91b49db173f
Opcode Fuzzy Hash: 7b97f05bead931982e7a23c9cf534e270e960d3348eeadaf4e8a2cba3451af48
Instruction Fuzzy Hash: D4518D75E0421AAFDF14DFA8C881AEDBBB5EF88310F24426EE854E7341E6719E019B50

Function 00C97619 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00C9761E
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00C97799

Part of subcall function 00C9A113: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00C99F49,?,?,?,00C99DE2,?,00000001,00000000,?,?), ref: 00C9A127
Part of subcall function 00C9A113: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00C99F49,?,?,?,00C99DE2,?,00000001,00000000,?,?), ref: 00C9A158

Strings

:, xrefs: 00C9768F

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: e94e9059ba028f7c5d74986681e47dd06579f3e9a8813d689b0c620e94af415c
Instruction ID: 569352ad990af4656c8da192ce9391f80b4090367e33c5204b7a7c9d29d40360
Opcode Fuzzy Hash: e94e9059ba028f7c5d74986681e47dd06579f3e9a8813d689b0c620e94af415c
Instruction Fuzzy Hash: F641D271805618AADF25EBA4CC4DEEF777CEF44340F0001E9B605A2082DB709F85EBA0

Function 00C9B2C5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

UNC, xrefs: 00C9B361
\\?\, xrefs: 00C9B317, 00C9B353, 00C9B3B4, 00C9B407

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: d14dcceacae747a0e8f95bb9b3d3dd282b656024fe77861a2cea227da59c5f64
Instruction ID: 28dd26ccf9f81319f60130fd306a7569482ac8b733a885f82f1ade804a14e316
Opcode Fuzzy Hash: d14dcceacae747a0e8f95bb9b3d3dd282b656024fe77861a2cea227da59c5f64
Instruction Fuzzy Hash: 5541C431400219FACF21AF21ED4DEEF77AAAF01350F50442AF86493052E7B0DE91FAA1

Function 00CA802C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00CA8039

Strings

about:blank, xrefs: 00CA80D1
Shell.Explorer, xrefs: 00CA8065

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 2613f06992db16f6497492fa1fcb316b324325ae61260533d478b79b77657e11
Instruction ID: 2807d10f139318c0c0c6224c90d486d8e267c6124b8e198954c488625ca597b9
Opcode Fuzzy Hash: 2613f06992db16f6497492fa1fcb316b324325ae61260533d478b79b77657e11
Instruction Fuzzy Hash: 9621AE75700607AFD7049F61C890E2AB768BF96718B18862DF5158B682CF75ED48CBA0

Function 00C9DF86 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C9DF05: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00C9DF24
Part of subcall function 00C9DF05: GetProcAddress.KERNEL32(00CD1E58,CryptUnprotectMemory), ref: 00C9DF34

GetCurrentProcessId.KERNEL32(?,?,?,00C9DF7E), ref: 00C9E007

Strings

CryptUnprotectMemory failed, xrefs: 00C9DFFF
CryptProtectMemory failed, xrefs: 00C9DFC7

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: ff769b39e945794d3bbef85c2b0dc3e7b63a37a6e555def353fba7764d80d0c0
Instruction ID: beac11b11187862889c805b2848a08c4f0de8edef4f119f17b88307149719743
Opcode Fuzzy Hash: ff769b39e945794d3bbef85c2b0dc3e7b63a37a6e555def353fba7764d80d0c0
Instruction Fuzzy Hash: 62113D31705251ABDF25DF79DC5DF6E3399EF94750B08402AFC12DB291DBA0EE00A290

Function 00C912E7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00C9CF27: GetWindowRect.USER32(?,?), ref: 00C9CF5E
Part of subcall function 00C9CF27: GetClientRect.USER32(?,?), ref: 00C9CF6A
Part of subcall function 00C9CF27: GetWindowLongW.USER32(?,000000F0), ref: 00C9D00B
Part of subcall function 00C9CF27: GetWindowRect.USER32(?,?), ref: 00C9D038
Part of subcall function 00C9CF27: GetWindowTextW.USER32(?,?,00000400), ref: 00C9D057

GetDlgItem.USER32(00000000,00003021), ref: 00C9132B
SetWindowTextW.USER32(00000000,00CC02E4), ref: 00C91341

Strings

0, xrefs: 00C912EA

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: Window$Rect$Text$ClientItemLong
String ID: 0
API String ID: 660763476-4108050209
Opcode ID: da1c46cb562b5945d15e225eea184efbf41317fc6831b257765733a4656419e8
Instruction ID: 8cd5b92961c953db7d192ba6e75e068f09ae94e9403ed6789ba61632f0f30903
Opcode Fuzzy Hash: da1c46cb562b5945d15e225eea184efbf41317fc6831b257765733a4656419e8
Instruction Fuzzy Hash: 3CF03CB154024DABDF251EA1C81EFB93B6AAB04749F4C8058FD58948A1CB74CA91AB14

Function 00C9FB19 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00C9FCF9,?,?,00C9FD6E,?,?,?,?,?,00C9FD58), ref: 00C9FB1F
GetLastError.KERNEL32(?,?,00C9FD6E,?,?,?,?,?,00C9FD58), ref: 00C9FB2B

Part of subcall function 00C96D8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00C96DAD

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00C9FB34

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 7b4a85aa499ffa8d1e7115480cd474bb1c706cf16daceea7f34c4f53e1ee2940
Instruction ID: ee63295e335712fbea30dbb406e8f24beee79dbf52ac8486e3d57b8495f7d975
Opcode Fuzzy Hash: 7b4a85aa499ffa8d1e7115480cd474bb1c706cf16daceea7f34c4f53e1ee2940
Instruction Fuzzy Hash: 6CD05E72608430A7DE012768DC1EFAE3904AB52775F35076DF139A52E1CA204D8256A1

Function 00CB88EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00CB88EC
GetCommandLineW.KERNEL32 ref: 00CB88F7

Strings

%n, xrefs: 00CB88F2

Memory Dump Source

Source File: 00000000.00000002.2034515073.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2034490465.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034551748.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034645673.0000000000CEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034720791.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_vkXe5gkY34.jbxd

Similarity

API ID: CommandLine
String ID: %n
API String ID: 3253501508-2798127140
Opcode ID: ef245288248d0039b4dd4f60eb5b372277616b5ca7c457084c401e58cfa9f1fa
Instruction ID: 57c374167a471236965fa9adf293d9d69997767f9f24df7b183076a21513e402
Opcode Fuzzy Hash: ef245288248d0039b4dd4f60eb5b372277616b5ca7c457084c401e58cfa9f1fa
Instruction Fuzzy Hash: 73B04878800240CB87008F61F88D71D7BE0B2087023A01055D4018A770DB388408AF01

Analysis Process: efthfxj.sfx.exePID: 3852, Parent PID: 6472COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1510
Total number of Limit Nodes:	25

Executed Functions

Function 0064C130 Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 199
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0063F3A5: GetModuleHandleW.KERNEL32 ref: 0063F3BD
Part of subcall function 0063F3A5: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0063F3D5
Part of subcall function 0063F3A5: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0063F3F8

Part of subcall function 00648B8D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00648B95

Part of subcall function 00649035: OleInitialize.OLE32(00000000), ref: 0064904E
Part of subcall function 00649035: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00649085
Part of subcall function 00649035: SHGetMalloc.SHELL32(006720E8), ref: 0064908F

Part of subcall function 00640710: GetCPInfo.KERNEL32(00000000,?), ref: 00640721
Part of subcall function 00640710: IsDBCSLeadByte.KERNEL32(00000000), ref: 00640735

GetCommandLineW.KERNEL32 ref: 0064C178
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0064C19F
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0064C1B0
UnmapViewOfFile.KERNEL32(00000000), ref: 0064C1EA

Part of subcall function 0064BE09: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0064BE1F
Part of subcall function 0064BE09: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0064BE5B

CloseHandle.KERNEL32(00000000), ref: 0064C1F3
GetModuleFileNameW.KERNEL32(00000000,00687938,00000800), ref: 0064C20E
SetEnvironmentVariableW.KERNEL32(sfxname,00687938), ref: 0064C220
GetLocalTime.KERNEL32(?), ref: 0064C227
_swprintf.LIBCMT ref: 0064C266
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0064C278
GetModuleHandleW.KERNEL32(00000000), ref: 0064C27B
LoadIconW.USER32(00000000,00000064), ref: 0064C292
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00019B4E,00000000), ref: 0064C2E3
Sleep.KERNEL32(?), ref: 0064C311
DeleteObject.GDI32 ref: 0064C350
DeleteObject.GDI32(?), ref: 0064C35C

Part of subcall function 0064A8D3: CharUpperW.USER32(?,?,?,?,00001000), ref: 0064A92B
Part of subcall function 0064A8D3: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 0064A952

CloseHandle.KERNEL32 ref: 0064C39B

Strings

STARTDLG, xrefs: 0064C2D8
sfxstime, xrefs: 0064C273
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0064C257
*xh, xrefs: 0064C1DB
sfxname, xrefs: 0064C21B
winrarsfxmappingfile.tmp, xrefs: 0064C193
8yh, xrefs: 0064C207
*ag, xrefs: 0064C1E0

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteObjectProcUpperView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$*ag$*xh$8yh$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 985665271-930965650
Opcode ID: f15ad309cd9f0c55357385f5091f30b5232110d37e3a214fc2fc85072df97976
Instruction ID: 42bb4f22fea6321a459184ae5dbdab65b7f51bfefde367b859357cd02565c96c
Opcode Fuzzy Hash: f15ad309cd9f0c55357385f5091f30b5232110d37e3a214fc2fc85072df97976
Instruction Fuzzy Hash: 3361F771905300AFE7A1AFA4DC49E7B3BEBEB49714F445429F644932A1DBB48C44CBA1

Function 0063A2C3 Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0063A1BE,000000FF,?,?), ref: 0063A2F8
FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0063A1BE,000000FF,?,?), ref: 0063A32E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0063A1BE,000000FF,?,?), ref: 0063A336
FindNextFileW.KERNEL32(?,?,?,?,?,?,0063A1BE,000000FF,?,?), ref: 0063A35E
GetLastError.KERNEL32(?,?,?,?,0063A1BE,000000FF,?,?), ref: 0063A36A

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 70093335965f02b5f9a72f8bac51af22db305b88f84cb8d1021385a937247629
Instruction ID: de641369d5ccfdd7b11c646bd869d3e3472dbd6a985ba882e4cd3000c835b3c4
Opcode Fuzzy Hash: 70093335965f02b5f9a72f8bac51af22db305b88f84cb8d1021385a937247629
Instruction Fuzzy Hash: 0E419372608241AFD324DFB8C880ADBF7E9BF49340F040A2EF5D9D3240D774A9589B92

Function 006549FA Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,006549D0,?,00667F60,0000000C,00654B27,?,00000002,00000000), ref: 00654A1B
TerminateProcess.KERNEL32(00000000,?,006549D0,?,00667F60,0000000C,00654B27,?,00000002,00000000), ref: 00654A22
ExitProcess.KERNEL32 ref: 00654A34

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fd40527d463d8655906f329f5a360f1d5d0c28a908769a5c74c95ea103bbf6d7
Instruction ID: 3a04ded7df011d7b53b7927b5be8b8a1967a33523b109ad3cd79bc4a47504890
Opcode Fuzzy Hash: fd40527d463d8655906f329f5a360f1d5d0c28a908769a5c74c95ea103bbf6d7
Instruction Fuzzy Hash: 15E04631048108AFCF91AF60DD08A893B6BEB01347F001068FC098A236CFB5DD86DB84

Function 006383EB Relevance: 3.9, APIs: 2, Instructions: 931COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006383F0
_memcmp.LIBVCRUNTIME ref: 00638858

Part of subcall function 006380DA: CharUpperW.USER32(?,?,00000000,?,?,?,?,?,?,?,00000800,?,006386CF,?,-00000930,?), ref: 0063819D

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: CharH_prologUpper_memcmp
String ID:
API String ID: 4047935103-0
Opcode ID: 8ff911fd46c44698c2772bc3c3dc4ecdaf586d9b9a6c439a2e91c2c00cd381ed
Instruction ID: 733dd246030fea15b52b6cb6488aac6307257319ad376a726a1c4ad791a3190e
Opcode Fuzzy Hash: 8ff911fd46c44698c2772bc3c3dc4ecdaf586d9b9a6c439a2e91c2c00cd381ed
Instruction Fuzzy Hash: 53720971904285AEDF25DF64C885BF9B7BBAF15300F0840BAF9499B243DB715A85CBE0

Function 00649B4E Relevance: 102.2, APIs: 46, Strings: 12, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00649B53

Part of subcall function 006312E7: GetDlgItem.USER32(00000000,00003021), ref: 0063132B
Part of subcall function 006312E7: SetWindowTextW.USER32(00000000,006602E4), ref: 00631341

Strings

__tmp_rar_sfx_access_check_%u, xrefs: 00649E2D
STARTDLG, xrefs: 00649B72
"%s"%s, xrefs: 0064A089
-el -s2 "-d%s" "-sp%s", xrefs: 00649EE7
*Ag, xrefs: 0064A2B9
@, xrefs: 00649F0D
*xh, xrefs: 00649FB1
winrarsfxmappingfile.tmp, xrefs: 00649F22
LICENSEDLG, xrefs: 0064A3D3
<, xrefs: 00649F00
!g, xrefs: 00649F45
*ag, xrefs: 00649ED0

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: !g$"%s"%s$*Ag$*ag$*xh$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-270440012
Opcode ID: b97034aee5d99b2ae2c43ddfc02bf72857af6c09842095330b9a25008671ee48
Instruction ID: eec1884df55e5083ab5112a20040056e5fabe77f762bad1cc84903e4cd5c86f8
Opcode Fuzzy Hash: b97034aee5d99b2ae2c43ddfc02bf72857af6c09842095330b9a25008671ee48
Instruction Fuzzy Hash: EA42E371980345BFEB25AFA09D4AFFF3BABAB06704F401059F605A61D1CBB44D84CB66

Function 0063F3A5 Relevance: 77.3, APIs: 22, Strings: 22, Instructions: 314
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 0063F3BD
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0063F3D5
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0063F3F8
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0063F6A3
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0063F6BB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0063F6CD
ReadFile.KERNEL32(00000000,?,00007FFE,00660858,00000000), ref: 0063F6EC
CloseHandle.KERNEL32(00000000), ref: 0063F744
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0063F75A
CompareStringW.KERNEL32(00000400,00001001,006608A4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 0063F7B4
GetFileAttributesW.KERNELBASE(?,?,00660870,00000800,?,00000000,?,00000800), ref: 0063F7DD
GetFileAttributesW.KERNEL32(?,?,0f,00000800), ref: 0063F816

Part of subcall function 0063F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0063F376
Part of subcall function 0063F35B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0063DF18,Crypt32.dll,?,0063DF9C,?,0063DF7E,?,?,?,?), ref: 0063F398

_swprintf.LIBCMT ref: 0063F886
_swprintf.LIBCMT ref: 0063F8D2

Part of subcall function 00633F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00633F3E

AllocConsole.KERNEL32 ref: 0063F8DA
GetCurrentProcessId.KERNEL32 ref: 0063F8E4
AttachConsole.KERNEL32(00000000), ref: 0063F8EB
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 0063F911
WriteConsoleW.KERNEL32(00000000), ref: 0063F918
Sleep.KERNEL32(00002710), ref: 0063F923
FreeConsole.KERNEL32 ref: 0063F929
ExitProcess.KERNEL32 ref: 0063F931

Strings

@f, xrefs: 0063F61E
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 0063F8C0
xf, xrefs: 0063F4E8
f, xrefs: 0063F470
0f, xrefs: 0063F7FD
\f, xrefs: 0063F488
DXGIDebug.dll, xrefs: 0063F435, 0063F7A0
xf, xrefs: 0063F634
$f, xrefs: 0063F613
kernel32, xrefs: 0063F3B3
Df, xrefs: 0063F4D8
Df, xrefs: 0063F480
`f, xrefs: 0063F4E0
SetDefaultDllDirectories, xrefs: 0063F3F2
,f, xrefs: 0063F4D0
dwmapi.dll, xrefs: 0063F460, 0063F849
f, xrefs: 0063F660
tf, xrefs: 0063F490
\f, xrefs: 0063F629
f, xrefs: 0063F4B8
uxtheme.dll, xrefs: 0063F853
SetDllDirectoryW, xrefs: 0063F3CF

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: f$$f$,f$0f$@f$Df$Df$DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$\f$\f$`f$dwmapi.dll$kernel32$tf$uxtheme.dll$xf$xf$f$f
API String ID: 1201351596-3061208827
Opcode ID: b77e61490b25dd351471d85a0a50cdd05d245de194ceef59d23572409539e542
Instruction ID: c75694aa96ef2193abdd49a01ba1603015a559d35074d3203daf494afbc1a3d5
Opcode Fuzzy Hash: b77e61490b25dd351471d85a0a50cdd05d245de194ceef59d23572409539e542
Instruction Fuzzy Hash: A5D16EB1408384ABF770DF60D849BDFBBEAAF84304F505D3DE58996281C7B09549CBA6

Function 0064AA44 Relevance: 33.7, APIs: 14, Strings: 5, Instructions: 438
windowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0064AA49

Part of subcall function 006496EB: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 006497B3

SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,0064A35C,?,00000000), ref: 0064AB7E
GetFileAttributesW.KERNEL32(?), ref: 0064AC38
DeleteFileW.KERNEL32(?), ref: 0064AC46
SetWindowTextW.USER32(?,?), ref: 0064AD8F
_wcsrchr.LIBVCRUNTIME ref: 0064AF19
GetDlgItem.USER32(?,00000066), ref: 0064AF54
SetWindowTextW.USER32(00000000,?), ref: 0064AF64
SendMessageW.USER32(00000000,00000143,00000000,0067412A), ref: 0064AF78
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0064AFA1

Strings

ProgramFilesDir, xrefs: 0064AE63
Software\Microsoft\Windows\CurrentVersion, xrefs: 0064AE38
%s.%d.tmp, xrefs: 0064AC5E
<br>, xrefs: 0064ACF2
*Ag, xrefs: 0064AF36

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$*Ag$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3676479488-2267958582
Opcode ID: 480750853353160863caa67fede2307816693cb85ee919cf968a83b769ca14a4
Instruction ID: ef441068e8eb9983974671fbe59f93f2b402644a7fd5f987694a59f2d7f37df0
Opcode Fuzzy Hash: 480750853353160863caa67fede2307816693cb85ee919cf968a83b769ca14a4
Instruction Fuzzy Hash: 74E17072940129AAEF64EBA0DD85EEE777EEF05350F0044AAF905E3141EF709B84CB65

Function 0063CF27 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0063C8DE: _wcschr.LIBVCRUNTIME ref: 0063C90D

GetWindowRect.USER32(?,?), ref: 0063CF5E
GetClientRect.USER32(?,?), ref: 0063CF6A
GetWindowLongW.USER32(?,000000F0), ref: 0063D00B
GetWindowRect.USER32(?,?), ref: 0063D038
GetWindowTextW.USER32(?,?,00000400), ref: 0063D057
SetWindowTextW.USER32(?,?), ref: 0063D07E
GetSystemMetrics.USER32(00000008), ref: 0063D086
GetWindow.USER32(?,00000005), ref: 0063D091
GetWindowTextW.USER32(00000000,?,00000400), ref: 0063D0BC
SetWindowTextW.USER32(00000000,00000000), ref: 0063D0E9
GetWindowRect.USER32(00000000,?), ref: 0063D0FC
GetWindow.USER32(00000000,00000002), ref: 0063D16E

Strings

d, xrefs: 0063CF8A

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Window$RectText$ClientLongMetricsSystem_wcschr
String ID: d
API String ID: 4134264131-2564639436
Opcode ID: 23a16a259ae1762535810e7cf7bfcdc4f7fc7410a905476f23985a813bbd5934
Instruction ID: 39dc952f3c1762d34a1355fa6b1c558b4a9a8df474233635807d16c0f55bcb08
Opcode Fuzzy Hash: 23a16a259ae1762535810e7cf7bfcdc4f7fc7410a905476f23985a813bbd5934
Instruction Fuzzy Hash: E1617F71208300AFD314DFA8DD88E6BBBEAFBC9714F04551DF684A2290C774E9058B92

Function 0064B70D Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 96
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(00000068,00688958), ref: 0064B71C
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00649324), ref: 0064B747
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0064B756
SendMessageW.USER32(00000000,000000C2,00000000,006602E4), ref: 0064B760
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0064B776
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0064B78C
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0064B7CC
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0064B7D6
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0064B7E5
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0064B808
SendMessageW.USER32(00000000,000000C2,00000000,00661368), ref: 0064B813

Strings

\, xrefs: 0064B77C

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: MessageSend$ItemShowWindow
String ID: \
API String ID: 1207805008-2967466578
Opcode ID: 006a5465d690388688532a0ed9c64a982959166d174419575db4b367ea38d5f8
Instruction ID: f90b02a07c1ad58334a00f39242168b61bf41a42718868ed0e42ed86bce94f10
Opcode Fuzzy Hash: 006a5465d690388688532a0ed9c64a982959166d174419575db4b367ea38d5f8
Instruction Fuzzy Hash: 582146712857457BE310EB24DC41FAB7ADEEF82714F000518FA90A61D0C7A59A088ABB

Function 00648BCF Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 92
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000066,PNG,?,?,00649AC7,00000066), ref: 00648BE0
SizeofResource.KERNEL32(00000000,75FD5780,?,?,00649AC7,00000066), ref: 00648BF8
LoadResource.KERNEL32(00000000,?,?,00649AC7,00000066), ref: 00648C0B
LockResource.KERNEL32(00000000,?,?,00649AC7,00000066), ref: 00648C16
GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,00649AC7,00000066), ref: 00648C34
GlobalLock.KERNEL32(00000000,?,?,?,00649AC7,00000066), ref: 00648C41
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00648C9C
GlobalUnlock.KERNEL32(00000000), ref: 00648CB1
GlobalFree.KERNEL32(00000000), ref: 00648CB8

Strings

PNG, xrefs: 00648BD1

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: db997a3809e0dd6460e0a1b742a1f42070e58764a79b05c3b080283a2c3c54a2
Instruction ID: 40e50fca2eddaca5ed0eddc0c82cd00932dba3b25946290d216e989e789cb722
Opcode Fuzzy Hash: db997a3809e0dd6460e0a1b742a1f42070e58764a79b05c3b080283a2c3c54a2
Instruction Fuzzy Hash: 6E217171602701AFD7219F61ED8996FBBAAEF86751B00552CF846D7360DF71DC00CAA1

Function 0064B9A9 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(000001C0), ref: 0064BAD7
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 0064BB1C
GetExitCodeProcess.KERNEL32(?,?), ref: 0064BB54
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0064BB7A
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 0064BC09

Part of subcall function 00640B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0063AC99,?,?,?,0063AC48,?,-00000002,?,00000000,?), ref: 00640B16

Strings

, xrefs: 0064BA29
.inf, xrefs: 0064BA93
*Qg, xrefs: 0064BA77
.exe, xrefs: 0064BB84

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $*Qg$.exe$.inf
API String ID: 3686203788-2751137138
Opcode ID: a1e4e351cf75452ac3281eec287c75fce1c022dcda65d310d69cb32f50a32ebe
Instruction ID: 9aa4c0ec270e0c031cd952e46e6171cb1da3b5e49bb2a6ea394025a6cef503df
Opcode Fuzzy Hash: a1e4e351cf75452ac3281eec287c75fce1c022dcda65d310d69cb32f50a32ebe
Instruction Fuzzy Hash: A751D0705093809ADB31EF64D9806FBBBEBEF85304F04281DE5C197264EBB1C989CB56

Function 0063CB1C Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0063CB21
_wcschr.LIBVCRUNTIME ref: 0063CB3F
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0063CB03,?), ref: 0063CB5A

Part of subcall function 006406D7: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0063B2AB,00000000,?,?,?,?), ref: 006406F3

Strings

a, xrefs: 0063CC7B
R, xrefs: 0063CC71
*messages***, xrefs: 0063CC26
*messages***, xrefs: 0063CC5F

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide_wcschr
String ID: *messages***$*messages***$R$a
API String ID: 803915177-2900423073
Opcode ID: 603913000041f2732e97306a50c79a905c1222fbdc07f9f18bb0fc3a9715df80
Instruction ID: 3fa620beaab030c2d39df2efd1015734fb9268ebf5d878c098cb1a7582978966
Opcode Fuzzy Hash: 603913000041f2732e97306a50c79a905c1222fbdc07f9f18bb0fc3a9715df80
Instruction Fuzzy Hash: E49113B2A002059ADB30DF68CC55BEEBBA6EF54320F10446EF649F7391DA709985CBD4

Function 0065739F Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00652FB2,00652FB2,?,?,?,006575F0,00000001,00000001,F5E85006), ref: 006573F9
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006575F0,00000001,00000001,F5E85006,?,?,?), ref: 0065747F
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00657579
__freea.LIBCMT ref: 00657586

Part of subcall function 006559EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0065239A,?,0000015D,?,?,?,?,00652F19,000000FF,00000000,?,?), ref: 00655A1E

__freea.LIBCMT ref: 0065758F
__freea.LIBCMT ref: 006575B4

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: fb5781d842aa9b1c81d5e160ff868b309afa580dca6e7737dcc6ca92f0e67f08
Instruction ID: d7e03a09172cd327bed09b8962881d7083fc513997f7bd0eb844c4fd27c585cf
Opcode Fuzzy Hash: fb5781d842aa9b1c81d5e160ff868b309afa580dca6e7737dcc6ca92f0e67f08
Instruction Fuzzy Hash: E351E072614216AFEB258F64EC41EAF7BABEB40752F244668FC04D7240EB34DC48C6A4

Function 00648FC7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00648FDE
SHAutoComplete.SHLWAPI(?,00000010), ref: 00649015

Part of subcall function 00640B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0063AC99,?,?,?,0063AC48,?,-00000002,?,00000000,?), ref: 00640B16

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00649005

Strings

EDIT, xrefs: 00648FE9, 00648FF4, 00649001
@Ut, xrefs: 00649015

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: 5e29b049fa8c77c201a2b46b9a35d5e17df95f87eb4e769af1f2968ae67a16fa
Instruction ID: 021c9fbf42bf2b5fc37ff9656cc968f658a90637e1c548fd2c31b549f4dc8f22
Opcode Fuzzy Hash: 5e29b049fa8c77c201a2b46b9a35d5e17df95f87eb4e769af1f2968ae67a16fa
Instruction Fuzzy Hash: FCF0893264172867E7305AA55D05FDB766D9B47B11F04015AFA00F6280D7A1A901CAF6

Function 00649035 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0063F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0063F376
Part of subcall function 0063F35B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0063DF18,Crypt32.dll,?,0063DF9C,?,0063DF7E,?,?,?,?), ref: 0063F398

OleInitialize.OLE32(00000000), ref: 0064904E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00649085
SHGetMalloc.SHELL32(006720E8), ref: 0064908F

Strings

3So, xrefs: 00649066
riched20.dll, xrefs: 0064903D

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3So
API String ID: 3498096277-3464455743
Opcode ID: c12d5d1620e83a0f0f85cc85bb4217a8d45d55f56076c53dc8d3bc9c236448fd
Instruction ID: 1143e2585ab9e84101aefafd60537f2211e7ed121e15da4d585843fa03d27f41
Opcode Fuzzy Hash: c12d5d1620e83a0f0f85cc85bb4217a8d45d55f56076c53dc8d3bc9c236448fd
Instruction Fuzzy Hash: 17F0E7B5D00209ABCB50AF9AD8499AEFBBDEF85711F00416AE815A2210DBB45645CFA2

Function 0063DF05 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0063F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0063F376
Part of subcall function 0063F35B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0063DF18,Crypt32.dll,?,0063DF9C,?,0063DF7E,?,?,?,?), ref: 0063F398

GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 0063DF24
GetProcAddress.KERNEL32(00671E58,CryptUnprotectMemory), ref: 0063DF34

Strings

Crypt32.dll, xrefs: 0063DF0E
CryptProtectMemory, xrefs: 0063DF1E
CryptUnprotectMemory, xrefs: 0063DF2A

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: bc809b5d1638479eb5dbb70ac7a8dcd6abd13a4c1f5c6b385d59ca40bbc2b724
Instruction ID: 827aca66ddd8277592837e25c71a841fa9eb75f13e940b837a443e11fefa2d72
Opcode Fuzzy Hash: bc809b5d1638479eb5dbb70ac7a8dcd6abd13a4c1f5c6b385d59ca40bbc2b724
Instruction Fuzzy Hash: 07E046B0904B42BEEF415B35EC48B46FBA67F90710F058579E01AC2241DBF4D0A48B90

Function 0063FA23 Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0063FDB7: ResetEvent.KERNEL32(?,00D5E128,0063FA45,00671E74,00D5E128,?,-00000001,0065F605,000000FF,?,0063FC7B,?,?,0063A5F0,?), ref: 0063FDD7
Part of subcall function 0063FDB7: ReleaseSemaphore.KERNEL32(?,?,00000000,?,-00000001,0065F605,000000FF,?,0063FC7B,?,?,0063A5F0,?), ref: 0063FDEB

ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 0063FA57
FindCloseChangeNotification.KERNELBASE(00D5E12C,00D5E12C), ref: 0063FA71
DeleteCriticalSection.KERNEL32(00D5E2C8), ref: 0063FA8A
FindCloseChangeNotification.KERNELBASE(?), ref: 0063FA96
CloseHandle.KERNEL32(?), ref: 0063FAA2

Part of subcall function 0063FB19: WaitForSingleObject.KERNEL32(?,000000FF,0063FCF9,?,?,0063FD6E,?,?,?,?,?,0063FD58), ref: 0063FB1F
Part of subcall function 0063FB19: GetLastError.KERNEL32(?,?,0063FD6E,?,?,?,?,?,0063FD58), ref: 0063FB2B

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Close$ChangeFindNotificationReleaseSemaphore$CriticalDeleteErrorEventHandleLastObjectResetSectionSingleWait
String ID:
API String ID: 3803654862-0
Opcode ID: 144308e7ef7e3b4bcc4f5851aa2cf6fe35073cefb5b5dec9ba625bfc09470aa0
Instruction ID: 64740f744851eec5353a620418225ab8d976c61788dcdd5ed5d080dbb4deb893
Opcode Fuzzy Hash: 144308e7ef7e3b4bcc4f5851aa2cf6fe35073cefb5b5dec9ba625bfc09470aa0
Instruction Fuzzy Hash: 33015E32540B44EFD7219B68DD49FC6BBEBFB45714F004979F29E92560CBB16804CB61

Function 0064BE09 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0064BE1F
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0064BE5B

Strings

sfxcmd, xrefs: 0064BE1A
sfxpar, xrefs: 0064BE56

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: d9a5508d669d7c87a4549d351ce040941f0ee836a943d2ca216140a602e5158d
Instruction ID: 48d7e22baa6ae19baf4556c67c5e24257d5a50af89ebe3b2283596b79a20e4c2
Opcode Fuzzy Hash: d9a5508d669d7c87a4549d351ce040941f0ee836a943d2ca216140a602e5158d
Instruction Fuzzy Hash: 9CF0A772811224ABD7612BD5DC09AEB7B9BDF05B91F041115FE485A251DBA18840C6F1

Function 0063978D Relevance: 6.1, APIs: 4, Instructions: 99fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000,?,00000000,?,?,0063777A,?,00000005,?,00000011), ref: 0063980D
GetLastError.KERNEL32(?,?,0063777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0063981A
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,0063777A,?,00000005,?), ref: 0063984F
GetLastError.KERNEL32(?,?,0063777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00639857

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 59ddc5ad441d05ff5e5f08f10bb33ef66c94317a7e3ebf7f5d58d7b8697124bb
Instruction ID: 6316674448a6026714ee5ccf684ef4f6149c1736e5a7514c773a0db1fcaf8069
Opcode Fuzzy Hash: 59ddc5ad441d05ff5e5f08f10bb33ef66c94317a7e3ebf7f5d58d7b8697124bb
Instruction Fuzzy Hash: 513134719447556FE3209F249C45BE7BAA6FB89324F104B29F990873D1D3B59888CBE0

Function 00639663 Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00639673
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 0063968B
GetLastError.KERNEL32 ref: 006396BD
GetLastError.KERNEL32 ref: 006396DC

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 67b1e18c85151a2933fcd8ae4019779bc0e2b438dfe1cbb9c46926f57269a898
Instruction ID: 514bb22f2375f74c91ff8362f01f1b1edbe4dbfc0c6c52031c6617a07786d38f
Opcode Fuzzy Hash: 67b1e18c85151a2933fcd8ae4019779bc0e2b438dfe1cbb9c46926f57269a898
Instruction Fuzzy Hash: EB115A30906214EBFF206F65CD46AAA77ABEB16325F10852AF92685290D7B58D40CFF1

Function 006577C2 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00652203,00000000,00000000,?,00657769,00652203,00000000,00000000,00000000,?,00657966,00000006,FlsSetValue), ref: 006577F4
GetLastError.KERNEL32(?,00657769,00652203,00000000,00000000,00000000,?,00657966,00000006,FlsSetValue,00663768,00663770,00000000,00000364,?,006563E0), ref: 00657800
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00657769,00652203,00000000,00000000,00000000,?,00657966,00000006,FlsSetValue,00663768,00663770,00000000), ref: 0065780E

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1e324cde3218435028802983ddbf35e4ac02f588a2928c6aaf437ff979dd706a
Instruction ID: d7f200a58b65e9f872aae2d025eabcbb67e107c1ef2aca324dfec155c0c665bc
Opcode Fuzzy Hash: 1e324cde3218435028802983ddbf35e4ac02f588a2928c6aaf437ff979dd706a
Instruction Fuzzy Hash: FA01A732659222ABD7214E69BC48AAB779AEF15BA3F100630FD0AD7240D760D905C6E0

Function 0064991D Relevance: 6.0, APIs: 4, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0064992E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0064993F
TranslateMessage.USER32(?), ref: 00649949
DispatchMessageW.USER32(?), ref: 00649953

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 1ca62229c086171de68e9181bcb664dc30c59d2ec31be2eafb2fd998248f0370
Instruction ID: d0e52332703a1df0b85fe3a9762e2b548e2cf331faa8cccfadac4fa62bd56217
Opcode Fuzzy Hash: 1ca62229c086171de68e9181bcb664dc30c59d2ec31be2eafb2fd998248f0370
Instruction Fuzzy Hash: D1E0ED72C0212EA78B20AFE6AD4CDDB7F6DEF062657004016F519E2000D6A89505CBF1

Function 0063DF86 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0063DF05: GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 0063DF24
Part of subcall function 0063DF05: GetProcAddress.KERNEL32(00671E58,CryptUnprotectMemory), ref: 0063DF34

GetCurrentProcessId.KERNEL32(?,?,?,0063DF7E), ref: 0063E007

Strings

CryptUnprotectMemory failed, xrefs: 0063DFFF
CryptProtectMemory failed, xrefs: 0063DFC7

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 70fa791cb36ef5392ae42d53496ca1584da0f88f86d626960bb7dec2f921b004
Instruction ID: 2b7739cf4ea850a66328c5bd830436c051785c1e7f7edfb2881cbf329266e07a
Opcode Fuzzy Hash: 70fa791cb36ef5392ae42d53496ca1584da0f88f86d626960bb7dec2f921b004
Instruction Fuzzy Hash: FC115B303042056BEB299B28DC41AAF379B9F85B50F04402EF801DB2D1EBE1DC5042E0

Function 0063FBBD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_0000FD4F,?,00000000,00000000), ref: 0063FBE1
SetThreadPriority.KERNEL32(?,00000000), ref: 0063FC28

Part of subcall function 00636D8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00636DAD

Strings

CreateThread failed, xrefs: 0063FBED

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: c72e84ca036e09e76ba9927fec83bf2a4a28a3e9f418fc5ba7322a45734f2605
Instruction ID: 790a976de83b967040162024e5b2df4f3d2aaa4117f73c5c376d09a604dba75e
Opcode Fuzzy Hash: c72e84ca036e09e76ba9927fec83bf2a4a28a3e9f418fc5ba7322a45734f2605
Instruction Fuzzy Hash: 340126713447097BE3206F58DC42FB3735BEB45761F10103FF98296180CAE2684086A0

Function 00639C18 Relevance: 4.6, APIs: 3, Instructions: 96fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,0063C8A3,00000001,?,?,?,00000000,0064420A,?,?,?,?,?,00643CAF), ref: 00639C33
WriteFile.KERNEL32(?,00000000,?,00643EB7,00000000,?,?,00000000,0064420A,?,?,?,?,?,00643CAF,?), ref: 00639C73
WriteFile.KERNELBASE(?,00000000,?,00643EB7,00000000,?,00000001,?,?,0063C8A3,00000001,?,?,?,00000000,0064420A), ref: 00639CA0

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 8c569e88bda6dd525819b176df3d81267177ee0120871ef9587a3ffb515ba3b7
Instruction ID: 1af1a6cc7fa0e9d88c1a96d007e713fa881a3009d694acc8aeffb0abc9b4101d
Opcode Fuzzy Hash: 8c569e88bda6dd525819b176df3d81267177ee0120871ef9587a3ffb515ba3b7
Instruction Fuzzy Hash: DA310371148A0AAFDB209F24DC49BA7BBAAEF61310F109119F59593280C7F5E849CFF1

Function 00639ED6 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00639DE2,?,00000001,00000000,?,?), ref: 00639EFD
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00639DE2,?,00000001,00000000,?,?), ref: 00639F30
GetLastError.KERNEL32(?,?,?,?,00639DE2,?,00000001,00000000,?,?), ref: 00639F4D

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: c0909fccf1d1731cfbcbe2fdcdbbf51bc97bcec0080f704eb057ee69f34032a3
Instruction ID: 64c199797c774e86584beb761c5317e2f3875bfc481ce4104a032513ff9b1c33
Opcode Fuzzy Hash: c0909fccf1d1731cfbcbe2fdcdbbf51bc97bcec0080f704eb057ee69f34032a3
Instruction Fuzzy Hash: CA01B13250825866EB61AB684C46FFE374F9F06741F08049DF945E6280D7E4D981DFF5

Function 00633A90 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00633A95

Strings

CMT, xrefs: 00633AA4

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 4ab3c8d103a0cc2503ebcc233a88e1f01b4e0fdc5bf3fe6480412dfd03063a11
Instruction ID: cdeeaddec4cb80333fdd230a45acaea85ca526ea9d26707fecd1696ce2ff7bfc
Opcode Fuzzy Hash: 4ab3c8d103a0cc2503ebcc233a88e1f01b4e0fdc5bf3fe6480412dfd03063a11
Instruction Fuzzy Hash: 0F61CF71504F54AEDB21DF34CC419E7B7EAAF15301F44896EE5AB87242DB326A48CF90

Function 006582B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 006582D9

Strings

, xrefs: 0065831E

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 771fa93052a36c4b0c374a5ce3b2934b01045e9d427f4094978d75df75164783
Instruction ID: 9075b1c2725483c09b7e07b203310d3c6d1683d84956e24f77aacdb996f7a178
Opcode Fuzzy Hash: 771fa93052a36c4b0c374a5ce3b2934b01045e9d427f4094978d75df75164783
Instruction Fuzzy Hash: 55411A705083489FDF218E64CC84AFABBEADB55705F1404EDE98A97142D635994ACF60

Function 00631DD2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00631DD7

Part of subcall function 00633A90: __EH_prolog.LIBCMT ref: 00633A95

Strings

CMT, xrefs: 00631E0D

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 4e8a5d77f250aa52ea1344488680bdacb8ddab50626f665868d4e5720f59e938
Instruction ID: 32a02bd06fec4f8b1ffdf58169725059afb7c8f94ee4680164c58aaa7b36e7da
Opcode Fuzzy Hash: 4e8a5d77f250aa52ea1344488680bdacb8ddab50626f665868d4e5720f59e938
Instruction Fuzzy Hash: 39215C719001199FCB55DF98C9419EEFBF7BF59300F10006DE945A7252C7325E11CBA4

Function 0063192C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0063192C

Strings

CMT, xrefs: 006319A5

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 956d04d6562ffb5d674d69b96deaae9aa27afe9a8a04c6c7ad21c39f984ecdf3
Instruction ID: e229616ccc750a562eb444c9a6bea771585e91a012f129881798466dc93cbdc5
Opcode Fuzzy Hash: 956d04d6562ffb5d674d69b96deaae9aa27afe9a8a04c6c7ad21c39f984ecdf3
Instruction Fuzzy Hash: 9E119371E00205AFCB14DF65C9A1ABEF7ABBF46340F04405EE8459B381DB359951DBD0

Function 006579FA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,F5E85006,00000001,?,000000FF), ref: 00657A6B

Strings

LCMapStringEx, xrefs: 00657A0B, 00657A15

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 4f63131dd272a6e7ee1c74d3c62e1436ce1ee7b805e2fc322ca605401e2c23ff
Instruction ID: 8e37cabac813e4e186d81e34b93b12e4556bebf8175677284d3109bedd3d50c0
Opcode Fuzzy Hash: 4f63131dd272a6e7ee1c74d3c62e1436ce1ee7b805e2fc322ca605401e2c23ff
Instruction Fuzzy Hash: 8F012576544219BBCF029F90EC05DEE7FA7EF08761F014114FE1926260D6728A31EB84

Function 00657998 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0065708B), ref: 006579E3

Strings

InitializeCriticalSectionEx, xrefs: 006579B3

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: b0aafa863921cccb99c9807c1876a8a14cf9fb5654f54ea5db54eff5bb92ff7a
Instruction ID: f7347defcbc0d09ce986c5faf708aa332fe4753f59103e1de0e0ad229cbce261
Opcode Fuzzy Hash: b0aafa863921cccb99c9807c1876a8a14cf9fb5654f54ea5db54eff5bb92ff7a
Instruction Fuzzy Hash: 3AF0E975A4521DBBCF015F50EC05C9EBF63EF44721F014129FC155A260DAB14E10EBD4

Function 0065783D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0065787C

Strings

FlsAlloc, xrefs: 00657858

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: b276b902efaedfc20db31e879fb4fd44c120eca24c37d5bf7bd40e092535b618
Instruction ID: 3cab1e7029f894caeac6efa7588e4b040aa4dcec85f44c0562fb13a26d5e51cf
Opcode Fuzzy Hash: b276b902efaedfc20db31e879fb4fd44c120eca24c37d5bf7bd40e092535b618
Instruction Fuzzy Hash: B6E0E574B452187B9705BFA0BC0AD6EBF9BCB49B21F010079FD0567340DEA14E0187C9

Function 00651D87 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00651D9C

Strings

FlsAlloc, xrefs: 00651D8B, 00651D95

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 02ec4fb3880a7ceb3892f2cd15d230bd9e365a6f997f8815dc1de65037df68e5
Instruction ID: 18345f87cee868e818dff519d82deb8684653f575a15a114f833b375be18e12a
Opcode Fuzzy Hash: 02ec4fb3880a7ceb3892f2cd15d230bd9e365a6f997f8815dc1de65037df68e5
Instruction Fuzzy Hash: 5DD05B35F8233877D65036D4DC02AEABA47CB02FB2F090165FF086D28195A5455045D5

Function 0064CD5B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064CD6D

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Strings

3So, xrefs: 0064CD5B, 0064CD67

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3So
API String ID: 1269201914-1105799393
Opcode ID: 21370450da63c7be11ae9cde304e8fec2ac8ed80824385c06b70389ec51675b6
Instruction ID: 63d14a6df760305f9a26e37f7b255a1520be120c50ae533b461ab89f0ecc1d7b
Opcode Fuzzy Hash: 21370450da63c7be11ae9cde304e8fec2ac8ed80824385c06b70389ec51675b6
Instruction Fuzzy Hash: 0AB012D175A004BD739492E86E0AC37050FC4C0F31330812FF401F0340F8444C878032

Function 00636551 Relevance: 3.2, APIs: 2, Instructions: 187COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 006365A5
_strlen.LIBCMT ref: 00636600

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _memcmp_strlen
String ID:
API String ID: 2682527083-0
Opcode ID: 34014315e53433bc50b9aca7c081bf968f22ce7fbf4c8ab8bd2f833f69c526e1
Instruction ID: 9127801aa010d3173a359a30bf74dbaf220925234015d7025194f0cfc34b7058
Opcode Fuzzy Hash: 34014315e53433bc50b9aca7c081bf968f22ce7fbf4c8ab8bd2f833f69c526e1
Instruction Fuzzy Hash: E051D6B2504304ABD770EE60DC89FDBB3EEEB85300F04092DFA49D7146DA35A548C7A6

Function 00658609 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 006581DC: GetOEMCP.KERNEL32(00000000,?,?,00658465,?), ref: 00658207

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,006584AA,?,00000000), ref: 0065867D
GetCPInfo.KERNEL32(00000000,006584AA,?,?,?,006584AA,?,00000000), ref: 00658690

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: f9f0070a25a45a09d4e885990b70d15dde89d35d15b693eee9b194dc86cfe9a8
Instruction ID: 4054e706f4c75a5738bfcfc112f24bdd517bc31a2135e92e860be6e01e00aacc
Opcode Fuzzy Hash: f9f0070a25a45a09d4e885990b70d15dde89d35d15b693eee9b194dc86cfe9a8
Instruction Fuzzy Hash: EA5125709002059FDB208F71C8806FFBBE7AF45312F24406ED886ABA51EF75994ACB91

Function 00641FA8 Relevance: 3.1, APIs: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00642111
__CxxThrowException@8.LIBVCRUNTIME ref: 00642134

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: eb3b3af32b06b06a7a65145d10f9cd5802aa3a43880dada6c30b3ff9696099ac
Instruction ID: e66761f33794b60f534610911bd05252b56f6a1fb339511e5486ffcd632395ca
Opcode Fuzzy Hash: eb3b3af32b06b06a7a65145d10f9cd5802aa3a43880dada6c30b3ff9696099ac
Instruction Fuzzy Hash: DC416EB0609383AFD328DF34D4907AAFBD6BB55704F50062EF65857242D771D888C7A6

Function 006313B4 Relevance: 3.1, APIs: 2, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006313B4

Part of subcall function 00635F9E: __EH_prolog.LIBCMT ref: 00635FA3

Part of subcall function 0063C463: __EH_prolog.LIBCMT ref: 0063C468
Part of subcall function 0063C463: new.LIBCMT ref: 0063C4AB
Part of subcall function 0063C463: new.LIBCMT ref: 0063C4CF

new.LIBCMT ref: 0063142C

Part of subcall function 0063ACB6: __EH_prolog.LIBCMT ref: 0063ACBB

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1da45a42d7a1fb251ee5b4adcc1da02a488be901aac84bf6d3d92cb8c5f645bb
Instruction ID: ba43d13e8aea2b348e99c228a75b1971dd65826f5f207e56a3b9b13f44fa4711
Opcode Fuzzy Hash: 1da45a42d7a1fb251ee5b4adcc1da02a488be901aac84bf6d3d92cb8c5f645bb
Instruction Fuzzy Hash: 224144B0905B40DEE720CF7988859E6FBE6FF29310F404A2ED5EE87282CB326154CB55

Function 006313AF Relevance: 3.1, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006313B4

Part of subcall function 00635F9E: __EH_prolog.LIBCMT ref: 00635FA3

Part of subcall function 0063C463: __EH_prolog.LIBCMT ref: 0063C468
Part of subcall function 0063C463: new.LIBCMT ref: 0063C4AB
Part of subcall function 0063C463: new.LIBCMT ref: 0063C4CF

new.LIBCMT ref: 0063142C

Part of subcall function 0063ACB6: __EH_prolog.LIBCMT ref: 0063ACBB

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9cb7c281da0e8e67d71677d55f90913cc8324ccc831af6f309bd531accb0406c
Instruction ID: e984f4aa68805347c238b60f261f17d73e40f1604fef9b113f2165eef690bc36
Opcode Fuzzy Hash: 9cb7c281da0e8e67d71677d55f90913cc8324ccc831af6f309bd531accb0406c
Instruction Fuzzy Hash: AD4134B0805B409EE720CF7984859E7FAE6FF28310F404A2ED5EE87282CB326154CB55

Function 00658448 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0065630E: GetLastError.KERNEL32(?,0066CBE8,00652664,0066CBE8,?,?,00652203,?,?,0066CBE8), ref: 00656312
Part of subcall function 0065630E: _free.LIBCMT ref: 00656345
Part of subcall function 0065630E: SetLastError.KERNEL32(00000000,?,0066CBE8), ref: 00656386
Part of subcall function 0065630E: _abort.LIBCMT ref: 0065638C

Part of subcall function 00658567: _abort.LIBCMT ref: 00658599
Part of subcall function 00658567: _free.LIBCMT ref: 006585CD

Part of subcall function 006581DC: GetOEMCP.KERNEL32(00000000,?,?,00658465,?), ref: 00658207

_free.LIBCMT ref: 006584C0
_free.LIBCMT ref: 006584F6

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: a5235e63780ce12f7797238d750fd4fb035052a42219c2e3b8b8eef2670fba96
Instruction ID: f84f473d9932b108a2d681a9a67ff2d51f4f9250d8c372388350e23d413b6168
Opcode Fuzzy Hash: a5235e63780ce12f7797238d750fd4fb035052a42219c2e3b8b8eef2670fba96
Instruction Fuzzy Hash: D731D131904105AFDB10EBA8D441BADB7F6EF40322F25409DED04AB7A1EF359E48CB54

Function 00639541 Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00639BD7,?,?,00637735), ref: 006395C9
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00639BD7,?,?,00637735), ref: 006395FE

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 060d4e07d2a8e07cf094c9ca2b16080599c9ba65cb81cc40fdd6f34f24852954
Instruction ID: 18bd6f4c4157fbb2d631def8e78e42ca7626fc1c4ed0b0ad756d5784dfd417de
Opcode Fuzzy Hash: 060d4e07d2a8e07cf094c9ca2b16080599c9ba65cb81cc40fdd6f34f24852954
Instruction Fuzzy Hash: 9621E6B1404748AEE7318F24CC45BE777E9EB05764F00492DF5D582291C3B4AC898AB1

Function 00639A62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00637436,?,?,?), ref: 00639A7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00639B2C

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: c175445f82cb72c83de8eaac2f2f09103a58df87962b160c59ab76aa5a8e8673
Instruction ID: cf36e30656411c2dffd4e42fbe22d4084416121ff5ec8a688d45ae706c18d404
Opcode Fuzzy Hash: c175445f82cb72c83de8eaac2f2f09103a58df87962b160c59ab76aa5a8e8673
Instruction Fuzzy Hash: E021B431158285ABD714DB24C891AEABBE5AF96704F084A1DF8D5C7241D3A9DD08CBE1

Function 00657726 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00657786
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00657793

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: b56c1aeb29962fdca713cb64ff34f7f57b57777fc5b26b19baff54e761f6cd51
Instruction ID: d5efbf59c96ad1be718294febb15e69b03af9a682a715113ce500c0312d3d5b0
Opcode Fuzzy Hash: b56c1aeb29962fdca713cb64ff34f7f57b57777fc5b26b19baff54e761f6cd51
Instruction Fuzzy Hash: 84110637A041209FAB259E68FC9099A7397AB89722F164230FC15EB354E731EC458BD1

Function 00639B3B Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00639B71
GetLastError.KERNEL32 ref: 00639B7D

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 9f1ecf7eab7a798374227d994211e94471ec918e5105bc1db05743325e21f0f3
Instruction ID: 3002ecbf32bb2c6491ebcd413e65b6f41dbff6d563675a379cd5dcd7e9c77df6
Opcode Fuzzy Hash: 9f1ecf7eab7a798374227d994211e94471ec918e5105bc1db05743325e21f0f3
Instruction Fuzzy Hash: 3B0152717052046BEB349E29EC447ABF7DB9B84719F14853EF153C3680DAB5DC0D8A61

Function 006398E7 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 0063993B
GetLastError.KERNEL32 ref: 00639948

Part of subcall function 006396FA: __EH_prolog.LIBCMT ref: 006396FF

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ErrorFileH_prologLastPointer
String ID:
API String ID: 4236474358-0
Opcode ID: 01371a5c3662f332ab90a7e1bf109e80a6613a24f232c56b80705d5adf17446c
Instruction ID: aa35e444be0153af2e8e9466ddeea2a7588d75a35486c4567ba28ea405a59456
Opcode Fuzzy Hash: 01371a5c3662f332ab90a7e1bf109e80a6613a24f232c56b80705d5adf17446c
Instruction Fuzzy Hash: 020192322051099B9F189E199C447EB776BBF52321B0C422DE92A8B3D1D6B0EC019EF0

Function 00655ADA Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00655AFB

Part of subcall function 006559EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0065239A,?,0000015D,?,?,?,?,00652F19,000000FF,00000000,?,?), ref: 00655A1E

HeapReAlloc.KERNEL32(00000000,?,00200000,?,?,0066CBE8,006317D2,?,?,?,?,00000000,?,006313A9,?,?), ref: 00655B37

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: fdc78dcad5c49eab280187bb5e25a5a931b9a631e149e64551dc858a4a80740e
Instruction ID: 32582671a7e557a0c4f2b0a8f72fb912bdc3f23ec3a1c5597a66cd4c8fcfd3d1
Opcode Fuzzy Hash: fdc78dcad5c49eab280187bb5e25a5a931b9a631e149e64551dc858a4a80740e
Instruction Fuzzy Hash: C8F0C2316119166ADB712A25AC3DEAB375F8F82773F10421AFC17962A0EE30990981A4

Function 0063FC94 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 0063FCA1
GetProcessAffinityMask.KERNEL32(00000000), ref: 0063FCA8

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 68bb656d332ea6f73abcea73b574b8fdbd94e144f6bbad4162d76b2d85d409ab
Instruction ID: 3ed98ce657edef9ea73347147e5d3940a166d32c3f1c76b4845a6fac7622f4d8
Opcode Fuzzy Hash: 68bb656d332ea6f73abcea73b574b8fdbd94e144f6bbad4162d76b2d85d409ab
Instruction Fuzzy Hash: 1AE06D32E8010E679B088BA89C059EB729EDB14201F20257AEC07D3315E964DD4247E4

Function 00654E74 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 006589A0: GetEnvironmentStringsW.KERNEL32 ref: 006589A9
Part of subcall function 006589A0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006589CC
Part of subcall function 006589A0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006589F2
Part of subcall function 006589A0: _free.LIBCMT ref: 00658A05
Part of subcall function 006589A0: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00658A14

_free.LIBCMT ref: 00654EBA
_free.LIBCMT ref: 00654EC1

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: d8c45b17fc3bec50ff7e550511059ded809909be945988d78ec7e731c7b4c941
Instruction ID: 0e60a179de4affbd2531828c79b76f5bc06750250819f4cff2d6c2ba06ae56d7
Opcode Fuzzy Hash: d8c45b17fc3bec50ff7e550511059ded809909be945988d78ec7e731c7b4c941
Instruction Fuzzy Hash: 06E0EC22A0590145A7B171BD6C1B65B16075BC133BF11075EFC10971D2DD54448E119F

Function 0063A113 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00639F49,?,?,?,00639DE2,?,00000001,00000000,?,?), ref: 0063A127
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00639F49,?,?,?,00639DE2,?,00000001,00000000,?,?), ref: 0063A158

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c890c545018fcefbc21d0d3d9674074617fb4a5f4186643cd5bb838141b7b02c
Instruction ID: fe48f9617bdaf663a3d43e33b301b8481acc7ea6e7cc9aae3222b7f31f9761bb
Opcode Fuzzy Hash: c890c545018fcefbc21d0d3d9674074617fb4a5f4186643cd5bb838141b7b02c
Instruction Fuzzy Hash: DEF030352411097BEF515FA0DC41BEB776EAF04385F448065FD88D6260DB72DAA8AB90

Function 0064C0CF Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0064C0FD
SetDlgItemTextW.USER32(00000065,?), ref: 0064C114

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: dce83a7446c6eede1f22945917e9a14b3a46784f9bb1422e309af799b3d15efb
Instruction ID: 4e4670804e8d520a6750dc963b8078467b39b8dda7153f15520da9b41806ccef
Opcode Fuzzy Hash: dce83a7446c6eede1f22945917e9a14b3a46784f9bb1422e309af799b3d15efb
Instruction Fuzzy Hash: D5F0EC72550348BBE751A7A09C07FDB3B1FA704741F04445AB605921A2D6725A609BB9

Function 00639DFC Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,00639661,?,?,006394BC), ref: 00639E0D
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00639661,?,?,006394BC), ref: 00639E3B

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a0d256ab3fcfa4055e08050f60b8ccf26faa37632992e54c128cc56c81ce7849
Instruction ID: 02cbeae6b9b13a105e963e8db91e341007702db381f36281c5e36f4bd0402869
Opcode Fuzzy Hash: a0d256ab3fcfa4055e08050f60b8ccf26faa37632992e54c128cc56c81ce7849
Instruction Fuzzy Hash: 10E09231641209ABEB11AF61DC41BEB779FAF08781F844065F988C2150DBB1DD949EA4

Function 00639E63 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00639E58,?,006375A0,?,?,?,?), ref: 00639E74
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00639E58,?,006375A0,?,?,?,?), ref: 00639EA0

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e420442383343815e347b7385873552614c134c766c0c79c7b628fc8c4f5cbe2
Instruction ID: edc79005825e73eccb103ea849387b55a994709bad3d5472d51e71097562699f
Opcode Fuzzy Hash: e420442383343815e347b7385873552614c134c766c0c79c7b628fc8c4f5cbe2
Instruction Fuzzy Hash: DAE09B365001185BDB51AB68DC05BDA776E9F083F2F000271FD48E3290D7B19D948BD0

Function 0063F35B Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0063F376
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0063DF18,Crypt32.dll,?,0063DF9C,?,0063DF7E,?,?,?,?), ref: 0063F398

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: e5279dd454544292a4d9fdf8cda6bb497ae0c1ae3753642a126ab351550ddfcd
Instruction ID: 7260f2223ce352239903bec2b29f5e63f413de5d2a41bf11b3bfaac5550fb6a3
Opcode Fuzzy Hash: e5279dd454544292a4d9fdf8cda6bb497ae0c1ae3753642a126ab351550ddfcd
Instruction Fuzzy Hash: D3E0127281111C67DB519BA4DC05FD7776DEB08391F0444A5F948D2105DAB499808BF4

Function 00648923 Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00648944
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0064894B

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 4f1a76fa1b1a23d66458e4279ceec892368b9347a59b4833eea27ce45766de34
Instruction ID: 2f2f63f28aeda9df0574e897c86ff4f86adb86479bfd80e034878bca60220740
Opcode Fuzzy Hash: 4f1a76fa1b1a23d66458e4279ceec892368b9347a59b4833eea27ce45766de34
Instruction Fuzzy Hash: EBE0ED75905218EFCB60EF99C901BEDBBE9EF04761F10806EE85593701D6716E04EB92

Function 0064909D Relevance: 3.0, APIs: 2, Instructions: 22comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,0065F605,000000FF), ref: 006490C6
OleUninitialize.OLE32(?,?,?,0065F605,000000FF), ref: 006490CB

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 14454d320d8f9ceb7e17b1995278ab844232a64a7d6a73b728804615cfcf8c40
Instruction ID: c83719eb97a36cd97235a47def29b7288a4abb84ae70786e8e06534ac2f116c1
Opcode Fuzzy Hash: 14454d320d8f9ceb7e17b1995278ab844232a64a7d6a73b728804615cfcf8c40
Instruction Fuzzy Hash: 66E01A32948644DFC351DF88DD05B45BBEAFB09B20F104769B81A93B60DB796844CA95

Function 00650C46 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00651D87: try_get_function.LIBVCRUNTIME ref: 00651D9C

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00650C64
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00650C6F

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: d3ecc20f1e49b163351f5b2f7e8ac412579597a74fa636573714f5183eb1c8b7
Instruction ID: 44b70c57d94fd9ea58e96e2bee388a381330dac5da279a6523e54e94eb127a52
Opcode Fuzzy Hash: d3ecc20f1e49b163351f5b2f7e8ac412579597a74fa636573714f5183eb1c8b7
Instruction Fuzzy Hash: 3DD0A9BD24830218798436B0A80258A13435E137B7F60134EEC208D6D2EEB2C04F651A

Function 006312C2 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 006312D7
ShowWindow.USER32(00000000), ref: 006312DE

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 11fa087c8991d459688e9fac6f126d806b4b5eed863fc7d556b1b0b2b8274d61
Instruction ID: 34980896887c762ed77f5e9f205108505fead11f8c7e64dcae26a68a40fff899
Opcode Fuzzy Hash: 11fa087c8991d459688e9fac6f126d806b4b5eed863fc7d556b1b0b2b8274d61
Instruction Fuzzy Hash: 59C01232058200BFCB010BB0DC09C2EBBAAEBA5212F00C908F4A5D00A4C238C020DF12

Function 0063FC3C Relevance: 2.5, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00671E74,?,?,0063A5F0,?,?,?,?,0065F605,000000FF), ref: 0063FC4B
LeaveCriticalSection.KERNEL32(00671E74,?,?,0063A5F0,?,?,?,?,0065F605,000000FF), ref: 0063FC89

Part of subcall function 0063FA23: ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 0063FA57
Part of subcall function 0063FA23: FindCloseChangeNotification.KERNELBASE(00D5E12C,00D5E12C), ref: 0063FA71
Part of subcall function 0063FA23: DeleteCriticalSection.KERNEL32(00D5E2C8), ref: 0063FA8A
Part of subcall function 0063FA23: FindCloseChangeNotification.KERNELBASE(?), ref: 0063FA96
Part of subcall function 0063FA23: CloseHandle.KERNEL32(?), ref: 0063FAA2

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: CloseCriticalSection$ChangeFindNotification$DeleteEnterHandleLeaveReleaseSemaphore
String ID:
API String ID: 2076764878-0
Opcode ID: 35ccd6be82f0ab6da62aed051a054b33fff9ecf46eb6d3b1ced6862f324cf976
Instruction ID: e2b5d710e427823a98cb6c455d1aa5c1913e83991eadc516587ab4540bb9d556
Opcode Fuzzy Hash: 35ccd6be82f0ab6da62aed051a054b33fff9ecf46eb6d3b1ced6862f324cf976
Instruction Fuzzy Hash: 79F0A032A412109BD3155B18E9056EF766BAB86B65F04A03EFC086B290CBB08C41CBE5

Function 006319E2 Relevance: 1.8, APIs: 1, Instructions: 275COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006319E7

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bee0fce899c691cb1832f8bc90ae416d03b769969932c1e46fad9db357e796f9
Instruction ID: 77dc1089f00af1f5d0c8d99771e28c618a448d688d7dad7659c7e157975fc63d
Opcode Fuzzy Hash: bee0fce899c691cb1832f8bc90ae416d03b769969932c1e46fad9db357e796f9
Instruction Fuzzy Hash: D4B19E70A04646AFEB29CF78C444AF9FBA7BF07304F14425AE4569B381CB35A964CBD1

Function 006381ED Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006381F2

Part of subcall function 006313AF: __EH_prolog.LIBCMT ref: 006313B4
Part of subcall function 006313AF: new.LIBCMT ref: 0063142C

Part of subcall function 006319E2: __EH_prolog.LIBCMT ref: 006319E7

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5414fba5ec5207d107594e1757ebbc22166f101893bc2edca3a244808166c411
Instruction ID: 4eef44392f2d5fdb45fc835ef45ff051cf743b60fb91e1cfea100f445b57cb9c
Opcode Fuzzy Hash: 5414fba5ec5207d107594e1757ebbc22166f101893bc2edca3a244808166c411
Instruction Fuzzy Hash: 2041B2719407549EEB20EBA0C851BEAB36AAF50700F0400EEF58A97292DF745FC8DB94

Function 006421E5 Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006421EA

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8b22ee87311c5cab7bb702efa61b5ed43d6aa2bed2a56ffa1e356ebf4cfc82e2
Instruction ID: 098c98d09e5debe9f84f8b19c6ccb2d9eb04a9641adc040968f75ec728145689
Opcode Fuzzy Hash: 8b22ee87311c5cab7bb702efa61b5ed43d6aa2bed2a56ffa1e356ebf4cfc82e2
Instruction Fuzzy Hash: 5E21E6B1E40216ABDB149FB9CC51AAB766AEF08714F10453EF505EB681D7B49E00C6A8

Function 00649484 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00649489

Part of subcall function 006313AF: __EH_prolog.LIBCMT ref: 006313B4
Part of subcall function 006313AF: new.LIBCMT ref: 0063142C

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 45992861ac51bb4e2bb47d2fa998b22952ff9492a8527610f547d43858f7eb2b
Instruction ID: 0551dc3ad4f1da68938c87ab1ec227907f2f0b5eea55c6b83e57c4680a23170b
Opcode Fuzzy Hash: 45992861ac51bb4e2bb47d2fa998b22952ff9492a8527610f547d43858f7eb2b
Instruction Fuzzy Hash: 40213B71C052499ECF55DFA4D9529EEBBF6AF1A300F1000AEE809A7242D7356E06DBA4

Function 00639120 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00639125

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ced9050eff72e375eb627fa1f9571c1a124763e8889dfffbce9a1e6ddb310b74
Instruction ID: d7ca305375f4040bb280c56cc4ecb6bdd1d1495b971924308c1d4dc4835e0b53
Opcode Fuzzy Hash: ced9050eff72e375eb627fa1f9571c1a124763e8889dfffbce9a1e6ddb310b74
Instruction Fuzzy Hash: D3117073E009299BCB12AF68CC919DEBB37AF88750F004529FC05B7211CA708D148BE4

Function 006559EC Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0065239A,?,0000015D,?,?,?,?,00652F19,000000FF,00000000,?,?), ref: 00655A1E

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7881ffb6389d183694f81545168c39b1e172c28ce1b6ee3b97e9f6854f1d5a45
Instruction ID: d211ecce3e57b4a7d733d77f05e73f038ac90f73495d46d410daf14bd009135d
Opcode Fuzzy Hash: 7881ffb6389d183694f81545168c39b1e172c28ce1b6ee3b97e9f6854f1d5a45
Instruction Fuzzy Hash: DBE0E531120A216BE72126629C6E7DA364F9F023A3F010328AC0792690EB50CD0885A4

Function 00635B05 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00635B0A

Part of subcall function 0063ACB6: __EH_prolog.LIBCMT ref: 0063ACBB

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3a42631f320c44215b48ef62f5b07eebf016351144ba6ed536578997e3121474
Instruction ID: 387af3437210928b464fbf83901a87a133f0da1bc13af37d56e1d079cf8e81bc
Opcode Fuzzy Hash: 3a42631f320c44215b48ef62f5b07eebf016351144ba6ed536578997e3121474
Instruction Fuzzy Hash: C0018134901A89DAC744EBA8D4157DEFBE69F15300F0081ADA85A63286CFB42B08C7E7

Function 006394F3 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,006394C3), ref: 0063950E

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5c814943b966d8e0d0dbe3bdc68adf8e0c8c8a1b6f39eca1e3c6303c3c80bdb5
Instruction ID: 95b60c1ed5a3c186022a465fc1ced0b768ffa6f69c14378998b75c3dbd4a66dd
Opcode Fuzzy Hash: 5c814943b966d8e0d0dbe3bdc68adf8e0c8c8a1b6f39eca1e3c6303c3c80bdb5
Instruction Fuzzy Hash: C0F0E271582B445FDF318A34D9487D2B7E69B12735F048B1ED0E643AE0C3B1A888CFA0

Function 0063A195 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0063A1C4

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9c468626dd00adfadcb0aac480bdedf295a36305055294b1a492995a1fc1a787
Instruction ID: dc435ca5db95f0873a683f18cc126e63e1147e5f89872ec10a1e3e40376393be
Opcode Fuzzy Hash: 9c468626dd00adfadcb0aac480bdedf295a36305055294b1a492995a1fc1a787
Instruction Fuzzy Hash: 5CF08935408790EECA625BF44405BC7BB975F15331F048E4DF1FD122D1C2B554999BB2

Function 00631EBF Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00631EC4

Part of subcall function 00631927: __EH_prolog.LIBCMT ref: 0063192C

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c9cf32c143d60d73fdc5452f5d7f291d1552d15eb4e03628421aafaa3cbcb4c7
Instruction ID: 2fab902ec9f12205be380aed6120126dfc39722a31fe73854c372016d7f439a2
Opcode Fuzzy Hash: c9cf32c143d60d73fdc5452f5d7f291d1552d15eb4e03628421aafaa3cbcb4c7
Instruction Fuzzy Hash: 08F098B1D012898ECF81DFA8C546AEEBBF5AB1A300F0445BED519E7202E73556148B95

Function 00631EC4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00631EC4

Part of subcall function 00631927: __EH_prolog.LIBCMT ref: 0063192C

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9174b26c55bc6689883bf4742441a397630375c3705d662e38516824eb19a35e
Instruction ID: 3f75a6623cd30e48345190086597fb737fe8e0993cf33745088f3fb9213721bc
Opcode Fuzzy Hash: 9174b26c55bc6689883bf4742441a397630375c3705d662e38516824eb19a35e
Instruction Fuzzy Hash: BFF092B1C012488ECF81DFA8C946AEEBBF1AB1A200F0445BED409A7202EB3556048B95

Function 0063F944 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 0063F979

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 85ba79bfa77104cf214bf0091eeb93997f7a9f92f31a784ebab1965e3be25132
Instruction ID: 293126b0d198f5ba401bf319395b07db35ae3ffb0549a38d4245c6c3e41bd3a1
Opcode Fuzzy Hash: 85ba79bfa77104cf214bf0091eeb93997f7a9f92f31a784ebab1965e3be25132
Instruction Fuzzy Hash: 27D02B00B0007035EB513728AC0ABFD15070FC2360F0D107DF186672D2CAD5084256E2

Function 00648B64 Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00648B6A

Part of subcall function 00648923: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00648944

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: b3ecc342144db532c8dedf8b776bc33c6e15ccf428a3dce563ad8a90b77a80c7
Instruction ID: d53c504b2cbb6f2fe2b35401738b9e8365c31f6b430071d711b3574e04822164
Opcode Fuzzy Hash: b3ecc342144db532c8dedf8b776bc33c6e15ccf428a3dce563ad8a90b77a80c7
Instruction Fuzzy Hash: EED0A77060110D7FDF817B658C029BD7B9AEB01360F008139BC0487250FE71CD10B256

Function 0063976A Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,0063969C), ref: 00639776

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 82d926efd74f9b6e147a6e92eed26681fa65a640235a469ccaa3526992f354c8
Instruction ID: 020b17384069df29c45b9bba35eb49fff24ac8935850859e4529e909adff7ac7
Opcode Fuzzy Hash: 82d926efd74f9b6e147a6e92eed26681fa65a640235a469ccaa3526992f354c8
Instruction Fuzzy Hash: BAD01230021200558F690E345D0A0A66673DB833A6F28DAE4E025C41F1C7B2CC43F990

Function 0064BF76 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0064BF9B

Part of subcall function 0064991D: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0064992E
Part of subcall function 0064991D: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0064993F
Part of subcall function 0064991D: TranslateMessage.USER32(?), ref: 00649949
Part of subcall function 0064991D: DispatchMessageW.USER32(?), ref: 00649953

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Message$DispatchItemPeekSendTranslate
String ID:
API String ID: 4142818094-0
Opcode ID: 66cba75d74988e98394fe96edf72922a8ad40b3dee1ebbdec9c5a4c2ea80a37e
Instruction ID: 71c6a8b5c806250adb8ebefcc006ec71d8b27a00d4365d58a8febc0496a4ca1c
Opcode Fuzzy Hash: 66cba75d74988e98394fe96edf72922a8ad40b3dee1ebbdec9c5a4c2ea80a37e
Instruction Fuzzy Hash: 73D09E31144200AADB012B91CD06F0B7AA7FB88B04F404558B344340F1C6629D20EF56

Function 0063DE2A Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 0063DE34

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 93edabf0331fcfb83de69afad2a092a3d98a2cf363146f8394bdb6acabfd7446
Instruction ID: 9dc39f62f6b3c019004fde16718bf19a04459301757dfc195fb100d2a13b4ea5
Opcode Fuzzy Hash: 93edabf0331fcfb83de69afad2a092a3d98a2cf363146f8394bdb6acabfd7446
Instruction Fuzzy Hash: BCD0CA70410221DFE7A08F28E804782BBE5BF28311B22883ED0CAC2224E2B08880CF80

Function 0064C740 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064C737

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 368aaa620f6cf794487e3b8ebdc6d7b69ff5e3111021b614394be7f33c1a42b1
Instruction ID: 3b6f1df5588910fe4bf6d90b8252a3947e4bf876c510ded64375274bd668dad7
Opcode Fuzzy Hash: 368aaa620f6cf794487e3b8ebdc6d7b69ff5e3111021b614394be7f33c1a42b1
Instruction Fuzzy Hash: 15B012E526A4056D73C4E1946D16C37010FC1C0F30330821FF401C1341E8409D4A0436

Function 0064C74A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064C737

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d476f61c8b48813582ce165acd18e87fef102ec1136e53ed9b0729e39ca50f0d
Instruction ID: 42f3bed47835ad6008b27a42cc6f67bd90c402f459abfbcb743fe952a12248e1
Opcode Fuzzy Hash: d476f61c8b48813582ce165acd18e87fef102ec1136e53ed9b0729e39ca50f0d
Instruction Fuzzy Hash: 55B012E126A5056D73C4E5992D16C36010FC0C0F30330C11FF800C1341E8405E4A0832

Function 0064C75E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064C737

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c092098d482c8989c5fa351a16cb3bea45d70fa65f0a23ae6f4e0463cce5a2bb
Instruction ID: 62fda44abcfa8714d8cfa7a8dc79428e78741fe7f8983cd35cba198aa8231807
Opcode Fuzzy Hash: c092098d482c8989c5fa351a16cb3bea45d70fa65f0a23ae6f4e0463cce5a2bb
Instruction Fuzzy Hash: C9B012E125A6056E73C4E1993F26C37010FC0C0F30330811FF400C1341E8404E4B0832

Function 0064C725 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064C737

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 16619cf1d89c251237ba9c890f502bf2b7ac7aeb77aaf0fcd177ccdab3e716d4
Instruction ID: 59bbf743693883cd3847da1f3022a68c548cbf64ff9ab3f4140c72a93d18a8cd
Opcode Fuzzy Hash: 16619cf1d89c251237ba9c890f502bf2b7ac7aeb77aaf0fcd177ccdab3e716d4
Instruction Fuzzy Hash: F2B012E125A6057D73C4A1952D56C36010FC0C5F30330821FF400D0341E8404E8A4832

Function 0064C7B5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064C798

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a5e518149bd1e72d619e971b17c06f75715ca41a23aca7ed00cfe694cc088abd
Instruction ID: aa3411a8ff4c00cb1dd4e2455e2caa480611d9d68bd4271fae45a5245494cc8d
Opcode Fuzzy Hash: a5e518149bd1e72d619e971b17c06f75715ca41a23aca7ed00cfe694cc088abd
Instruction Fuzzy Hash: 46B012E127A108AD73C4D2A72C1AC36050FC1C4F30330C11FF400C1340E8400D46063E

Function 0064C7BF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064C798

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0b776240573afdc9aee10b53e9dd4196b40f54cd4628e6df2706c175bb4abcfc
Instruction ID: 40659f98444ceaad31e2082037fc1900fb241a2330802fc10e1d342c5dfc4630
Opcode Fuzzy Hash: 0b776240573afdc9aee10b53e9dd4196b40f54cd4628e6df2706c175bb4abcfc
Instruction Fuzzy Hash: 72B092A126A004AD728496A5690A836050FC084F20320811AB400C2240A840094A053A

Function 0064C786 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064C798

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bdb4c2573a855821964a2582381c515cdaca2e4479ab8fe5dae39b047ef9f95a
Instruction ID: 7adabf89032ee30e61b6a6523dd6700a01c914f858a99582f11494076c3777d5
Opcode Fuzzy Hash: bdb4c2573a855821964a2582381c515cdaca2e4479ab8fe5dae39b047ef9f95a
Instruction Fuzzy Hash: 3CB012F127A104BD73C4D6A16C0AC36050FC0C1F30330C11FF800D1240A8402D4A043E

Function 0064C76D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064C737

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4e595145fe68774a93ea2087c02083a2dfc42df176fdc78aa74689b5a4115ae3
Instruction ID: cd3781115ec9215e74c38418fb43a6b2966d12a5659dd457f51f0c245f946c0e
Opcode Fuzzy Hash: 4e595145fe68774a93ea2087c02083a2dfc42df176fdc78aa74689b5a4115ae3
Instruction Fuzzy Hash: 0BA002D515A5167D72C4A1516D16C76011EC4C5F71331851EF501C5241A940594A1475

Function 0064C777 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064C737

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 64654d93fb012b8a1a5355d760d083f2362cbf33f771425ec1e2041f342b700f
Instruction ID: cd3781115ec9215e74c38418fb43a6b2966d12a5659dd457f51f0c245f946c0e
Opcode Fuzzy Hash: 64654d93fb012b8a1a5355d760d083f2362cbf33f771425ec1e2041f342b700f
Instruction Fuzzy Hash: 0BA002D515A5167D72C4A1516D16C76011EC4C5F71331851EF501C5241A940594A1475

Function 0064C759 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064C737

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 41533ca9bd8ecb74a77c7b82024f7e788253c9684006758df2e9ac6693f87048
Instruction ID: cd3781115ec9215e74c38418fb43a6b2966d12a5659dd457f51f0c245f946c0e
Opcode Fuzzy Hash: 41533ca9bd8ecb74a77c7b82024f7e788253c9684006758df2e9ac6693f87048
Instruction Fuzzy Hash: 0BA002D515A5167D72C4A1516D16C76011EC4C5F71331851EF501C5241A940594A1475

Function 0064C7A6 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064C798

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a0cd1218abb3d69b789cace0d62194d429a05ff7bab5ac0cda166b4c90434e1c
Instruction ID: 2ece0ada5e12ce1735c1ef88acfa6fe0f0287005ee620d53020088d1f9fe5445
Opcode Fuzzy Hash: a0cd1218abb3d69b789cace0d62194d429a05ff7bab5ac0cda166b4c90434e1c
Instruction Fuzzy Hash: 87A002D517A545BD728492616D1AC36051EC4C5F71331851EF501C5241694019461579

Function 0064C7B0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064C798

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 52c1aa64e26798fdfc5d5dffea1a90af328a5e6c9ec4c4b03b5d4039e7afe2a7
Instruction ID: 2ece0ada5e12ce1735c1ef88acfa6fe0f0287005ee620d53020088d1f9fe5445
Opcode Fuzzy Hash: 52c1aa64e26798fdfc5d5dffea1a90af328a5e6c9ec4c4b03b5d4039e7afe2a7
Instruction Fuzzy Hash: 87A002D517A545BD728492616D1AC36051EC4C5F71331851EF501C5241694019461579

Function 0064C781 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0064C737

Part of subcall function 0064CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0064CB38
Part of subcall function 0064CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0064CB49

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b2ade6ef58f2c6c371e7352e3732f0787328b428b3b3e93ed870d9c1de1fec01
Instruction ID: cd3781115ec9215e74c38418fb43a6b2966d12a5659dd457f51f0c245f946c0e
Opcode Fuzzy Hash: b2ade6ef58f2c6c371e7352e3732f0787328b428b3b3e93ed870d9c1de1fec01
Instruction Fuzzy Hash: 0BA002D515A5167D72C4A1516D16C76011EC4C5F71331851EF501C5241A940594A1475

Non-executed Functions

Function 0064A536 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 289timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006312E7: GetDlgItem.USER32(00000000,00003021), ref: 0063132B
Part of subcall function 006312E7: SetWindowTextW.USER32(00000000,006602E4), ref: 00631341

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0064A5C7
EndDialog.USER32(?,00000006), ref: 0064A5DA
GetDlgItem.USER32(?,0000006C), ref: 0064A5F6
SetFocus.USER32(00000000), ref: 0064A5FD
SetDlgItemTextW.USER32(?,00000065,?), ref: 0064A63D
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0064A670
FindFirstFileW.KERNEL32(?,?), ref: 0064A686
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0064A6A4
FileTimeToSystemTime.KERNEL32(?,?), ref: 0064A6B4
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0064A6D1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0064A6EF

Part of subcall function 0063D192: LoadStringW.USER32(?,?,00000200,?), ref: 0063D1D7
Part of subcall function 0063D192: LoadStringW.USER32(?,?,00000200,?), ref: 0063D1ED

_swprintf.LIBCMT ref: 0064A71F

Part of subcall function 00633F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00633F3E

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0064A732
FindClose.KERNEL32(00000000), ref: 0064A735
_swprintf.LIBCMT ref: 0064A790
SetDlgItemTextW.USER32(?,00000068,?), ref: 0064A7A3
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0064A7B9
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0064A7D9
FileTimeToSystemTime.KERNEL32(?,?), ref: 0064A7E9
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0064A803
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0064A81B
_swprintf.LIBCMT ref: 0064A84C
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0064A85F
_swprintf.LIBCMT ref: 0064A8AF
SetDlgItemTextW.USER32(?,00000069,?), ref: 0064A8C2

Part of subcall function 0064932E: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00649354
Part of subcall function 0064932E: GetNumberFormatW.KERNEL32(00000400,00000000,?,0066A154,?,?), ref: 006493A3

Strings

%s %s %s, xrefs: 0064A70D, 0064A839
%s %s, xrefs: 0064A77E, 0064A8A1
REPLACEFILEDLG, xrefs: 0064A55D

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 3227067027-1840816070
Opcode ID: 33d53ea576fcd1614af99b8d5618b1ff54ab1f026c6fc23e40f8a0067c3b4bf0
Instruction ID: cebe4fa6578ea5f5d337d73c08409db040edffa282fd73966fe8a5656c052091
Opcode Fuzzy Hash: 33d53ea576fcd1614af99b8d5618b1ff54ab1f026c6fc23e40f8a0067c3b4bf0
Instruction Fuzzy Hash: 7F919372588348BBE3219BE0CD49FFB77AEEB4A700F044919F649D6181D771AA058B63

Function 00637070 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00637075
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 006371D5
CloseHandle.KERNEL32(00000000), ref: 006371E5

Part of subcall function 00637A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00637AAC
Part of subcall function 00637A9D: GetLastError.KERNEL32 ref: 00637AF2
Part of subcall function 00637A9D: CloseHandle.KERNEL32(?), ref: 00637B01

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 006371F0
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 006372FE
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 0063732A
CloseHandle.KERNEL32(?), ref: 0063733C
GetLastError.KERNEL32(00000015,00000000,?), ref: 0063734C
RemoveDirectoryW.KERNEL32(?), ref: 00637398
DeleteFileW.KERNEL32(?), ref: 006373C0

Strings

UNC\, xrefs: 00637120
\??\, xrefs: 006370FB
SeRestorePrivilege, xrefs: 00637096
SeCreateSymbolicLinkPrivilege, xrefs: 006370A0

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 12ce12ccf04cf6058146ce53f1d8a0569884b57277685870babf5228731ea520
Instruction ID: 9dc3dd51d5392a9f23707c3168d2b70e631d0db64a2fb8a742fc623be773c506
Opcode Fuzzy Hash: 12ce12ccf04cf6058146ce53f1d8a0569884b57277685870babf5228731ea520
Instruction Fuzzy Hash: ABB1C2B1904218AFEB20DF64DC45BEF77BAEF09300F1444A9F919E7242D770AA45CBA4

Function 0065957E Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006595C2

Part of subcall function 0065915D: _free.LIBCMT ref: 0065917A
Part of subcall function 0065915D: _free.LIBCMT ref: 0065918C
Part of subcall function 0065915D: _free.LIBCMT ref: 0065919E
Part of subcall function 0065915D: _free.LIBCMT ref: 006591B0
Part of subcall function 0065915D: _free.LIBCMT ref: 006591C2
Part of subcall function 0065915D: _free.LIBCMT ref: 006591D4
Part of subcall function 0065915D: _free.LIBCMT ref: 006591E6
Part of subcall function 0065915D: _free.LIBCMT ref: 006591F8
Part of subcall function 0065915D: _free.LIBCMT ref: 0065920A
Part of subcall function 0065915D: _free.LIBCMT ref: 0065921C
Part of subcall function 0065915D: _free.LIBCMT ref: 0065922E
Part of subcall function 0065915D: _free.LIBCMT ref: 00659240
Part of subcall function 0065915D: _free.LIBCMT ref: 00659252

_free.LIBCMT ref: 006595B7

Part of subcall function 006559B2: RtlFreeHeap.NTDLL(00000000,00000000,?,006592F2,?,00000000,?,00000000,?,00659319,?,00000007,?,?,00659716,?), ref: 006559C8
Part of subcall function 006559B2: GetLastError.KERNEL32(?,?,006592F2,?,00000000,?,00000000,?,00659319,?,00000007,?,?,00659716,?,?), ref: 006559DA

_free.LIBCMT ref: 006595D9
_free.LIBCMT ref: 006595EE
_free.LIBCMT ref: 006595F9
_free.LIBCMT ref: 0065961B
_free.LIBCMT ref: 0065962E
_free.LIBCMT ref: 0065963C
_free.LIBCMT ref: 00659647
_free.LIBCMT ref: 0065967F
_free.LIBCMT ref: 00659686
_free.LIBCMT ref: 006596A3
_free.LIBCMT ref: 006596BB

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5ef2210afaa3e7164fd3efdb808faa5229ef352993a8c6f88c551be5a9a2e30b
Instruction ID: 08dc9dde4f5bad66799a02e4602b514c37ddc6650fd0c90b3fb93dd7042cadef
Opcode Fuzzy Hash: 5ef2210afaa3e7164fd3efdb808faa5229ef352993a8c6f88c551be5a9a2e30b
Instruction Fuzzy Hash: 30313931605601DFFB71AAB9D859B9AB3EAEF00322F10841DEC49D6251DB35AC9CCB64

Function 0064B8BB Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0064B8DC
GetClassNameW.USER32(00000000,?,00000800), ref: 0064B90B

Part of subcall function 00640B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0063AC99,?,?,?,0063AC48,?,-00000002,?,00000000,?), ref: 00640B16

GetWindowLongW.USER32(00000000,000000F0), ref: 0064B929
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0064B940
GetObjectW.GDI32(00000000,00000018,?), ref: 0064B953

Part of subcall function 00648B21: GetDC.USER32(00000000), ref: 00648B2D
Part of subcall function 00648B21: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00648B3C
Part of subcall function 00648B21: ReleaseDC.USER32(00000000,00000000), ref: 00648B4A

Part of subcall function 00648ADE: GetDC.USER32(00000000), ref: 00648AEA
Part of subcall function 00648ADE: GetDeviceCaps.GDI32(00000000,00000058), ref: 00648AF9
Part of subcall function 00648ADE: ReleaseDC.USER32(00000000,00000000), ref: 00648B07

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0064B97A
DeleteObject.GDI32(00000000), ref: 0064B981
GetWindow.USER32(00000000,00000002), ref: 0064B98A

Strings

STATIC, xrefs: 0064B911

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 1444658586-1882779555
Opcode ID: 8f8a371af19fccea5471b735634b5b5a43aab24b34519f536a7ff486f68d954f
Instruction ID: edc070b2ca7bd646ce6dd494e02d4cd437068a19156af6f782abda07fb4f1d4d
Opcode Fuzzy Hash: 8f8a371af19fccea5471b735634b5b5a43aab24b34519f536a7ff486f68d954f
Instruction Fuzzy Hash: C521D5725002247FEB216BA4DC4AFEE766FEF05710F005012FB01B6291CBB49D418ABA

Function 0065621A Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0065622E

Part of subcall function 006559B2: RtlFreeHeap.NTDLL(00000000,00000000,?,006592F2,?,00000000,?,00000000,?,00659319,?,00000007,?,?,00659716,?), ref: 006559C8
Part of subcall function 006559B2: GetLastError.KERNEL32(?,?,006592F2,?,00000000,?,00000000,?,00659319,?,00000007,?,?,00659716,?,?), ref: 006559DA

_free.LIBCMT ref: 0065623A
_free.LIBCMT ref: 00656245
_free.LIBCMT ref: 00656250
_free.LIBCMT ref: 0065625B
_free.LIBCMT ref: 00656266
_free.LIBCMT ref: 00656271
_free.LIBCMT ref: 0065627C
_free.LIBCMT ref: 00656287
_free.LIBCMT ref: 00656295

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0940846d9b2035b032de0c62279d0f21f59c6654b6b401cf03e80bd8afc1bdfd
Instruction ID: d9725ff713c78f65b1a86468a00e2813677652829c6ae41c81159b0bb203c55d
Opcode Fuzzy Hash: 0940846d9b2035b032de0c62279d0f21f59c6654b6b401cf03e80bd8afc1bdfd
Instruction Fuzzy Hash: 9911C376105448EFDF41EF94C856CD97BBAFF04361F4140A8BE8A8B222DA35DA949B84

Function 006320D3 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

xc%u, xrefs: 00632648
x%u, xrefs: 006325EB
;%u, xrefs: 00632408

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 6270e7b1b780d87d88ec50ab30303f0dded233ac51fb9d986c784018b44fb1ce
Instruction ID: a3aac4b32be94e90410ca9e0aac98ddb40e0dc4e773eca0c8bdbfc6b65149351
Opcode Fuzzy Hash: 6270e7b1b780d87d88ec50ab30303f0dded233ac51fb9d986c784018b44fb1ce
Instruction Fuzzy Hash: 26F126716043825BEB14EB248CA5BFE77EB6F91310F08446DFD859B383CA249945CBE6

Function 0064995E Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006312E7: GetDlgItem.USER32(00000000,00003021), ref: 0063132B
Part of subcall function 006312E7: SetWindowTextW.USER32(00000000,006602E4), ref: 00631341

EndDialog.USER32(?,00000001), ref: 006499AE
SendMessageW.USER32(?,00000080,00000001,?), ref: 006499DB
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 006499F0
SetWindowTextW.USER32(?,?), ref: 00649A01
GetDlgItem.USER32(?,00000065), ref: 00649A0A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00649A1E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00649A30

Strings

LICENSEDLG, xrefs: 00649972

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 0477f12df3d0becdf217f51be588c76be1c86c2d7f5906c7b83f9c9e3d7d70ef
Instruction ID: bb12ef5572ffa0b5ed01ee52d992407e57489914b6281c2ed65d313a15f40c34
Opcode Fuzzy Hash: 0477f12df3d0becdf217f51be588c76be1c86c2d7f5906c7b83f9c9e3d7d70ef
Instruction Fuzzy Hash: BC2108322402047FE7215FA5DD85E7B3B6FEB4AB85F051008F644B21A0CBA29D41DB77

Function 00656541 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 006565CC
__alldvrm.LIBCMT ref: 006567CD
__alldvrm.LIBCMT ref: 006567EF

Strings

>,e, xrefs: 0065678E
>,e, xrefs: 0065654B
>,e, xrefs: 00656557, 006565B2, 006565CB, 00656751

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: >,e$>,e$>,e
API String ID: 1036877536-4087248666
Opcode ID: be6c9d0d7c1be526505d416ba69bbcf9729ec644743c8de63497f1cd699fda8f
Instruction ID: 099f3c1efbb3d079434536258da101e3125d1afd82e6f9c5cf8be51591170ed0
Opcode Fuzzy Hash: be6c9d0d7c1be526505d416ba69bbcf9729ec644743c8de63497f1cd699fda8f
Instruction Fuzzy Hash: 20A14772A003869FDB21CF18C8917AEBBE6EF55315F5841ADFC859B381C6388949C751

Function 0063927D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00639282
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 006392A5
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 006392C4

Part of subcall function 00640B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0063AC99,?,?,?,0063AC48,?,-00000002,?,00000000,?), ref: 00640B16

_swprintf.LIBCMT ref: 00639360

Part of subcall function 00633F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00633F3E

MoveFileW.KERNEL32(?,?), ref: 006393D5
MoveFileW.KERNEL32(?,?), ref: 00639411

Strings

rtmp%d, xrefs: 00639349

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: d986e3f4960a94f57023af921fe00fc08f0029883995a6d832e8229cabd8e02d
Instruction ID: e1dc8d0c832e87dd4257a9fafeeeed8f101b628d9e6f32d9c32b7ae35cee6056
Opcode Fuzzy Hash: d986e3f4960a94f57023af921fe00fc08f0029883995a6d832e8229cabd8e02d
Instruction Fuzzy Hash: FA418071911158A6DF50AB708D84EDB77BEAF45341F4040AAB905E3142EB749B46CFB8

Function 00647D95 Relevance: 12.1, APIs: 8, Instructions: 135windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00647DAE
GetTickCount.KERNEL32 ref: 00647DCC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00647DE2
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00647DF6
TranslateMessage.USER32(?), ref: 00647E01
DispatchMessageW.USER32(?), ref: 00647E0C
ShowWindow.USER32(?,00000005,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 00647EBC
SetWindowTextW.USER32(?,00000000), ref: 00647EC6

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Message$CountTickWindow$DispatchPeekShowTextTranslate
String ID:
API String ID: 4150546248-0
Opcode ID: 33c35a9c741344daa81de2bd32b09b7793aab653d6b48356b0709a54cb8f46a2
Instruction ID: 232e4a3604adc6aab874b0a0cc41c30d55cd47edf7a8a55672567a744047c284
Opcode Fuzzy Hash: 33c35a9c741344daa81de2bd32b09b7793aab653d6b48356b0709a54cb8f46a2
Instruction Fuzzy Hash: 62416A71208306AFD710DFA5D98896BBBEAEF89704B00096DF646C7251DB71EC49CB62

Function 0063FE0E Relevance: 12.1, APIs: 8, Instructions: 117timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0063FE21

Part of subcall function 0063A930: GetVersionExW.KERNEL32(?), ref: 0063A955

FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0063FE4A
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0063FE5C
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0063FE69
SystemTimeToFileTime.KERNEL32(?,?), ref: 0063FE7F
SystemTimeToFileTime.KERNEL32(?,?), ref: 0063FE8B
FileTimeToSystemTime.KERNEL32(?,?), ref: 0063FEC1
__aullrem.LIBCMT ref: 0063FF4B

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: db67ccfbd3a84d35f755d1becbbe0d1a12d0dc58356afb88ac1a9b1ba4cfe859
Instruction ID: a2699022e60fc964c82c080aab75067488385658e9510b58ef4bb00ca9fe3578
Opcode Fuzzy Hash: db67ccfbd3a84d35f755d1becbbe0d1a12d0dc58356afb88ac1a9b1ba4cfe859
Instruction Fuzzy Hash: 66412AB2808305AFC314DF65C8809ABF7F9FF88714F004A2EF99692650E775E548DB96

Function 0065C56D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0065CCE2,00000000,00000000,00000000,00000000,00000000,?), ref: 0065C5AF
__fassign.LIBCMT ref: 0065C62A
__fassign.LIBCMT ref: 0065C645
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0065C66B
WriteFile.KERNEL32(?,00000000,00000000,0065CCE2,00000000,?,?,?,?,?,?,?,?,?,0065CCE2,00000000), ref: 0065C68A
WriteFile.KERNEL32(?,00000000,00000001,0065CCE2,00000000,?,?,?,?,?,?,?,?,?,0065CCE2,00000000), ref: 0065C6C3

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b8f7d7edefdff3b7e0bd3e191e865e23ea773c384deec94fdc9b2a7e698fe6a9
Instruction ID: e7edd3c05fe3cecaee93fd3ff655fbfdf2a04e29a64f7b6b29b6bc5ad2f07a63
Opcode Fuzzy Hash: b8f7d7edefdff3b7e0bd3e191e865e23ea773c384deec94fdc9b2a7e698fe6a9
Instruction Fuzzy Hash: BE51D0B4900308AFDB10CFA8D885AEEBBF6EF18311F14415AE951F7251E734AA44CF61

Function 0064B0D8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0064B0EE
_swprintf.LIBCMT ref: 0064B122

Part of subcall function 00633F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00633F3E

SetDlgItemTextW.USER32(?,00000066,00673122), ref: 0064B142
_wcschr.LIBVCRUNTIME ref: 0064B175
EndDialog.USER32(?,00000001), ref: 0064B256

Strings

%s%s%u, xrefs: 0064B117

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: bce084c5852e3d9870befeb9fcc9134de536fdd0700b7a7c2419df13b2e97370
Instruction ID: 3b5f16a815892dc7d68d525bc54cdd76bf32fce97ff2241059c307271a9253f9
Opcode Fuzzy Hash: bce084c5852e3d9870befeb9fcc9134de536fdd0700b7a7c2419df13b2e97370
Instruction Fuzzy Hash: 6C418D71900219AEEF65DB60CD85EEE77BEEB09304F4050A6F409E7151EFB09A848FA4

Function 0063C96F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0063C9F5
_strlen.LIBCMT ref: 0063CA25
_swprintf.LIBCMT ref: 0063CA46
_wcschr.LIBVCRUNTIME ref: 0063CA6F
_wcsrchr.LIBVCRUNTIME ref: 0063CABB

Strings

%08x, xrefs: 0063CA3A

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _strlen$_swprintf_wcschr_wcsrchr
String ID: %08x
API String ID: 1593746830-3682738293
Opcode ID: 59ee27a02107d401d04c20890d8594d80645ad5ddd52a0666fc4e9bd2233e05a
Instruction ID: b8f17f26697714b2feae49a99e7eb9cad902f578bd82be4d70aa8177dca3f3b4
Opcode Fuzzy Hash: 59ee27a02107d401d04c20890d8594d80645ad5ddd52a0666fc4e9bd2233e05a
Instruction Fuzzy Hash: 1941D332904354AAE730E624CC49EFB769FEB84720F05052AF949E7282D6749D05C3E6

Function 00647EE4 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,00648704,?), ref: 00647FB9
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 00647FDA

Strings

<html>, xrefs: 00647F28, 00647F61
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00647F33
utf-8"></head>, xrefs: 00647F3E
</html>, xrefs: 00647F8B

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: 617897eca9be3a01b1ac51cdc5034b47c0c15177eb9028bc695bea1dd55fcff1
Instruction ID: 9e045adf675de5062b525a6698536342fcbeefe53ba14e2f146d176306cb609d
Opcode Fuzzy Hash: 617897eca9be3a01b1ac51cdc5034b47c0c15177eb9028bc695bea1dd55fcff1
Instruction Fuzzy Hash: 4F31F3321083117EE764AB60DC06FAFB79BDF52760F14411EF510962C2EFB4990987A9

Function 0064859B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 006485B4
GetWindowRect.USER32(?,?), ref: 006485D9
ShowWindow.USER32(?,00000005,?), ref: 00648670
SetWindowTextW.USER32(?,00000000), ref: 00648678
ShowWindow.USER32(00000000,00000005), ref: 0064868E

Strings

RarHtmlClassName, xrefs: 0064863A

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: e9bc6f5b6d51acef837d54ab743506f06161d60db1dc9cc11b3b9eb8b23cecae
Instruction ID: 308f3690d10e27bfe81d93add0ccdabb63ff87e019b69f2da75a630b79a1bb00
Opcode Fuzzy Hash: e9bc6f5b6d51acef837d54ab743506f06161d60db1dc9cc11b3b9eb8b23cecae
Instruction Fuzzy Hash: EB31AE32101210EFC7119FA4DD48E5FBFAAEB49701F054459FD49AA296DB70E904CFA2

Function 00659300 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006592C4: _free.LIBCMT ref: 006592ED

_free.LIBCMT ref: 0065934E

Part of subcall function 006559B2: RtlFreeHeap.NTDLL(00000000,00000000,?,006592F2,?,00000000,?,00000000,?,00659319,?,00000007,?,?,00659716,?), ref: 006559C8
Part of subcall function 006559B2: GetLastError.KERNEL32(?,?,006592F2,?,00000000,?,00000000,?,00659319,?,00000007,?,?,00659716,?,?), ref: 006559DA

_free.LIBCMT ref: 00659359
_free.LIBCMT ref: 00659364
_free.LIBCMT ref: 006593B8
_free.LIBCMT ref: 006593C3
_free.LIBCMT ref: 006593CE
_free.LIBCMT ref: 006593D9

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f1ac33a155eeba0822e17f5f402666ce6a004e9925b6c7aeea596f78182db2dd
Instruction ID: 8d9fea253ca21ebac3913fbc1dfe47d5ccf6136377073e26ea76ca35f6e1e4dd
Opcode Fuzzy Hash: f1ac33a155eeba0822e17f5f402666ce6a004e9925b6c7aeea596f78182db2dd
Instruction Fuzzy Hash: 72119631551B04F6DA70B7B0CC07FCBB79E9F00712F40481CBA9A66092D678F64C4764

Function 00650BB4 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00650BAB,0064E602), ref: 00650BC2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00650BD0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00650BE9
SetLastError.KERNEL32(00000000,?,00650BAB,0064E602), ref: 00650C3B

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 865b0e3209d42614c6690d0b9e9bf88934a06ed97476ec41c9793ddb167dde8b
Instruction ID: 2fe336b5d9f68379720d602b2e571aae2bc514be7e1d26fd48205f4389923510
Opcode Fuzzy Hash: 865b0e3209d42614c6690d0b9e9bf88934a06ed97476ec41c9793ddb167dde8b
Instruction Fuzzy Hash: E60124321192125EF7602AB4ACC66A72A57FB133B7F20032EFC11552F1EFA18C0B9544

Function 0064C7FC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

KERNEL32.DLL, xrefs: 0064C816
AcquireSRWLockExclusive, xrefs: 0064C82B
ReleaseSRWLockExclusive, xrefs: 0064C83B

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: c286f6994b51a613549e22e923e1c56665f4e32a335e07d5ee838479c746ae30
Instruction ID: cc90e426abd9f7cd3ed7cfa695177730ff3614edf3df96f691d41e071f3d52d8
Opcode Fuzzy Hash: c286f6994b51a613549e22e923e1c56665f4e32a335e07d5ee838479c746ae30
Instruction Fuzzy Hash: 2E01F471753222AFEFA05FB55C94AE72F9B9B03771316223AE911D7350E760C841A7A0

Function 0064003E Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 0064009C

Part of subcall function 0063A930: GetVersionExW.KERNEL32(?), ref: 0063A955

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006400BE
FileTimeToSystemTime.KERNEL32(?,?), ref: 006400D8
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 006400E9
SystemTimeToFileTime.KERNEL32(?,?), ref: 006400F9
SystemTimeToFileTime.KERNEL32(?,?), ref: 00640105

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 91b321cae91e79ac0c90abf4542d8c162f210f85c481d3e4cd1e8c6a40c134b6
Instruction ID: 4c7429e321cf5436bfe14458a5d31d63bae6a3c76e5b11293cc34c4da88c28b8
Opcode Fuzzy Hash: 91b321cae91e79ac0c90abf4542d8c162f210f85c481d3e4cd1e8c6a40c134b6
Instruction Fuzzy Hash: 4331F57A1083459BD700DFA5C88099BB7F9BF98704F04592EFA99C3210E730D549CB6A

Function 0064820D Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00648231
_memcmp.LIBVCRUNTIME ref: 00648248

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f01affc40d095a72dff3a018264228eb9d594f32fe23201c6ee16061f354da78
Instruction ID: 65a66eaadd80e7fe07702fab6186c0dbe83121f3e9e899fb3c3b3583ecf5f7d7
Opcode Fuzzy Hash: f01affc40d095a72dff3a018264228eb9d594f32fe23201c6ee16061f354da78
Instruction Fuzzy Hash: 0F21C2B1A0060AAFDB009A14DC82EBF77AEAF60749B148128FC05DB206E7B1DE4596D4

Function 0065630E Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0066CBE8,00652664,0066CBE8,?,?,00652203,?,?,0066CBE8), ref: 00656312
_free.LIBCMT ref: 00656345
_free.LIBCMT ref: 0065636D
SetLastError.KERNEL32(00000000,?,0066CBE8), ref: 0065637A
SetLastError.KERNEL32(00000000,?,0066CBE8), ref: 00656386
_abort.LIBCMT ref: 0065638C

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d44fc1fdf81cb8301b8e9365e0a8215ac48cf0813ccf22a83717c140e10baeed
Instruction ID: 988ca18e9addb299559a4dab533f2c6fcf017954f1cae3bae6e681a254e43dfa
Opcode Fuzzy Hash: d44fc1fdf81cb8301b8e9365e0a8215ac48cf0813ccf22a83717c140e10baeed
Instruction Fuzzy Hash: E9F0F43514990066D7513774EC1EB9B122B8BD0733F251228FC15D32A1FFA5880AC1A9

Function 0064A8D3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,?,?,?,00001000), ref: 0064A92B
CharUpperW.USER32(?,?,?,?,?,00001000), ref: 0064A952

Strings

-, xrefs: 0064A919
*ag, xrefs: 0064A99B

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: CharUpper
String ID: *ag$-
API String ID: 9403516-929444008
Opcode ID: 3248dac528403572bb46c5ec104d4fad422fe0180d995ea1795926edce1bfff6
Instruction ID: 471e0f8cbee389911b3c1b34ad88e424a94c2cb25c38a26d42c85c024effb194
Opcode Fuzzy Hash: 3248dac528403572bb46c5ec104d4fad422fe0180d995ea1795926edce1bfff6
Instruction Fuzzy Hash: 642127724A4305B9D320EBE8880CBF7A69B9B95310F02481FF595C2681DBB8C8C8D367

Function 0064B81F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 006312E7: GetDlgItem.USER32(00000000,00003021), ref: 0063132B
Part of subcall function 006312E7: SetWindowTextW.USER32(00000000,006602E4), ref: 00631341

EndDialog.USER32(?,00000001), ref: 0064B86A
GetDlgItemTextW.USER32(?,00000066,00000800), ref: 0064B880
SetDlgItemTextW.USER32(?,00000065,?), ref: 0064B89A
SetDlgItemTextW.USER32(?,00000066), ref: 0064B8A5

Strings

RENAMEDLG, xrefs: 0064B837

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: b7228e8abd1af263870aa9235fd6c9a7c3e0ddb371e927d84072075a3680d9c4
Instruction ID: 7eee59dcb4a2f2fc8219835a9e1dacd2cc5949f339f8f42cade528a9bfb6cd81
Opcode Fuzzy Hash: b7228e8abd1af263870aa9235fd6c9a7c3e0ddb371e927d84072075a3680d9c4
Instruction Fuzzy Hash: 1001F532A802117ED7114FA9DE48F777B6EAB8AB41F002416F241B71D0C7A6E8059B72

Function 00654A7F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00654A30,?,?,006549D0,?,00667F60,0000000C,00654B27,?,00000002), ref: 00654A9F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00654AB2
FreeLibrary.KERNEL32(00000000,?,?,?,00654A30,?,?,006549D0,?,00667F60,0000000C,00654B27,?,00000002,00000000), ref: 00654AD5

Strings

mscoree.dll, xrefs: 00654A98
CorExitProcess, xrefs: 00654AAA

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4e8c58229dfe240e8b3846f381105adee5765eae45db4f5cc2522527117796bc
Instruction ID: b019d748897050fba83a920c1d62418b004655ccb5f6eb1202a11015b0461eb8
Opcode Fuzzy Hash: 4e8c58229dfe240e8b3846f381105adee5765eae45db4f5cc2522527117796bc
Instruction Fuzzy Hash: 55F04F30A40209BBDB559F90DC19B9EBFBAEF44716F0441B8F805A2250DFB54A84CA94

Function 006552C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00655333
_free.LIBCMT ref: 00655353

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 019c3b8f1b40836c7086e40b16c80e6a7f6fd02642216720914e6f19350db1b9
Instruction ID: 0246f0e3755d5107b0f37d2e3924d21894bdc5f6200773d25e2e8d4ad7ab5a27
Opcode Fuzzy Hash: 019c3b8f1b40836c7086e40b16c80e6a7f6fd02642216720914e6f19350db1b9
Instruction Fuzzy Hash: A841E832A00600DFCB14DFB8C895A9DB7B6EF89321F15456DE956EB381EB71AD05CB80

Function 006589A0 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006589A9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006589CC

Part of subcall function 006559EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0065239A,?,0000015D,?,?,?,?,00652F19,000000FF,00000000,?,?), ref: 00655A1E

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006589F2
_free.LIBCMT ref: 00658A05
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00658A14

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e9fd61ff9033e0247279cfe34e837ba11f8f45f6641e4309b8f46fb7175b12fd
Instruction ID: 46f8969a296e85d7757d8f8ad83ea1c018485e43878f3085896ed6428637c739
Opcode Fuzzy Hash: e9fd61ff9033e0247279cfe34e837ba11f8f45f6641e4309b8f46fb7175b12fd
Instruction Fuzzy Hash: F701A772602695BF372156BA6C4DCBB796FDFC6FA2714012EFD04E7600EEA08D0581B1

Function 00656392 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00655E33,00655ACF,?,0065633C,00000001,00000364,?,00652203,?,?,0066CBE8), ref: 00656397
_free.LIBCMT ref: 006563CC
_free.LIBCMT ref: 006563F3
SetLastError.KERNEL32(00000000,?,0066CBE8), ref: 00656400
SetLastError.KERNEL32(00000000,?,0066CBE8), ref: 00656409

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 23952c23384a078b8adee6aed47e3bdc33ae680904a140cf0e21b4dc63f10ba5
Instruction ID: 67fc3a855b22fa550f0e3e5ca9b902037c46fb87555992009bf31ca9da13ceaf
Opcode Fuzzy Hash: 23952c23384a078b8adee6aed47e3bdc33ae680904a140cf0e21b4dc63f10ba5
Instruction Fuzzy Hash: C6012672149A016797113764EC89A6B166BCBE0373F615128FC1693252EFA4CC0EC165

Function 0065925B Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00659273

Part of subcall function 006559B2: RtlFreeHeap.NTDLL(00000000,00000000,?,006592F2,?,00000000,?,00000000,?,00659319,?,00000007,?,?,00659716,?), ref: 006559C8
Part of subcall function 006559B2: GetLastError.KERNEL32(?,?,006592F2,?,00000000,?,00000000,?,00659319,?,00000007,?,?,00659716,?,?), ref: 006559DA

_free.LIBCMT ref: 00659285
_free.LIBCMT ref: 00659297
_free.LIBCMT ref: 006592A9
_free.LIBCMT ref: 006592BB

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6d660fc24adf0fd2818095553228b73938fd003b9b4074a9c23d2bf0441b6b81
Instruction ID: 6a92c4858535c11f2750823afebb8746a40a2edb3df02eb7f5de229f883d4610
Opcode Fuzzy Hash: 6d660fc24adf0fd2818095553228b73938fd003b9b4074a9c23d2bf0441b6b81
Instruction Fuzzy Hash: DBF04F3251A640FB9A60EB98E986C56B3EBEB00731F64480DFC09E7601CA68FC844A64

Function 00655513 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00655531

Part of subcall function 006559B2: RtlFreeHeap.NTDLL(00000000,00000000,?,006592F2,?,00000000,?,00000000,?,00659319,?,00000007,?,?,00659716,?), ref: 006559C8
Part of subcall function 006559B2: GetLastError.KERNEL32(?,?,006592F2,?,00000000,?,00000000,?,00659319,?,00000007,?,?,00659716,?,?), ref: 006559DA

_free.LIBCMT ref: 00655543
_free.LIBCMT ref: 00655556
_free.LIBCMT ref: 00655567
_free.LIBCMT ref: 00655578

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c8f982bb6fe116295a6e8dd2f882744bf40822f9986f68e9c8cf73b9d838367e
Instruction ID: 1e9919747811865924ec9f69b7f5bbe87028d7a88d65ccd95c0bf015f2188d57
Opcode Fuzzy Hash: c8f982bb6fe116295a6e8dd2f882744bf40822f9986f68e9c8cf73b9d838367e
Instruction Fuzzy Hash: 4BF017B0826920ABAB517F98FC154097BB3FB04732B81220EFD15A2371D72808469F87

Function 00654B7A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\efthfxj.sfx.exe,00000104), ref: 00654BBA
_free.LIBCMT ref: 00654C85
_free.LIBCMT ref: 00654C8F

Strings

C:\Users\user\AppData\Roaming\efthfxj.sfx.exe, xrefs: 00654BB1, 00654BB8, 00654BE7, 00654C1F

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe
API String ID: 2506810119-2596865311
Opcode ID: 780bd16ba39fc83aa76c858479a959163ce520bf12073c626ed82acd415c32e0
Instruction ID: 64d9c3f841a1d72c52490cc67ba317c7d679cb67134944cefc7279ee7d5a032f
Opcode Fuzzy Hash: 780bd16ba39fc83aa76c858479a959163ce520bf12073c626ed82acd415c32e0
Instruction Fuzzy Hash: 5B319571A01258FFDB21DB999C8599EBBFEEF85315F1041AAFC0497310DB708A88CB54

Function 00637463 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00637468

Part of subcall function 00633A90: __EH_prolog.LIBCMT ref: 00633A95

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000), ref: 0063752E

Part of subcall function 00637A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00637AAC
Part of subcall function 00637A9D: GetLastError.KERNEL32 ref: 00637AF2
Part of subcall function 00637A9D: CloseHandle.KERNEL32(?), ref: 00637B01

Strings

SeSecurityPrivilege, xrefs: 006374AC
SeRestorePrivilege, xrefs: 006374C1

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 874f26c91ba3cc334d1f5f5bfa9e78322ce76a93f29c395c9e50238e62752908
Instruction ID: 9dc33e9def8f38a6e5bccc3d10cdc36caa1344efd9cff82840f382acec404c04
Opcode Fuzzy Hash: 874f26c91ba3cc334d1f5f5bfa9e78322ce76a93f29c395c9e50238e62752908
Instruction Fuzzy Hash: E731C4B1904248AFDFA0EFA4DC02BEE7BBBEF55320F004069F545A7252DB745A448BA5

Function 00649122 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 006312E7: GetDlgItem.USER32(00000000,00003021), ref: 0063132B
Part of subcall function 006312E7: SetWindowTextW.USER32(00000000,006602E4), ref: 00631341

EndDialog.USER32(?,00000001), ref: 006491AA
GetDlgItemTextW.USER32(?,00000065,00000000,?), ref: 006491BF
SetDlgItemTextW.USER32(?,00000065,?), ref: 006491D4

Strings

ASKNEXTVOL, xrefs: 0064913A

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 28ab615807e613cad5db9929d2e928e8b2f8a3ce457ca3b328bc2c4c287d431d
Instruction ID: acb82106f76583bca0072654f165fddd61d39c7d1052afd3b4520438f8338781
Opcode Fuzzy Hash: 28ab615807e613cad5db9929d2e928e8b2f8a3ce457ca3b328bc2c4c287d431d
Instruction Fuzzy Hash: C611E632284202BFE7019FE4DD4DF973B6BEB46701F014116F600AB2A0C362AD01DB76

Function 0064BFA9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,?,00649645,?,?), ref: 0064C021

Strings

GETPASSWORD1, xrefs: 0064C016
*ag, xrefs: 0064C064
*ag, xrefs: 0064BFC7

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: DialogParam
String ID: *ag$*ag$GETPASSWORD1
API String ID: 665744214-2557219278
Opcode ID: 1fea71e62a29c67e3c2b64d664be2412b3241288bd8a725d6fcd5e0729aa42fc
Instruction ID: 2cee4294985f60a98d6a84856bc590500d3c7021a64c99249523f5a531a636d3
Opcode Fuzzy Hash: 1fea71e62a29c67e3c2b64d664be2412b3241288bd8a725d6fcd5e0729aa42fc
Instruction Fuzzy Hash: 03113832244244ABEB51DE64EC05BEB378BBB09760F041069FD49A72C1D7B55C80DBA8

Function 00649645 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 006312E7: GetDlgItem.USER32(00000000,00003021), ref: 0063132B
Part of subcall function 006312E7: SetWindowTextW.USER32(00000000,006602E4), ref: 00631341

EndDialog.USER32(?,00000001), ref: 00649693
GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 006496AB
SetDlgItemTextW.USER32(?,00000066,?), ref: 006496D9

Strings

GETPASSWORD1, xrefs: 0064965E

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 0f33b12b0015cd4209a9e3f9ff822c87b9ea0f4184c360c9acfd1d17be977c0d
Instruction ID: 8f6650c56f2b89238fe899d52e323c7d64a597b9b46cdf11783863bcfe1e178b
Opcode Fuzzy Hash: 0f33b12b0015cd4209a9e3f9ff822c87b9ea0f4184c360c9acfd1d17be977c0d
Instruction Fuzzy Hash: 68112B32590118B7EB219EB49D49FFB376FEB0A700F120015FA45F72C0C2A5AD118AB5

Function 0063B150 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0063B177

Part of subcall function 00633F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00633F3E

_wcschr.LIBVCRUNTIME ref: 0063B195
_wcschr.LIBVCRUNTIME ref: 0063B1A5

Strings

%c:\, xrefs: 0063B16D

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 5916a0caaa3f29362842c769cac9966b67d176099091fb690a1d1d9c07b5acf6
Instruction ID: 0972db2546df60550aec1c58371db26ddd3d12e43652d395e494c2caac0990da
Opcode Fuzzy Hash: 5916a0caaa3f29362842c769cac9966b67d176099091fb690a1d1d9c07b5acf6
Instruction Fuzzy Hash: 4B014563500321B9DB30AB249C42CBBA3AEEE96360F00540FFE44C2282FB20D84482F5

Function 0063F982 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(000001A0,00000000,00671E74,?,?,0063FB9D,00000020,?,0063A812,?,0063C79B,?,00000000,?,00000001,?), ref: 0063F9BB
CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0063A812,?,0063C79B,?,00000000,?,00000001,?,?,?,00643AFE), ref: 0063F9C5
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0063A812,?,0063C79B,?,00000000,?,00000001,?,?,?,00643AFE), ref: 0063F9D5

Strings

Thread pool initialization failed., xrefs: 0063F9ED

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 3ed86bb21e4c6bee2952be13a70918324a8253bb0b0040f758ea6330c0e89642
Instruction ID: 0af253a524ac124be2f6638b4cd56faab7f53420e04cc5f956f99f732f3b2037
Opcode Fuzzy Hash: 3ed86bb21e4c6bee2952be13a70918324a8253bb0b0040f758ea6330c0e89642
Instruction Fuzzy Hash: 3C115AB1A00744AFD3205F66D889BA7FBEDFF95355F10483EE2DA86240DAB12840CB60

Function 0064BEE6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 0064BF41
REPLACEFILEDLG, xrefs: 0064BF2B, 0064BF5D

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 7f1c97f75babd6b5074b93d63d1e980b8768aeb5f9c938713e4ea65596d745f8
Instruction ID: 5ee66f8a80a9feb8b1dd367daa32e2f81f8a34be84cd0710aa284e496def2398
Opcode Fuzzy Hash: 7f1c97f75babd6b5074b93d63d1e980b8768aeb5f9c938713e4ea65596d745f8
Instruction Fuzzy Hash: 2C017171609202BFC7519F58EC40E22BB9BE789390F057526F549D2230E362DC5AEF65

Function 0063CE98 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0063CEA7
FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 0063CEB6

Strings

RTL, xrefs: 0063CEAF, 0063CEB4, 0063CEE8
LTR, xrefs: 0063CEC6, 0063CED1, 0063CEDA

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: LTR$RTL
API String ID: 3537982541-719208805
Opcode ID: 615e4c2ca5a97557a79aed3d73cfdcf51942b4a89d595327bf4fc1e974fc4e91
Instruction ID: e416ce25b511f96dd8249842a214a3d42c31b65be2f50728f15324bbfa04ab48
Opcode Fuzzy Hash: 615e4c2ca5a97557a79aed3d73cfdcf51942b4a89d595327bf4fc1e974fc4e91
Instruction Fuzzy Hash: B0F0243160425467F7246A74AC0AFA73BAEE785B20F00066DF606E61C0DBA0990987F4

Function 00639F7A Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00637F55,?,?,?), ref: 0063A020
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00637F55,?,?), ref: 0063A064
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00637F55,?,?,?,?,?,?,?,?), ref: 0063A0E5
CloseHandle.KERNEL32(?,?,00000000,?,00637F55,?,?,?,?,?,?,?,?,?,?,?), ref: 0063A0EC

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: a65a18bfde6f9d6ebd585168d5b209bc66726cbf4250017e58af310a5039b1f2
Instruction ID: 586935b24c289b46882373e7d2dff72f980fd4912cf821ae90676df55ef961d0
Opcode Fuzzy Hash: a65a18bfde6f9d6ebd585168d5b209bc66726cbf4250017e58af310a5039b1f2
Instruction Fuzzy Hash: 6341BE316483819AE731DF64DC45BEFBBEAAF85704F04091DF5E5D3280C6A49A08DBA3

Function 006593E4 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,F5E85006,00652784,00000000,00000000,00652FB2,?,00652FB2,?,00000001,00652784,F5E85006,00000001,00652FB2,00652FB2), ref: 00659431
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006594BA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006594CC
__freea.LIBCMT ref: 006594D5

Part of subcall function 006559EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0065239A,?,0000015D,?,?,?,?,00652F19,000000FF,00000000,?,?), ref: 00655A1E

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0316da40b5ed5c27614da26ca9c1df4ec11b06d45f5f69e2d1e8e9e34271df64
Instruction ID: 4533815728e0087084653dfc71a7509b99ccb8d3504577003de68d7eb26ae47f
Opcode Fuzzy Hash: 0316da40b5ed5c27614da26ca9c1df4ec11b06d45f5f69e2d1e8e9e34271df64
Instruction Fuzzy Hash: E531CB72A0020AABDF25CF64CC85DEE7BA6EB00311F040168FC04DB291E735CD5ACBA0

Function 00649A75 Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00649A85
GetObjectW.GDI32(00000000,00000018,?), ref: 00649AA6
DeleteObject.GDI32(00000000), ref: 00649ACE
DeleteObject.GDI32(00000000), ref: 00649AED

Part of subcall function 00648BCF: FindResourceW.KERNEL32(00000066,PNG,?,?,00649AC7,00000066), ref: 00648BE0
Part of subcall function 00648BCF: SizeofResource.KERNEL32(00000000,75FD5780,?,?,00649AC7,00000066), ref: 00648BF8
Part of subcall function 00648BCF: LoadResource.KERNEL32(00000000,?,?,00649AC7,00000066), ref: 00648C0B
Part of subcall function 00648BCF: LockResource.KERNEL32(00000000,?,?,00649AC7,00000066), ref: 00648C16

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID:
API String ID: 142272564-0
Opcode ID: 407b8aaccfe6b1343422ba13c9482d00fe74095502469ee33ce9e2c026d14480
Instruction ID: e635cd2f1971d4577c05c47b11b573f34c8f793cd9648c1252b4a687e5814564
Opcode Fuzzy Hash: 407b8aaccfe6b1343422ba13c9482d00fe74095502469ee33ce9e2c026d14480
Instruction Fuzzy Hash: 730126325802152FD71177B44D46EFF76AFEF84B61F080019FE00A7391DEA18C1186B5

Function 00650FD6 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00650FED

Part of subcall function 00651625: ___AdjustPointer.LIBCMT ref: 0065166F

_UnwindNestedFrames.LIBCMT ref: 00651004
___FrameUnwindToState.LIBVCRUNTIME ref: 00651016
CallCatchBlock.LIBVCRUNTIME ref: 0065103A

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: b9fa4c2ca776b65944230fb083eb0fa8b0de912ee33a1d220a96a688825d65b2
Instruction ID: b97face72208e6f6f2571fe8220eb1dfeb1723bbbf833599f956f3aa9c6b0a42
Opcode Fuzzy Hash: b9fa4c2ca776b65944230fb083eb0fa8b0de912ee33a1d220a96a688825d65b2
Instruction Fuzzy Hash: FE012532000149BBCF226F95CC01EDA3BBBFF59755F054018FE1866121C776E8A5EBA4

Function 0063FB54 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0063FB59
EnterCriticalSection.KERNEL32(00671E74,?,?,0063A812,?,0063C79B,?,00000000,?,00000001,?,?,?,00643AFE,?,00008000), ref: 0063FB66
new.LIBCMT ref: 0063FB82

Part of subcall function 0063F982: InitializeCriticalSection.KERNEL32(000001A0,00000000,00671E74,?,?,0063FB9D,00000020,?,0063A812,?,0063C79B,?,00000000,?,00000001,?), ref: 0063F9BB
Part of subcall function 0063F982: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0063A812,?,0063C79B,?,00000000,?,00000001,?,?,?,00643AFE), ref: 0063F9C5
Part of subcall function 0063F982: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0063A812,?,0063C79B,?,00000000,?,00000001,?,?,?,00643AFE), ref: 0063F9D5

LeaveCriticalSection.KERNEL32(00671E74,?,0063A812,?,0063C79B,?,00000000,?,00000001,?,?,?,00643AFE,?,00008000,?), ref: 0063FBA3

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: CriticalSection$Create$EnterEventH_prologInitializeLeaveSemaphore
String ID:
API String ID: 3780591329-0
Opcode ID: 43be5fb6001b25c553467aef64691246c7cddb11b99e792304e5d35ac432f98e
Instruction ID: 26d0ec10e7c0ce7e68412f244a05053ba43aea0d12187ea4380343e642dc78ac
Opcode Fuzzy Hash: 43be5fb6001b25c553467aef64691246c7cddb11b99e792304e5d35ac432f98e
Instruction Fuzzy Hash: CDF01D75E122119BDB889F6CE811BAA7AA7EB4A311F00513EEC09D7350DBB189408B95

Function 00650B06 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00650B06
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00650B0B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00650B10

Part of subcall function 00651BDE: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00651BEF

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00650B25

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 531e6f4e0a03c94a47563f5691ee99a7aac98bf87a5ed1e2fb88b7d1485fc598
Instruction ID: 3e56dff7da74bbee2b8e15299922214d1546bb248b51ae6bfa6e54b18d75ac30
Opcode Fuzzy Hash: 531e6f4e0a03c94a47563f5691ee99a7aac98bf87a5ed1e2fb88b7d1485fc598
Instruction Fuzzy Hash: B1C04C14640395943DE43BB129833ED13431C637CFF8015C9AC501F2075A57884F503F

Function 00648CF2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00648BA4: GetDC.USER32(00000000), ref: 00648BA8
Part of subcall function 00648BA4: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00648BB3
Part of subcall function 00648BA4: ReleaseDC.USER32(00000000,00000000), ref: 00648BBE

GetObjectW.GDI32(?,00000018,?), ref: 00648D23

Part of subcall function 00648EE9: GetDC.USER32(00000000), ref: 00648EF2
Part of subcall function 00648EE9: GetObjectW.GDI32(?,00000018,?), ref: 00648F21
Part of subcall function 00648EE9: ReleaseDC.USER32(00000000,?), ref: 00648FB5

Strings

(, xrefs: 00648DEE

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 78e4b1ddead82265f25a59385b5e9705d818b6ea55a86c1103b2a0d5dfe32a0a
Instruction ID: a8d12b2edd99c7b8cca8d5670a37ee4fd3bf80f24573990a3eb4848db7cdeecb
Opcode Fuzzy Hash: 78e4b1ddead82265f25a59385b5e9705d818b6ea55a86c1103b2a0d5dfe32a0a
Instruction Fuzzy Hash: A0611371608211AFD310DFA4C884E6BBBEAEF89704F10491DF599CB261CB71E805CB62

Function 006401CD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00640393

Strings

%ls, xrefs: 0064020C, 00640222
%s: %s, xrefs: 006403A2

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 062b29bd6f4a5d78932ea6c92652350e14af7d9e615e38862c3e278c7d2ddb66
Instruction ID: 84dcf9071793063653b0fc965bdefeaf4ae5ef74302333c2cd88c3e8301bc321
Opcode Fuzzy Hash: 062b29bd6f4a5d78932ea6c92652350e14af7d9e615e38862c3e278c7d2ddb66
Instruction Fuzzy Hash: E2511B35288330FAF7711A948C4BF377657AB05F00F60850AF78A684E6C5F2A751B75A

Function 00657BD9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00657D45

Part of subcall function 00655D1D: IsProcessorFeaturePresent.KERNEL32(00000017,00655D0C,0000002C,006680C8,00658D62,00000000,00000000,00656391,?,?,00655D19,00000000,00000000,00000000,00000000,00000000), ref: 00655D1F
Part of subcall function 00655D1D: GetCurrentProcess.KERNEL32(C0000417,006680C8,0000002C,00655A4A,00000016,00656391), ref: 00655D41
Part of subcall function 00655D1D: TerminateProcess.KERNEL32(00000000), ref: 00655D48

Strings

., xrefs: 00657EFC
*?, xrefs: 00657C1C

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 7b97f05bead931982e7a23c9cf534e270e960d3348eeadaf4e8a2cba3451af48
Instruction ID: bf5a0572894fbb61d71bf61cfa4cab369aa9c450e636d8e57ec6ed2d1623149b
Opcode Fuzzy Hash: 7b97f05bead931982e7a23c9cf534e270e960d3348eeadaf4e8a2cba3451af48
Instruction Fuzzy Hash: DC51BE71E0420AAFDF14CFA8D881AEDBBB6EF48315F24416EEC54E7300E6719A098B50

Function 00637619 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0063761E
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00637799

Part of subcall function 0063A113: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00639F49,?,?,?,00639DE2,?,00000001,00000000,?,?), ref: 0063A127
Part of subcall function 0063A113: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00639F49,?,?,?,00639DE2,?,00000001,00000000,?,?), ref: 0063A158

Strings

:, xrefs: 0063768F

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: bd1fadf799a0a78d894abe3c07c16ce357c7214413517dc42a91abf4e3b1c6c5
Instruction ID: 02423c64b3ff3ad1180dd652bda9505a7907cf8a4351d925d9c6f9d54f3c740f
Opcode Fuzzy Hash: bd1fadf799a0a78d894abe3c07c16ce357c7214413517dc42a91abf4e3b1c6c5
Instruction Fuzzy Hash: 4341CEB1805218AADB74EB60DC56EEF777EAF45340F0040ADB645A2182DB705F89CFE4

Function 0063B2C5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

UNC, xrefs: 0063B361
\\?\, xrefs: 0063B317, 0063B353, 0063B3B4, 0063B407

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: b404b3b3374d290102b1ed08d6dae158e9f8f5736536d1f69c1a75059ee8adee
Instruction ID: 96d38f153af0c8aba9be6b9dcb6b7eec769b63b91270aeb4bb447aeb85b2c360
Opcode Fuzzy Hash: b404b3b3374d290102b1ed08d6dae158e9f8f5736536d1f69c1a75059ee8adee
Instruction Fuzzy Hash: B641E731800259BADF61AF20DC01EEF77ABAF01360F40542AFA5493157E770DA91DAE8

Function 0064802C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00648039

Strings

about:blank, xrefs: 006480D1
Shell.Explorer, xrefs: 00648065

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 6c809daa9fa3a6560c7799f7ccecf2122c7f83e42a012a78a613454b45bde13d
Instruction ID: 4a5efcf242c84888f1d0cde73e57e2a5a322ad12030ff2641f0ae1a2875a1617
Opcode Fuzzy Hash: 6c809daa9fa3a6560c7799f7ccecf2122c7f83e42a012a78a613454b45bde13d
Instruction Fuzzy Hash: AA21AE75310706AFD704AF64C8A0E3EB76ABF85B10B14862DF5058B282CF71EC44CBA0

Function 006312E7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0063CF27: GetWindowRect.USER32(?,?), ref: 0063CF5E
Part of subcall function 0063CF27: GetClientRect.USER32(?,?), ref: 0063CF6A
Part of subcall function 0063CF27: GetWindowLongW.USER32(?,000000F0), ref: 0063D00B
Part of subcall function 0063CF27: GetWindowRect.USER32(?,?), ref: 0063D038
Part of subcall function 0063CF27: GetWindowTextW.USER32(?,?,00000400), ref: 0063D057

GetDlgItem.USER32(00000000,00003021), ref: 0063132B
SetWindowTextW.USER32(00000000,006602E4), ref: 00631341

Strings

0, xrefs: 006312EA

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: Window$Rect$Text$ClientItemLong
String ID: 0
API String ID: 660763476-4108050209
Opcode ID: 88a1f4bd31f0971637f6934e70c3966042b224e7b7c132ae175c5dfde067180e
Instruction ID: 4683de67e485a36881d7d87fd6d1910e212ab6395e02c4150f4d11a805dcbfd4
Opcode Fuzzy Hash: 88a1f4bd31f0971637f6934e70c3966042b224e7b7c132ae175c5dfde067180e
Instruction Fuzzy Hash: DCF096B158034CABEF251FA0CC19AF93F5BAF06755F084018FD84A86A1C775C991EF94

Function 0063FB19 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,0063FCF9,?,?,0063FD6E,?,?,?,?,?,0063FD58), ref: 0063FB1F
GetLastError.KERNEL32(?,?,0063FD6E,?,?,?,?,?,0063FD58), ref: 0063FB2B

Part of subcall function 00636D8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00636DAD

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 0063FB34

Memory Dump Source

Source File: 00000004.00000002.2051942387.0000000000631000.00000020.00000001.01000000.00000009.sdmp, Offset: 00630000, based on PE: true

Associated: 00000004.00000002.2051922636.0000000000630000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2051977563.0000000000660000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000066E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052001783.000000000068A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2052071994.000000000068C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_630000_efthfxj.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: b332050367ac99e9da8fcf43a59a830f88af278b77fc0a8a18a33e23e5ca6719
Instruction ID: 4520e52f4436615efb9571191ceb7953e475529df1ce0c5e3a6c39ab6304978f
Opcode Fuzzy Hash: b332050367ac99e9da8fcf43a59a830f88af278b77fc0a8a18a33e23e5ca6719
Instruction Fuzzy Hash: 44D05E71A0C43077EA412B28DC1AEBF7907AF52771F245769F53AA92F1CAA0084146E5

Analysis Process: efthfxj.exePID: 4052, Parent PID: 3852COMMON

Execution Graph

Execution Coverage:	23.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.8%
Total number of Nodes:	353
Total number of Limit Nodes:	13

Executed Functions

Function 01157D28 Relevance: 5.2, Strings: 4, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 01157D83
MhR, xrefs: 01157E91
Te]q, xrefs: 01157FC9
MhR, xrefs: 01157E8A

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID: MhR$MhR$Te]q$Te]q
API String ID: 0-1863040356
Opcode ID: 4d94b8a8ee8b2360a3158bdb8d1cb1b0c468cff3e1c7d37048754055966b0da6
Instruction ID: e792aaf52c7a316fe621466b192b9421f81d90527e65092a2c17a2ceee4458f1
Opcode Fuzzy Hash: 4d94b8a8ee8b2360a3158bdb8d1cb1b0c468cff3e1c7d37048754055966b0da6
Instruction Fuzzy Hash: E3A1D1B4E00219CFDB48CFAAC9819AEBBF2FF89300F608529D815AB354D7719905CF55

Function 04AF9880 Relevance: 1.9, APIs: 1, Instructions: 397
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 04AF9CCF

Memory Dump Source

Source File: 00000005.00000002.2078574746.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4af0000_efthfxj.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ac2747cc545c310a88059488a041c50c052c6beb703b9890ef3f3f98bcd58205
Instruction ID: 568434c3f8231a8686ed42a401f9678b0beb1630d5dd39dc67dd7418f4942e1a
Opcode Fuzzy Hash: ac2747cc545c310a88059488a041c50c052c6beb703b9890ef3f3f98bcd58205
Instruction Fuzzy Hash: 8E02C1B4E00229CFDB64CFA9CC80B9EBBB5BF49304F1481A9E519B7250DB34A985CF55

Function 04AF9875 Relevance: 1.9, APIs: 1, Instructions: 386
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 04AF9CCF

Memory Dump Source

Source File: 00000005.00000002.2078574746.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4af0000_efthfxj.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1b6fe3b58960b9bdd9b1bbcf874d4de31b8e74944c533da440a68d64c7d5a9d7
Instruction ID: da6da0fb008bd821fc10c1f4aa4f586494fe67e30ece835d26c79f93cd0b7902
Opcode Fuzzy Hash: 1b6fe3b58960b9bdd9b1bbcf874d4de31b8e74944c533da440a68d64c7d5a9d7
Instruction Fuzzy Hash: A2F1C2B4D00219CFDB24CFA9CC81B9EBBB5BF49304F1481A9E519B7250DB34A985CF55

Function 04AFA8D8 Relevance: 1.6, APIs: 1, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 04AFA9B0

Memory Dump Source

Source File: 00000005.00000002.2078574746.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4af0000_efthfxj.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: d3b3dbbe6dcc9b9ea2765ec8d0691401eee0ee5c54bedffb37d34fad08551a75
Instruction ID: 1999ca802bac57cae6d9ae74e1a5e35840a7e662cabf2658c1e8f441a4ae18ac
Opcode Fuzzy Hash: d3b3dbbe6dcc9b9ea2765ec8d0691401eee0ee5c54bedffb37d34fad08551a75
Instruction Fuzzy Hash: D641BCB5D012589FCF00CFA9D984AEEFBF1BF49314F14902AE418B7210D739AA45CB64

Function 04AFA8E0 Relevance: 1.6, APIs: 1, Instructions: 115nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 04AFA9B0

Memory Dump Source

Source File: 00000005.00000002.2078574746.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4af0000_efthfxj.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: c6cc38cf126e83c3a5bccc7a9dbcd6977d3689b9a802473328346a7e0a3dc543
Instruction ID: bc8f14f962249e3f39f028ae27030b3433b83c3e47b02a450f9b458652543837
Opcode Fuzzy Hash: c6cc38cf126e83c3a5bccc7a9dbcd6977d3689b9a802473328346a7e0a3dc543
Instruction Fuzzy Hash: C641ABB5D012589FCF10CFA9D984AEEFBF1BB49310F10902AE418B7210D739AA45CB64

Function 04AFA500 Relevance: 1.6, APIs: 1, Instructions: 109nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 04AFA5BA

Memory Dump Source

Source File: 00000005.00000002.2078574746.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4af0000_efthfxj.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 7ff32651f5e0ef0301fd7635971d82d97560db7e00388351af7a266a8ae6a9ea
Instruction ID: cbbfdfbc1eb5551b1e68fffbb7f7c94563f0b15542ca75f81f34698def35cba1
Opcode Fuzzy Hash: 7ff32651f5e0ef0301fd7635971d82d97560db7e00388351af7a266a8ae6a9ea
Instruction Fuzzy Hash: 6C41AAB5D002589FCF10CFA9D980AEEFBB1BF19310F14942AE819B7210D739A945CF64

Function 04AFA508 Relevance: 1.6, APIs: 1, Instructions: 106nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 04AFA5BA

Memory Dump Source

Source File: 00000005.00000002.2078574746.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4af0000_efthfxj.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 206a974d7cf081b2c6e55d5a46b32d96aedc31066a71ef3b3f98ca94538482bc
Instruction ID: 66ac294198ac933aefd8c3a8c3984e6bd5cb9bf0bd845cd40d4e7cf7d9e01e39
Opcode Fuzzy Hash: 206a974d7cf081b2c6e55d5a46b32d96aedc31066a71ef3b3f98ca94538482bc
Instruction Fuzzy Hash: 54419BB5D042589FCF10CFA9D984AEEFBB1BF49310F10942AE919B7210D735A945CF64

Function 04AFAC01 Relevance: 1.6, APIs: 1, Instructions: 96nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL(?,?), ref: 04AFACB7

Memory Dump Source

Source File: 00000005.00000002.2078574746.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4af0000_efthfxj.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 1993e6d08590ab07ab4f1ffc4a0201592832722b2d0386b403610f0fc5353751
Instruction ID: c2c95cf9c746a16af04bf3e9a7292ebae3d319fa1b34c625405a42c13eb9d53a
Opcode Fuzzy Hash: 1993e6d08590ab07ab4f1ffc4a0201592832722b2d0386b403610f0fc5353751
Instruction Fuzzy Hash: 6F41ABB5D002589FCB10DFEAD984AEEBBF1BF49310F14902AE419B7240D739A945CFA4

Function 04AFAC08 Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL(?,?), ref: 04AFACB7

Memory Dump Source

Source File: 00000005.00000002.2078574746.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4af0000_efthfxj.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 3430a513e9f8f8dce3975ce6b0ab3b19b5b084aba99ce3decc71a89eeaa1db0d
Instruction ID: d55ad922a1126f5c763434dbb141405ef06e8f68c0a40827305b8797d85d1292
Opcode Fuzzy Hash: 3430a513e9f8f8dce3975ce6b0ab3b19b5b084aba99ce3decc71a89eeaa1db0d
Instruction Fuzzy Hash: A631ABB4D002589FCB10DFEAD984AEEBBF1BF49310F14802AE419B7240D739A945CFA4

Function 04AFA6B9 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 04AFA749

Memory Dump Source

Source File: 00000005.00000002.2078574746.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4af0000_efthfxj.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e521ad646689aa4ae174e1f96aafe96175a26fd38ee242ef45ecf8acb451600d
Instruction ID: 768ba38a6c4e0cf9c99789313dbcffc9dc7988dc9d64fbfb4bb6c304872a4dd6
Opcode Fuzzy Hash: e521ad646689aa4ae174e1f96aafe96175a26fd38ee242ef45ecf8acb451600d
Instruction Fuzzy Hash: B53199B8D012189FCB10CFA9D984ADEFBF5BF49310F14942AE819B7200D735A945CF94

Function 04AFA6C0 Relevance: 1.6, APIs: 1, Instructions: 80nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 04AFA749

Memory Dump Source

Source File: 00000005.00000002.2078574746.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4af0000_efthfxj.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 87eff08a7948f198bff28948d22b8eac78f49042c3e5bfeb529b807d9cf20fa0
Instruction ID: 9e8309502675f277582be93c65ab182cc8305b312d452b6eb5ce37589c88e91b
Opcode Fuzzy Hash: 87eff08a7948f198bff28948d22b8eac78f49042c3e5bfeb529b807d9cf20fa0
Instruction Fuzzy Hash: 623199B8D012189FCB10DFA9D984ADEFBF5FB49310F10942AE819B7200D779A945CFA4

Function 01155E20 Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fcf0ee49c6fa24f7a12a588acfa60fc5cc56c755c9a8e20a132f7a1dc220bb
Instruction ID: c7732062fec84c1b3a8e8403d9efe9bb17692a3cb474b51df63400bf44fe90a9
Opcode Fuzzy Hash: 75fcf0ee49c6fa24f7a12a588acfa60fc5cc56c755c9a8e20a132f7a1dc220bb
Instruction Fuzzy Hash: A8E17DF2D043248FD79ACF558D491DDB7B2FB91321BCA80AED4899A625FA368941CF40

Function 0115D810 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5206844b518db7fa4e2099eec4cfd908fa76aa02f212067ba1bc278017e8b42
Instruction ID: 48774719a73e7a6e4a9594edf5ce77c365047c17f200f8e30fe3d4aa7abba6e9
Opcode Fuzzy Hash: a5206844b518db7fa4e2099eec4cfd908fa76aa02f212067ba1bc278017e8b42
Instruction Fuzzy Hash: BDA1B474E00208DFCB54DFA5E88569CBBB2FF89310F50906AD81AEB364DB745986CF21

Function 0115D550 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bef411b243a30655dff892e7ceac79f1b44283cd8b89f0d3348dd53d86afe7a
Instruction ID: 74faa8eb7fd6f8f748d8ac97870a6254ecd6272241550c010fa61e4ef1c66341
Opcode Fuzzy Hash: 6bef411b243a30655dff892e7ceac79f1b44283cd8b89f0d3348dd53d86afe7a
Instruction Fuzzy Hash: 2D615970D15219DFCF48DFE5D5406AEBBB1FB89308F10852AC826AB258D7759A02CF52

Function 01152B08 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6552dfa6bfd23a42f8cfc0160eace934bfa63614c6f19f4c842de82e8c730408
Instruction ID: b3a006997c126cdcbb099ae03994d9f325b49b01c1d5ee4275a9aaa4d57f7fe3
Opcode Fuzzy Hash: 6552dfa6bfd23a42f8cfc0160eace934bfa63614c6f19f4c842de82e8c730408
Instruction Fuzzy Hash: D2412471E116188BEB5DCF6B8D4078EFAF7AFC9201F14C1BAD91CAA215DB7016468F11

Function 01152AF7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae95bc791c0903b0fd69e7a3c6bb50ac25fee380dd80894381f1e42d2753ab5b
Instruction ID: af7f89ea6bdaea2150a007cc4673c8571bbc91eac26ef52777b372113c3a863d
Opcode Fuzzy Hash: ae95bc791c0903b0fd69e7a3c6bb50ac25fee380dd80894381f1e42d2753ab5b
Instruction Fuzzy Hash: B6414371E016588BEB5DCF6B8D4178AFAF7AFC9200F14C1BA880CAA225DB7406468F11

Function 01153645 Relevance: 2.5, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 011536D8
l.dl, xrefs: 0115364C

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID: l.dl$$]q
API String ID: 0-1344983801
Opcode ID: 40239cc40ae3c1b17fbe61b0b273b0a08cc3334feb55220f928576933cdc73e6
Instruction ID: 1ace634222fee2da84ffce3fea41df51d6c0a4b56250b1a841f8d5ee7276e840
Opcode Fuzzy Hash: 40239cc40ae3c1b17fbe61b0b273b0a08cc3334feb55220f928576933cdc73e6
Instruction Fuzzy Hash: 74110474A40229CFCB2ACF65C954B9EBBB6BF89340F1094E99449AB315CB708E81CF55

Function 00FB4CCF Relevance: 1.7, APIs: 1, Instructions: 199memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00FB4E3F

Memory Dump Source

Source File: 00000005.00000002.2075777880.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_efthfxj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 58a89ae509a52817a7ce7f4a77d648e1af32dca8762bdf202ca8be4bc4aad284
Instruction ID: 0f64c9cb390fcce176d4f4441f87fa031ab6e899435a8b6ab92c97b60d17ad17
Opcode Fuzzy Hash: 58a89ae509a52817a7ce7f4a77d648e1af32dca8762bdf202ca8be4bc4aad284
Instruction Fuzzy Hash: F7515D74D182988FEB16CFB5C99698DFFB0EF06300F1490AED8C967292C2359907CB51

Function 04AFA7B9 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04AFA86A

Memory Dump Source

Source File: 00000005.00000002.2078574746.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4af0000_efthfxj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b41a09151a235eccb5730205b5f20a8214388981280ef65a9054be53a405821f
Instruction ID: 9870a21688f5304aa3184ec619e44893d862e708b338d3d50f99e4c0175ae1b3
Opcode Fuzzy Hash: b41a09151a235eccb5730205b5f20a8214388981280ef65a9054be53a405821f
Instruction Fuzzy Hash: 3A3199B5D002589FCF10CFA9D980ADEFBB1FB49310F10A42AE819B7210D775A942CF94

Function 04AFA7C0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04AFA86A

Memory Dump Source

Source File: 00000005.00000002.2078574746.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4af0000_efthfxj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d5b5be50bb4c0e425611b469ea653b40c6d02ba481ed1a3a1a28dbd0fbd1e2e4
Instruction ID: 6526c1193f3b1dceb4a2c0eb29b0a3cdd8dbdda22dd7c5cc3bab827185243d83
Opcode Fuzzy Hash: d5b5be50bb4c0e425611b469ea653b40c6d02ba481ed1a3a1a28dbd0fbd1e2e4
Instruction Fuzzy Hash: 9A3187B9D002589FCF10CFA9D980ADEFBB5FB49310F10942AE919B7210D775A946CFA4

Function 00FBA478 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00FBA51F

Memory Dump Source

Source File: 00000005.00000002.2075777880.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_efthfxj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1794349b46dd7cd524ce7a8805da3c8ebb10d9458057d5056df648f2356183b8
Instruction ID: 6ea60387738ef55fd5b9721f24632c380ec0d0e72825e08557c1fd9491786e83
Opcode Fuzzy Hash: 1794349b46dd7cd524ce7a8805da3c8ebb10d9458057d5056df648f2356183b8
Instruction Fuzzy Hash: BB318BB5D042589FCB10CFA9D584ADEFBF5BF19310F14902AE818B7210D375AA45CF64

Function 00FB4D98 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00FB4E3F

Memory Dump Source

Source File: 00000005.00000002.2075777880.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_efthfxj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 58d1f9616d47da3156a97c634080e0342a87785503ad90998d65b18165720d0b
Instruction ID: 03e5b53d6dac6209acd5a0fde92dfd315e96f9120686ca9ea5fbdd2666a4f061
Opcode Fuzzy Hash: 58d1f9616d47da3156a97c634080e0342a87785503ad90998d65b18165720d0b
Instruction Fuzzy Hash: 6E3179B9D042589FCF10CFAAD584ADEFBF5BB19310F24902AE818B7211D375A945CFA4

Function 0AA70D67 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

,, xrefs: 0AA70E20

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: e69304722053b496247961f3dcc567332d9cb239068971986b2eb76ab4c923c9
Instruction ID: 697c7d7bb08513ad7294d3feb20e149e8a70d7b4444d2fc2d4909bfcea87f92c
Opcode Fuzzy Hash: e69304722053b496247961f3dcc567332d9cb239068971986b2eb76ab4c923c9
Instruction Fuzzy Hash: 93518074A052299FDB60DF68CD98BDEBBB1AB48301F5091D9E80DA7351DB31AE81CF50

Function 0115A578 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

9"U, xrefs: 0115A5AC

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID: 9"U
API String ID: 0-2706808553
Opcode ID: fa6119a6229f4185ac3c0991b44fb8564cc30589ab41709ed746e649b4490a33
Instruction ID: dd25dc67a826b81a1e44ba4a4573e1ef1f7996478d5e5107c454cc98d52d4330
Opcode Fuzzy Hash: fa6119a6229f4185ac3c0991b44fb8564cc30589ab41709ed746e649b4490a33
Instruction Fuzzy Hash: 67211874E04208EFCB48DFA9D584A9DBBF2FF88200F14C5A6D919A7354D770DA01CB11

Function 01152CAC Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

Y, xrefs: 01152CAC

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID: Y
API String ID: 0-3233089245
Opcode ID: 2733dff247988581693e1f66bcf75ef1a5dd2364a7f6a9b2e70c55996b88e92b
Instruction ID: 34d25f7693aa4dac6119f3ad6b8706033f5972f0bcd5c704ee971027cfc33f4e
Opcode Fuzzy Hash: 2733dff247988581693e1f66bcf75ef1a5dd2364a7f6a9b2e70c55996b88e92b
Instruction Fuzzy Hash: 00316D74A01229CFDBA5DF25C998B9DBBB5BB49300F5081D9E84DA7360DB309E81CF01

Function 01153670 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

$]q, xrefs: 011536D8

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 2d514e32d27c19871efd1c516ac314f1dff2afef5dbb1e9e1fd766c93bcca368
Instruction ID: ad84e8b6a7e87d2b1bbf2911ef85adb4b79646f4b46b379af07a3963ea56ccb8
Opcode Fuzzy Hash: 2d514e32d27c19871efd1c516ac314f1dff2afef5dbb1e9e1fd766c93bcca368
Instruction Fuzzy Hash: 97112974A40228CFCB6ACF24C844B9DBBBABF85300F1045EA944967214DB708FC1CF45

Function 01156B0D Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

@, xrefs: 01156B41

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 67b682530c91a33317c1f52ba2c21bd815b6f63c783cc329b4c5045bb3c6204b
Instruction ID: 07185fcc39dd065a1467761f3f725f5a147fddd75b0ad8b16b212eb0d953e43e
Opcode Fuzzy Hash: 67b682530c91a33317c1f52ba2c21bd815b6f63c783cc329b4c5045bb3c6204b
Instruction Fuzzy Hash: B5F0CFB4E0222DDEDBA8CF60DA8079EBB76BF52340F5010A9D5987A250C7301A81CF52

Function 01154360 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

<, xrefs: 01154386

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 914d4185daec4775c3268ffe83eba6d690f262b32c5ed1262d3d5b91f965c172
Instruction ID: edabe514a35f4c0d0317f0b2fb68a79932efa3474775fd3b895ec22b19efe715
Opcode Fuzzy Hash: 914d4185daec4775c3268ffe83eba6d690f262b32c5ed1262d3d5b91f965c172
Instruction Fuzzy Hash: 97F0F9B0D22229CFDBA5CF25C960B99BBB4BF45600F0094D9C44967212D7714BC0CF11

Function 0AA71388 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bdbd8c1a711bad5003a44ab7b7409eb2e481b5b3a810ad9dfec69f65bd657f
Instruction ID: 359cd1a5eb00b5d66470fba5490f36634b7228c57ed42923e40489da5b4e290a
Opcode Fuzzy Hash: 67bdbd8c1a711bad5003a44ab7b7409eb2e481b5b3a810ad9dfec69f65bd657f
Instruction Fuzzy Hash: 3C51A074E00219DFCF54CFA9D8509EEBBF6BF88310F10912AE419AB2A4DB359902CF51

Function 0AA71377 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f987e229be35c84f650dc7baf561c69bb835bd31f56a3607fff4c95eed1f52
Instruction ID: 3cca3c9b1bd2eba214a00099acb11cc83fe8ef0b1392a6bf49bf07bad3e221a2
Opcode Fuzzy Hash: 13f987e229be35c84f650dc7baf561c69bb835bd31f56a3607fff4c95eed1f52
Instruction Fuzzy Hash: 4251AFB5E042199FCF54CFA5D8909EEBBF6FF88300F14912AE415AB2A4DB359902CF51

Function 0115DC60 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47b498b123b7a1df9ed8e5a0c161f754358478adaf071bccc0ceac7a726f9da
Instruction ID: 9cfed4c2c3b4356f86b39d5429a4d778417f99f3a317a6630964cf3790e4f3b6
Opcode Fuzzy Hash: c47b498b123b7a1df9ed8e5a0c161f754358478adaf071bccc0ceac7a726f9da
Instruction Fuzzy Hash: CC410774D05209DFCF48CFA9E9446AEBBB2EF88300F10946AD815B7364DB749A01CF62

Function 0AA70833 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b163b78554ff28f318b2666d46ada8290eedd8118310fa6058494a7a9c26169
Instruction ID: 37da4eab5d00f770187c656ee316101238c01b0dd36b197146f33d42046a0cd9
Opcode Fuzzy Hash: 8b163b78554ff28f318b2666d46ada8290eedd8118310fa6058494a7a9c26169
Instruction Fuzzy Hash: 504192B5A012199FDBA5DF58C885BDEBBF9AB49300F1481D9E84CE7351DB319E818F20

Function 01158750 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc3869451b0d3aba25fab28e698b883a2475b9f1dfcc934662a9ebc011cf1d0
Instruction ID: 7996fd978ba6eadadb33b629e491a33d3b6bab3928072646b852639044f689f9
Opcode Fuzzy Hash: 6cc3869451b0d3aba25fab28e698b883a2475b9f1dfcc934662a9ebc011cf1d0
Instruction Fuzzy Hash: CB31C874E05209DFCB88CFAAC5815AEBBF2FB88300F10956AD919E7314D7749A41CF51

Function 0AA70A47 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfeb72912e25aabd4b80e64b7dc48e7df10b3320769dab48c651946475b7d621
Instruction ID: 4aad3ce29099862ed5f0b5e2c96afbfbc5685f7a7121dca0903ed28f7dc76cf4
Opcode Fuzzy Hash: cfeb72912e25aabd4b80e64b7dc48e7df10b3320769dab48c651946475b7d621
Instruction Fuzzy Hash: F331B4B5E012199FCB65CB58CC51BDEBBB1AB98300F14C0A5A55DA7351EB709E81CF50

Function 0AA70103 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69c341680da5059596b93e5ba63b64735805411ebabc084bd4009976abe09a4
Instruction ID: 1053b83d60f5cbd25a2c05bf2dc3c8cb9267d7c6c0733ac750cf9c6f95c32d2a
Opcode Fuzzy Hash: b69c341680da5059596b93e5ba63b64735805411ebabc084bd4009976abe09a4
Instruction Fuzzy Hash: 3631BD74A012298FCB25CF68CD94ADEFBF1AF48300F1480E9940CA7261DB30AE96CF54

Function 0AA703CB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4646a2c36d3aab535fa3e45d9d8b5d715123cce419cb1330bfd05b5e0763dff
Instruction ID: fe0854bdebe5ae0326a5508e870161436edc0e283c689caf9b27aa57cde28b6a
Opcode Fuzzy Hash: e4646a2c36d3aab535fa3e45d9d8b5d715123cce419cb1330bfd05b5e0763dff
Instruction Fuzzy Hash: EE315A74911229DFDBA0DF58C884B9EBBB1EB48310F1095DAE80DA7391DB309E81CF11

Function 0AA70C63 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c925de2c8b0ce4118e2e293c93a41f6f9ad88ca8406ba46605f193526a0e86
Instruction ID: 835d3b017ad036a543d888797084b6b631e057fe743afe908262d1c588bbd507
Opcode Fuzzy Hash: 65c925de2c8b0ce4118e2e293c93a41f6f9ad88ca8406ba46605f193526a0e86
Instruction Fuzzy Hash: F3218074A012289FDBA4DF68EC88B9DBBF1BB49301F1081D9D84DA7351DB309E858F21

Function 01151C58 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826be79166f8c37d04a7fd737b8b59b57f926937ac76c0511255d3ae84a85c47
Instruction ID: 96bbdb331ad260f56d38ec3b67ab45fc40e97494314dcd4a10268aebf696d4cb
Opcode Fuzzy Hash: 826be79166f8c37d04a7fd737b8b59b57f926937ac76c0511255d3ae84a85c47
Instruction Fuzzy Hash: 82118E74859358DFCB57CF78C8806AD7FB0FF06320B90829DD48096246EB764A55CB81

Function 0AA70663 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f9edf5e72eb5c0b85c3b2a16bbcd19aa6a7be6a8379b210795999473c06c22
Instruction ID: d08ea946c0b5a2c0309b14d0100d9cc8bc0fcf7252ed8738cd5c69b3148f4195
Opcode Fuzzy Hash: 53f9edf5e72eb5c0b85c3b2a16bbcd19aa6a7be6a8379b210795999473c06c22
Instruction Fuzzy Hash: 6F014CB49051199FDBA0DF69C855BDEBAF6FB88300F10D0E9E50DE7241EA349E858F24

Function 01151C1E Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26dadd4958688b02eb27f9d7b8c23c0b4465a6c6864a22310ea6cd177d05b75c
Instruction ID: 84ed47f1c85092cb02152649ff8d50f7abbe87957a328e50c4d76b552a20eeaa
Opcode Fuzzy Hash: 26dadd4958688b02eb27f9d7b8c23c0b4465a6c6864a22310ea6cd177d05b75c
Instruction Fuzzy Hash: 97015E70C09348EFCB5ACF78C8806ADBFB0FF05310F5086A9D864D6252E7768A55CB85

Function 01152AA9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07cdc2c21fbbdb6a8dd74fbb3b30c91eb2a15533d28e9a4f3d948e82051f5e1
Instruction ID: c73dbff8609986006f0fff924ba6d938090277a2c939538f08feae4fcc526eb5
Opcode Fuzzy Hash: e07cdc2c21fbbdb6a8dd74fbb3b30c91eb2a15533d28e9a4f3d948e82051f5e1
Instruction Fuzzy Hash: 43F03A70C05348DFCB45DFB8C842AADBFB0EB06310F1086AAD854E7252D7B59A51CB91

Function 0AA709D6 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ca5ecadc3cecff2991b7310e072a54ee7d8baa06b54062e950b6cad1117066
Instruction ID: 27e461f43b1ea958d68379b3be0c7ccbbca1a4e28992a49ba094a1b91255dffb
Opcode Fuzzy Hash: d4ca5ecadc3cecff2991b7310e072a54ee7d8baa06b54062e950b6cad1117066
Instruction Fuzzy Hash: 2A01B271D01219AFDF25DFA1DD44ADDBBB2BF88300F2081AAA509A3260D7315E829F10

Function 0AA706BE Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb995be01145fbc6ef1bf72e2ff6efe800577e1f55e7892b11095598566e98d4
Instruction ID: d38efb0132abb7768753b0ef06598ac8511664a5781f4b7422699684e6a0e5ae
Opcode Fuzzy Hash: eb995be01145fbc6ef1bf72e2ff6efe800577e1f55e7892b11095598566e98d4
Instruction Fuzzy Hash: FFF0DAB5901115AFDBA1DB58DC51BDEB6BABF88300F40D0A4F40CE3241EA349E408F60

Function 0AA7023C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dac9454d0fe3c2b78f2e50107bf5439f8d464b45659f5553e661fc6d057163d
Instruction ID: 255da25d65b19b89c5c409f7f1f03a97f8ae8b78acc48dfed7faa5110f82a137
Opcode Fuzzy Hash: 8dac9454d0fe3c2b78f2e50107bf5439f8d464b45659f5553e661fc6d057163d
Instruction Fuzzy Hash: E2F04975D166298FDBA0CF24CC44ADEBBF0BB55300F14D0DAD44AE7251EB304A869F61

Function 01155488 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec02aaf5ae329f9782a7ea5fbc8b3c12ba861c204da1301e34229887055b2154
Instruction ID: e1dd4a28bc9055c5f0a7a295647a4833269146033d9ab0097042207f624837d6
Opcode Fuzzy Hash: ec02aaf5ae329f9782a7ea5fbc8b3c12ba861c204da1301e34229887055b2154
Instruction Fuzzy Hash: C4F01230A01759CFCB59DF25CC50779B3BAFF84606F1454D988096B254CA319EC2DF16

Function 0AA70FE2 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8af23c11f61bf060092ccda59e4d5bcce584475eb4e2ebc3bfebab3163d334e
Instruction ID: 30bd6cb3cf0b83ccf8be4c833af1bb5e1dae5ed88d397f00a56fa0bfd076624c
Opcode Fuzzy Hash: f8af23c11f61bf060092ccda59e4d5bcce584475eb4e2ebc3bfebab3163d334e
Instruction Fuzzy Hash: DBF09774A022148FDBA4CF24C944A9EF7B1EF49310F55C5E99449A7251DB31DE81CF01

Function 0AA70279 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0936d1516cf01bed824f30d84369a2d96bebab765136b2d451beefe2edf1609f
Instruction ID: 556293511de6b3c19659039caf0afcc959c90adafdf7b57268c2b0c88504c0e5
Opcode Fuzzy Hash: 0936d1516cf01bed824f30d84369a2d96bebab765136b2d451beefe2edf1609f
Instruction Fuzzy Hash: 6CE0E5F5A011159FD794DB58CC51BEEB6BAAB89300F10D099F509E3251D7345D418F60

Function 0115FE78 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1afe400d4e4199f10575bbe1b120b351670238970474b8b2590d4c50fa96f9f6
Instruction ID: cc1263b6c0fbfe32dbd12feed8662afa2147f8f4cd37211b74a2bb060ac8b35f
Opcode Fuzzy Hash: 1afe400d4e4199f10575bbe1b120b351670238970474b8b2590d4c50fa96f9f6
Instruction Fuzzy Hash: 31F0F274D0020DEFCF41DFA8D905AAEBFB1FB08310F0085A9E828A2210D7719660EF90

Function 0115E550 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30ab7d238c33cd70d3a1cb4e06b7ff664a5e37b25c228e9f0d2140da3f08e7d
Instruction ID: c17a8cf2f3ce962dfd298bb6b3682eac7cced940628cb9ea588b486a8c72d0c3
Opcode Fuzzy Hash: c30ab7d238c33cd70d3a1cb4e06b7ff664a5e37b25c228e9f0d2140da3f08e7d
Instruction Fuzzy Hash: B9F0C9B8D41218DFCB44DFA8D944AADBBF4FB08310F1085AAE818E3311E7719A50DF91

Function 0AA7178B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4073543cfa7918b50564b0e23402220dcb53ab3918f27143bad7bf1de58f767
Instruction ID: 95bd6617793765db17fbd8057c0ca697c2823bb2a6b03c6e9a25515d9d266427
Opcode Fuzzy Hash: d4073543cfa7918b50564b0e23402220dcb53ab3918f27143bad7bf1de58f767
Instruction Fuzzy Hash: 17E0EEB1D15208AFCB61EFA8C84538CBBF0AB14316F1481A99448E2390E7B69A80CB50

Function 01151CA8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4792dddd0a727ba0b249c37771137e827ad6410b879fbe0dbdadfb5152b34d1
Instruction ID: f03ac934829d53c0e6fae2c5f130398341387b106a56694b433e3eba65d67381
Opcode Fuzzy Hash: e4792dddd0a727ba0b249c37771137e827ad6410b879fbe0dbdadfb5152b34d1
Instruction Fuzzy Hash: 8BE0E5B0D00308EFCB45EFA8D8446ADBFF0FB48300F5086AAD824A3300E7719A50DB94

Function 01152AB8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f332a0bfb23fa6b48786e22de3f0c55b1aa39a2394301a4a4696c2f2cc9ea0
Instruction ID: 86a17bbf3d122ffd4e27d552a4adb870354113e849b8e5e45bbc41636f6c3730
Opcode Fuzzy Hash: d8f332a0bfb23fa6b48786e22de3f0c55b1aa39a2394301a4a4696c2f2cc9ea0
Instruction Fuzzy Hash: 53E0E5B0D00309EFCB44EFA8D8006AEBBB1FB08300F5086AAD828A3341D7719691DB95

Function 0AA704EC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2079935868.000000000AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa70000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db17c01580b3e5c2d05a127c32f2f9abc07f7cee82e2ec53a677026b54bbe5a2
Instruction ID: 7c6f4b96e9743dd39710302b9c877968dacbb3448b9f4f0154d67935a9c0fe24
Opcode Fuzzy Hash: db17c01580b3e5c2d05a127c32f2f9abc07f7cee82e2ec53a677026b54bbe5a2
Instruction Fuzzy Hash: BCF0F2349012299FCB64CF14C880AA9FBB2EB49310F24C0D9981CA7212CB31EE828F10

Function 01153DC6 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831d044146a6bd7ee8a628e760fc6c986c7d1b4aba3f0fb25b2c1ca8dfe2fe56
Instruction ID: 1aef2e482c4a0cdb63d20e03103731d1e674aa579f55f7d47d45263efa2472e9
Opcode Fuzzy Hash: 831d044146a6bd7ee8a628e760fc6c986c7d1b4aba3f0fb25b2c1ca8dfe2fe56
Instruction Fuzzy Hash: 8BE07EB5E0031CCFDF54CF98C880AADBBB5AB19310F0050599918AB340D3349985CF19

Function 01157281 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bace7253aacc5b4de98c3a216133ea71a36f74f71201b2a9ce25e16e79414c
Instruction ID: fae05a786f15ee16e316d396ddc6bb7c823732b6671e489b54f8b7765e90d7b5
Opcode Fuzzy Hash: f7bace7253aacc5b4de98c3a216133ea71a36f74f71201b2a9ce25e16e79414c
Instruction Fuzzy Hash: 2AE09A349412699FCB94DF69DA90B9CB7B5FF44204F0045E6D01DB7264D7305D49CF20

Function 01154C21 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f473f3ed23c7f90a3c8ab5789618506b9ab096ec8aa4e3c4187c5638020a70
Instruction ID: addaf2e77ca9ef55e1684df20cf567415c864142b91f80d2c903e1e69135f9e9
Opcode Fuzzy Hash: 85f473f3ed23c7f90a3c8ab5789618506b9ab096ec8aa4e3c4187c5638020a70
Instruction Fuzzy Hash: 06E01771D0401ECFDB58CBA0C840BAEF3B5BF84300F1094AA881AB7204D7309A81CF24

Function 01153B2E Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324e58a04a4d78050a12cd5028f418e1be8d2a0f6d89f931331fc1ff3082a844
Instruction ID: ad30374a5cb4b67ea0a8d0e5223cf90540de57009d465471ea69200b161a1b47
Opcode Fuzzy Hash: 324e58a04a4d78050a12cd5028f418e1be8d2a0f6d89f931331fc1ff3082a844
Instruction Fuzzy Hash: B8D09E7691412ECFCB58CB91C840BAEB6B5AB54340F1055A98519FB245D7349A818F24

Function 01153D41 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3668fc8cdc316f67de2d5efa954d9a13ae8be7e6e3d9a745b02ae71cbd72ee9c
Instruction ID: 62034ec72a31d2bd31654cf5b8b1e6141bb71bdf74cb18ade962a9de05515a6e
Opcode Fuzzy Hash: 3668fc8cdc316f67de2d5efa954d9a13ae8be7e6e3d9a745b02ae71cbd72ee9c
Instruction Fuzzy Hash: B9D0C97690421ECBCB98DA90C840BAEB3B5BB55300F005555885AB7340CB3489828B15

Function 01153467 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2ebdd069914d330d50cacc95b0d2f2899efc0212a875cddc69f20d07bf981f
Instruction ID: c4de947f6e943f763bd202abc7b876e11bed672eb96cc97744fbd97ec46b25a0
Opcode Fuzzy Hash: 1d2ebdd069914d330d50cacc95b0d2f2899efc0212a875cddc69f20d07bf981f
Instruction Fuzzy Hash: 7BE0EC30908259CFCB19CF54CA40B99B7B9FF44204F0045E59109A7228D3709E82CF20

Function 01153EB8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e9ca138837a3dc81fdad7eb4118117df270811e961ec5f22eaabcb1bef38ed
Instruction ID: e602d554b2c14102a83d3549dfcc40c7427efc4b99ccac56cee25434ddbad8f4
Opcode Fuzzy Hash: 29e9ca138837a3dc81fdad7eb4118117df270811e961ec5f22eaabcb1bef38ed
Instruction Fuzzy Hash: 62D0C971D0011DCBCB58DF90C950BAEB374BF14300F0090998819B3200DB7459C1CF19

Function 01153961 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2409d59e5f45128d13b3e02d09004f7979442405c86e178bf96b53c6a3c6848b
Instruction ID: 198ebcc60b9607c5e7a89522dfd56450af28a6e0ad38dc50add990853b999352
Opcode Fuzzy Hash: 2409d59e5f45128d13b3e02d09004f7979442405c86e178bf96b53c6a3c6848b
Instruction Fuzzy Hash: FBC012B1D0421DCFCB54CF90C8107AEB274BB15300F005659891977200D33084828F19

Function 01154BB9 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac92589779e1471571e81ba5f969e2336d9db3b0cfae4b03c498739c3913345b
Instruction ID: b95ddd1ab7c9a11a9db6871f60e42908e5dfc3b5074c7f58e31e22729bdde8e2
Opcode Fuzzy Hash: ac92589779e1471571e81ba5f969e2336d9db3b0cfae4b03c498739c3913345b
Instruction Fuzzy Hash: B2C0127590011DCBCB54DF90C840BAEB374BB54300F005499841973300CB304D818F15

Function 01155931 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2076166418.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1150000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abca4bd2e31e42e03afc1bef331151f3c4e2e7c5ebd7c2517d6191a302cd7e1
Instruction ID: bf228a5cd19f7cb2c832fef733cc1307622761c3b8e49bd17bbd9b04c6aa4ba4
Opcode Fuzzy Hash: 2abca4bd2e31e42e03afc1bef331151f3c4e2e7c5ebd7c2517d6191a302cd7e1
Instruction Fuzzy Hash: 57C02B72902D12CBC7B8C5A7CD00309F9E1AB453A0F05DBD1022AF93A0F370C9828E21

Non-executed Functions

Function 00FB6180 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2075777880.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6538f31c1c9879699a469210a567de62ee0f61c82b420965213678ac00d72ba
Instruction ID: 924e698be0af62dd2d2fdb01265ef48f5791e7788fa668a06a98791ada284b9b
Opcode Fuzzy Hash: e6538f31c1c9879699a469210a567de62ee0f61c82b420965213678ac00d72ba
Instruction Fuzzy Hash: C2215C70E0020A8FCF05DFA8D4416DEBBB1EF89310F15866AD540BB255DB746D8ACBA1

Analysis Process: efthfxj.exePID: 1084, Parent PID: 4052COMMON

Executed Functions

Function 02620B60 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

daq, xrefs: 02620E64

Memory Dump Source

Source File: 00000007.00000002.2064419816.0000000002620000.00000040.00000800.00020000.00000000.sdmp, Offset: 02620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2620000_efthfxj.jbxd

Similarity

API ID:
String ID: daq
API String ID: 0-1532007458
Opcode ID: d0151231a20ad996db212c0551c9da0fc6c0d1e72c8391074d90b9291363cb5c
Instruction ID: b99b4aa8afffb799ab95803b1ea8d6ce1fb57d708fe24530e9e477649b2d101b
Opcode Fuzzy Hash: d0151231a20ad996db212c0551c9da0fc6c0d1e72c8391074d90b9291363cb5c
Instruction Fuzzy Hash: 55829F74A00629CFCB24DFA8D984BDDBBB5BF49304F1086E6D409AB365D770AA85CF50

Function 02620A49 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2064419816.0000000002620000.00000040.00000800.00020000.00000000.sdmp, Offset: 02620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2620000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1a05d2e839b571e5986b91c3f88d25b74a5dc57e360602be966a6e3dcff4be
Instruction ID: d1d6bd8b6836d2ef8bd24056940deae5f11288e71ec3ac7c54c0707404d1f520
Opcode Fuzzy Hash: 7e1a05d2e839b571e5986b91c3f88d25b74a5dc57e360602be966a6e3dcff4be
Instruction Fuzzy Hash: 8F213670E0124A9FCF45DFB8D9509DDBFB1EF49300F4582A6D454BB2A6DB30A946CB90

Function 02620848 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2064419816.0000000002620000.00000040.00000800.00020000.00000000.sdmp, Offset: 02620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2620000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f5f3d460e59185f88ec00a318d1e70107fb7daddf2b6d4618b8009ebc73f29
Instruction ID: 4065e82a2c365f6b2910f29367b1a3dbd2301ba42480ac72e6117a75d750b306
Opcode Fuzzy Hash: 90f5f3d460e59185f88ec00a318d1e70107fb7daddf2b6d4618b8009ebc73f29
Instruction Fuzzy Hash: 09110D74901609DFCB45EFB8FA44A8D7BB5FB44309F0086B5D1059B279E7B46A4ACF80

Function 02621870 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2064419816.0000000002620000.00000040.00000800.00020000.00000000.sdmp, Offset: 02620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2620000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d246317a5282be9cdf30e082deac246218919233d014f2c009f69ab208f19b
Instruction ID: 8752fa2a1bcc6c06be42e595d13adae842654bd9ea3308f595e6ddcd6a7db5de
Opcode Fuzzy Hash: 03d246317a5282be9cdf30e082deac246218919233d014f2c009f69ab208f19b
Instruction Fuzzy Hash: 50F03CB4D092698BDF10DFA5D4447EEBBF0AB9A310F1090A9D418B7292D77C460ACF51

Function 026209DF Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2064419816.0000000002620000.00000040.00000800.00020000.00000000.sdmp, Offset: 02620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2620000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4830a257393d39e3f2a7db66323dd70a7c65fb797ec8dee3edb662c358227fa6
Instruction ID: 082bbe0afba62e73e4daebaf713afc71c8932b15e08081deef8cd4f0999eb5e9
Opcode Fuzzy Hash: 4830a257393d39e3f2a7db66323dd70a7c65fb797ec8dee3edb662c358227fa6
Instruction Fuzzy Hash: 4B01E470D052599FCB01DFB8D85569DBFB0BF06205F1446AAC455A72A1E7708A54CF81

Function 026209F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2064419816.0000000002620000.00000040.00000800.00020000.00000000.sdmp, Offset: 02620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2620000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf79525e1d1da9c8a25d7ec01b190224256a4fa5fe1fc7b5e9c1717d41fa5816
Instruction ID: 2ff4934f30d99f081267606131543ab2703b8501f1a7578c5b54ad7820158da6
Opcode Fuzzy Hash: bf79525e1d1da9c8a25d7ec01b190224256a4fa5fe1fc7b5e9c1717d41fa5816
Instruction Fuzzy Hash: ADF0B270D00219EFCB45EFB8D9456EEBBB4FB08305F5046AAD415A73A4EB709A84DF81

Analysis Process: efthfxj.exePID: 6200, Parent PID: 4052COMMON

Executed Functions

Function 00A63660 Relevance: 8.1, Strings: 6, Instructions: 640COMMON

Download Yara Rule

Strings

(Rr, xrefs: 00A63D9E
(Rr, xrefs: 00A63860
(Rr, xrefs: 00A63A97
(Rr, xrefs: 00A639F4
(Rr, xrefs: 00A637C3
(Rr, xrefs: 00A63CF5

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID: (Rr$(Rr$(Rr$(Rr$(Rr$(Rr
API String ID: 0-501461687
Opcode ID: 31a02b3a2849406da36a306b0be60e34337c30f310f084e0d8fefdc7bc2fd0aa
Instruction ID: a00ac509635bc7598ed751e558630b1c04e0b63b0f7c986b49f5ff9264179d52
Opcode Fuzzy Hash: 31a02b3a2849406da36a306b0be60e34337c30f310f084e0d8fefdc7bc2fd0aa
Instruction Fuzzy Hash: 84628E74A01229CFCB24CF68C984BD9BBF1BF8A310F5482A5D449AB365D734AE85CF51

Function 00A63650 Relevance: 4.2, Strings: 3, Instructions: 426COMMON

Download Yara Rule

Strings

(Rr, xrefs: 00A63D9E
(Rr, xrefs: 00A63860
(Rr, xrefs: 00A63A97

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID: (Rr$(Rr$(Rr
API String ID: 0-2808380048
Opcode ID: 06c354bb44bed1e119dcf3ffad2d8b6dc5d04553b5fba17ff3053e1bc93d4e1f
Instruction ID: d347530e1a76eb9caf5a16a9711291679a03e40a64e7e4f63e0284ecd86ed6b5
Opcode Fuzzy Hash: 06c354bb44bed1e119dcf3ffad2d8b6dc5d04553b5fba17ff3053e1bc93d4e1f
Instruction Fuzzy Hash: A7229E74A012298FCB24CF69C984BD9BBF1BF8A300F5182E5D449AB365D734AE85CF41

Function 00A60B60 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

daq, xrefs: 00A60E64

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID: daq
API String ID: 0-1532007458
Opcode ID: e71925e565196939951df59eca94a8d7827d7472168b88541d5f9e2aad8b9cf6
Instruction ID: bb0c1d6efef1e2a65a387ad91acb00a2f1a214bde27c12b4c89b1b532ffa7974
Opcode Fuzzy Hash: e71925e565196939951df59eca94a8d7827d7472168b88541d5f9e2aad8b9cf6
Instruction Fuzzy Hash: A0829074A00229CFCB24DFA8D984BDDBBB5FF49304F1486A6D409AB265D734AE85CF50

Function 00A62030 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

(aq, xrefs: 00A620A5

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 5d42f65dfad719ef02eda532fe9e1b1a815030808686f76bfd13f6a9544c1ba7
Instruction ID: 77b8220d8050178dea342cb9e4eab7aee2c532c70d533ceaf4bb5d74816de3c2
Opcode Fuzzy Hash: 5d42f65dfad719ef02eda532fe9e1b1a815030808686f76bfd13f6a9544c1ba7
Instruction Fuzzy Hash: 81E1F674A00209CFCB18DFA9C594A9EBBF6FF89310F208569D405AB3A5DB34AD46CF50

Function 00A60B52 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a8f6eb437ba89bf8b3e6cfbb01b4bc50ed8b46a4aefbc648ba9d61fc858308
Instruction ID: 456886683b286fa3befb5c3faaa79fe97e95447dab9e726a0cad2058821e30ed
Opcode Fuzzy Hash: 57a8f6eb437ba89bf8b3e6cfbb01b4bc50ed8b46a4aefbc648ba9d61fc858308
Instruction Fuzzy Hash: C1129574D00229CFCB24CFA8D984BDDBBB5FF89314F1482A6D419AB265D7349A85CF50

Function 00A64860 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42938ef5ccb53eebb5290429f043ce8390d70ab08fc4d69de63d9b20342357c2
Instruction ID: fa356c196bae433e009b050860e520bd4a8bbd412029fb42c785f2c2859806e5
Opcode Fuzzy Hash: 42938ef5ccb53eebb5290429f043ce8390d70ab08fc4d69de63d9b20342357c2
Instruction Fuzzy Hash: D7B16D75E00319CFCB14CFA9C584ADDBBF2BF89310F2591A9E409AB265D734AA85CF50

Function 00A64248 Relevance: 4.1, Strings: 3, Instructions: 307COMMON

Download Yara Rule

Strings

(Rr, xrefs: 00A644EA
(Rr, xrefs: 00A64466
(Rr, xrefs: 00A643A3

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID: (Rr$(Rr$(Rr
API String ID: 0-2808380048
Opcode ID: 24ec306ac063b14c3c63246f921be9d136adefc5af77e18f3359e073f5d58a89
Instruction ID: 66221213339b32b8fa576432e49b13076fcac37123c64e7117bdd975afbe64f8
Opcode Fuzzy Hash: 24ec306ac063b14c3c63246f921be9d136adefc5af77e18f3359e073f5d58a89
Instruction Fuzzy Hash: DBE19F74E002188FDB54CFA9D884ADDFBF5BF49310F1492A6E819AB369D734A946CF40

Function 00A642ED Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

(Rr, xrefs: 00A64321
(Rr, xrefs: 00A643A3

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID: (Rr$(Rr
API String ID: 0-490398145
Opcode ID: c5bc8a100a5cda03e4858833cf51f7bc8a7433d1d2bf8866c36344c89e5c5891
Instruction ID: af7c1bd82a8011a0702fe92a76206da2f4711edeb0090c4e32c365461f797673
Opcode Fuzzy Hash: c5bc8a100a5cda03e4858833cf51f7bc8a7433d1d2bf8866c36344c89e5c5891
Instruction Fuzzy Hash: 13318F74E002098FCB08CFA9C584ADDBBF6FF89315F149166D415AB369E734A94ACF50

Function 00A64731 Relevance: 2.6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

h^q, xrefs: 00A647FC
h^q, xrefs: 00A64791

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID: h^q$h^q
API String ID: 0-4075327559
Opcode ID: 9e408f749db8c397c0852583552b10dbc53f6f042b5865c0b6e70bde94d6eef0
Instruction ID: b1ef4e5f0038aba9716005218b92e2ab6776926c716f51dc0d879589a6c231b2
Opcode Fuzzy Hash: 9e408f749db8c397c0852583552b10dbc53f6f042b5865c0b6e70bde94d6eef0
Instruction Fuzzy Hash: 052139B4E0025A8FCB05DFA8DA509EDBBF1FF89300F508696D414BB265CB34A906CF90

Function 00A64129 Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

h^q, xrefs: 00A641E8
h^q, xrefs: 00A64186

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID: h^q$h^q
API String ID: 0-4075327559
Opcode ID: 5e9caf701d772a2ff58b69b0bd65b86d65170bb1fd301c1cbeb12f60e078cf39
Instruction ID: f1428833cc86f23be3737c35aea41c2884fc1bee9ea144bb36461bfa2198a08b
Opcode Fuzzy Hash: 5e9caf701d772a2ff58b69b0bd65b86d65170bb1fd301c1cbeb12f60e078cf39
Instruction Fuzzy Hash: FD214A70E0014A9FCB05DFA8D5509DDBFF2EF89310F1082AAD454BB2A5DB34A946CF90

Function 00A65240 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

(aq, xrefs: 00A652C2

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 4de24aff2940e8e32de4cde01bd5753a4947f5db8e70a8083a09fa03441424b2
Instruction ID: 3063627dd9f25ae3b6b1d9075dce387dc393264e8be3e18f6ade385a2460f84f
Opcode Fuzzy Hash: 4de24aff2940e8e32de4cde01bd5753a4947f5db8e70a8083a09fa03441424b2
Instruction Fuzzy Hash: 56D18E74E002598FCB14CFA8D984ADDBBF2FF49310F1582A5E409AB36AD774A985CF50

Function 00A65230 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

(aq, xrefs: 00A652C2

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 22f1ebf30ec3c96c44d303398e742118bdaaf4dc59515c2908b72229cf6152ce
Instruction ID: bde528fd2fd2dbfa900e38ed0e998febe15807190c9bb811a2243e7d23bb12a7
Opcode Fuzzy Hash: 22f1ebf30ec3c96c44d303398e742118bdaaf4dc59515c2908b72229cf6152ce
Instruction Fuzzy Hash: E4C18074A00259CFCB14CFA8D984ADDBBF2FF49310F1581A5D409AB36AD774A989CF50

Function 00A620A4 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

(aq, xrefs: 00A620A5

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 78795cf9c9c191388e9f7cff4852f2bbc8141abf6aa2b85e8dd04e46da6c5685
Instruction ID: 3fb5a60b4ee2f4384f77e31112bc3ae5cec4823377ba77412e3a2bdf186ebf0c
Opcode Fuzzy Hash: 78795cf9c9c191388e9f7cff4852f2bbc8141abf6aa2b85e8dd04e46da6c5685
Instruction Fuzzy Hash: EB910974A00208CFCB19DFB8D594A9EBBB2FF89300F208569D405AB366DB35AD46CF54

Function 00A6280D Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcad2113afc7f386004f4b02ff59bc6e8cf64ddaf05f644e1f422462c1ff5858
Instruction ID: c79df6ac2c641c0de8a2602feb1693edb140d0111f2ddd736eaf8f1ffaceed56
Opcode Fuzzy Hash: fcad2113afc7f386004f4b02ff59bc6e8cf64ddaf05f644e1f422462c1ff5858
Instruction Fuzzy Hash: C75137B4D053889FCB11CFA9C894ADEBFB1EF4A304F2480AAD854BB251D7749946CF64

Function 00A62875 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79890086e810e777f8a273031a281f9a8cc8afee8afda74e32c7993eb48d951d
Instruction ID: b262946a365f9d1a9ef7eb243689a44c59332d86a8702dd707221dffb9f4ca7a
Opcode Fuzzy Hash: 79890086e810e777f8a273031a281f9a8cc8afee8afda74e32c7993eb48d951d
Instruction Fuzzy Hash: 0B51EFB4D042489FCF11CFA9C990AEEBFF1AF4A300F24906AE858BB251D7749985CF54

Function 00A62F70 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017fb5b28f0f59bd8ff58d99cfdfeb60b388db117d41855396b83325279a5638
Instruction ID: 5b351790c56ca417adf0499227b33991f11c6fde3fc1deb0c38f33a5acf03b8c
Opcode Fuzzy Hash: 017fb5b28f0f59bd8ff58d99cfdfeb60b388db117d41855396b83325279a5638
Instruction Fuzzy Hash: 32314A74E0025A9FCB05DFA8D9509DDBBB2FF89300B1582A6D854AB365D730EE46CF90

Function 00A6120B Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2957c1e60e851555f39586eb811c6d756591bcef71b189ce8666b2a92b4f1e20
Instruction ID: 1623596dd13c6417a57ed3bdc617deef19f63df56ae30f14d501c73bc6f6f026
Opcode Fuzzy Hash: 2957c1e60e851555f39586eb811c6d756591bcef71b189ce8666b2a92b4f1e20
Instruction Fuzzy Hash: 60A18774A00229CFCB14CFA8D884BD9BBB5FF89314F1581A6D419AB365E730AE85CF50

Function 00A631D8 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f2fe0b238668f83aee03e54ec0eb721216b01c674daacd8ee21b397e5a7fae
Instruction ID: ce29b1deb56546023580345f22cbab07b68d08ae9c7c0ab0f13dfe039e59e7de
Opcode Fuzzy Hash: 13f2fe0b238668f83aee03e54ec0eb721216b01c674daacd8ee21b397e5a7fae
Instruction Fuzzy Hash: FD81C175E00219DFCB05DFA8D9949DDBBB2FF89310F10826AE415AB265D730AA46CB90

Function 00A620E8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33bcfac2a89cf2a0e8473ce8b846800a2220f7223b3c89ac71ea2b7f1794e69a
Instruction ID: b15cf1021385c1f8155f2d1a9067d3840c543652c7f3a8711bc1396984003269
Opcode Fuzzy Hash: 33bcfac2a89cf2a0e8473ce8b846800a2220f7223b3c89ac71ea2b7f1794e69a
Instruction Fuzzy Hash: 2791D774A00209CFCB18DFB8D584A9EBBB6FF89300F208569D409AB365DB35AD46CF54

Function 00A631E8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2585d848e86577293608da9c455e56ee1ee3c56960a00827e2c9bfa8c0f2a325
Instruction ID: 817f56a3f2485d1205aba408c9712417a9079f911902e8053b847d2c2e61e329
Opcode Fuzzy Hash: 2585d848e86577293608da9c455e56ee1ee3c56960a00827e2c9bfa8c0f2a325
Instruction Fuzzy Hash: 0961CF75E01218CFCB08CFA9C8849EDBBB6FF89310F149169E415AB365DB30AD46CB50

Function 00A62AD0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f257dec4c7f33e1896b399f541d3729c39e381306de5dffcb70857ef55f8a10
Instruction ID: bfc7922381cbb0b02a90394b68729f0671caefed12f172385f20cacf45f27a14
Opcode Fuzzy Hash: 5f257dec4c7f33e1896b399f541d3729c39e381306de5dffcb70857ef55f8a10
Instruction Fuzzy Hash: 1641BDB4D002489FCF14CFAAC984ADEBBB1BF49300F24942AE818BB250DB749985DF54

Function 00A64851 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdaeab3cb647a6cde30b57f73c3aa4f64d7d9e1316e833f0dcf9830f5157710
Instruction ID: c780cc05ad2d938beaaffa00848c85eb9d85a3bba8d22d6a29658a3f0a767940
Opcode Fuzzy Hash: ebdaeab3cb647a6cde30b57f73c3aa4f64d7d9e1316e833f0dcf9830f5157710
Instruction Fuzzy Hash: 1F41C470D003198FDB14CFA9C994ADDBBF2BF89314F219199D458AB265D730AE86CF40

Function 009FD618 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3277752291.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9fd000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac79027060acf57b05ff1037dd943d7693977c715b3ad262c9f923a77bbff2b1
Instruction ID: c6fea5fd9e2fb8ba28397e39072d8eafb8a3282ae98967cffdc8b66cd01acc3d
Opcode Fuzzy Hash: ac79027060acf57b05ff1037dd943d7693977c715b3ad262c9f923a77bbff2b1
Instruction Fuzzy Hash: EB213771501208DFDB05DF14D9C0F36BF6AFB98324F208569EA0D8B25AC33AD816DBA1

Function 00A61F08 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fa867f0186d01abeb2d1730d30fff204528c3414d7c7bb7ef88fad64421906
Instruction ID: ce0d0d9a74121cbb2079dae7a7d37a3c8a4fe09ae7443369d2ddb48e5f68a532
Opcode Fuzzy Hash: 41fa867f0186d01abeb2d1730d30fff204528c3414d7c7bb7ef88fad64421906
Instruction Fuzzy Hash: 6A311770D0025A9FCB05DFA8D9509EDBFB1FF89310F0182A6D454BB266D730AA46CF90

Function 00A63531 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5caafb2d9188c971b06357206565b3fbeebcc0be0c988e8144c441edcbb9eb22
Instruction ID: 36ba5d11466b6963f88447257b24d346f147008632a4fdd409f4cfd0d241fcf3
Opcode Fuzzy Hash: 5caafb2d9188c971b06357206565b3fbeebcc0be0c988e8144c441edcbb9eb22
Instruction Fuzzy Hash: F53128B1E0021A8FCB05DFA8D9909EEBBB1FF89310F418566E411BB261DB34AD46CF50

Function 00A6511A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45772a601f3ca1949010ee43293f723050d10c0fd5e366e20ff7b93090bf1d07
Instruction ID: 94761f8495fc54896410d8c1cc35cac974d9a6a12d92c6bb6e50887dfb7942b8
Opcode Fuzzy Hash: 45772a601f3ca1949010ee43293f723050d10c0fd5e366e20ff7b93090bf1d07
Instruction Fuzzy Hash: 15211970E0025A9FCF05DFA8D9509DDBBB1FF49300F0182AAD454BB266D734AA46CB90

Function 00A60A49 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28bcfbbd38aab243b3d64438401760e494c751562e4a25f0d9a64943dd11f83b
Instruction ID: 1162396911a0dd82e447335f5d04fccf0c12a5e4c0748ba2d5b4ff65d05d6ea1
Opcode Fuzzy Hash: 28bcfbbd38aab243b3d64438401760e494c751562e4a25f0d9a64943dd11f83b
Instruction Fuzzy Hash: 0B213471E0024A9FCB41DFA8D450ADDBFB1EF89300F4482A6D450BB265DB30A986CB90

Function 00A656BF Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0fdf7b007b6616679d8d5698b14a78ea7e6e9615f784495507866055946c29
Instruction ID: 7c4aa025e317840b6e488cd397c63b1f40e8b34025e8e86c35916297d3c54bd1
Opcode Fuzzy Hash: 5e0fdf7b007b6616679d8d5698b14a78ea7e6e9615f784495507866055946c29
Instruction Fuzzy Hash: 11214830D0024E9FCB46DFA8D4509DCBBB1EF49310F0486A6D450BB3A5DB34E946CB90

Function 00A607E0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ca95daaf34ff7b3c13c88f8d8109b36e088620015fdde840a4dfd1ca529ca2
Instruction ID: 96b80bc5fd3b0966e0786db14c6cf94aee4484babf5ffbef70c63e9e5447d15f
Opcode Fuzzy Hash: c0ca95daaf34ff7b3c13c88f8d8109b36e088620015fdde840a4dfd1ca529ca2
Instruction Fuzzy Hash: 0C218E70900609DFDB05EFBCF984AC97BB6EF89305F10C665D1045F26ADB799A4ACB80

Function 009FD613 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3277752291.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9fd000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: fe62bc356e4e3a841b93f0dc4767693b4717943cfe555e1fcfb95d1d787493e3
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 7E11D376504284CFCB16CF14D5C4B26BF72FB98314F24C5A9D9094B656C336D85ACBA2

Function 00A60839 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38177abce4ca2c16f5896bd6ba7d2cc1dc15f26340a06cc00acc7115a7eeb80d
Instruction ID: 0f143513695057eabec7347ad40463bc009cad1f190f6982cfb35e99826ef3fa
Opcode Fuzzy Hash: 38177abce4ca2c16f5896bd6ba7d2cc1dc15f26340a06cc00acc7115a7eeb80d
Instruction Fuzzy Hash: 73210B74900509DFDB05EFB8E984B897BB5EF89305F10C6B8D1059B22AD7795A4ACF80

Function 00A60848 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e8c7ba8d9af3654c82a08b3d8c0590e6bd9a474afe92296a4eac1349963dfd
Instruction ID: 982c48106ea2f4284abefc774aa38a19047b27519ffdad5596349b96bfcf16da
Opcode Fuzzy Hash: 34e8c7ba8d9af3654c82a08b3d8c0590e6bd9a474afe92296a4eac1349963dfd
Instruction Fuzzy Hash: 0F110D74900609DFDB05EFB8F984A8D7BB6EB88305F00C574D1059B26ADB785A49CF80

Function 00A631A0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed66b3ae6b25380a9e27fad43ee151837a1beab4c5fc12fbbefb9b9bbe058b3
Instruction ID: 67baf1a129b31827f4e6fdab731821598a78c580e76955aba276fa9e19450474
Opcode Fuzzy Hash: 4ed66b3ae6b25380a9e27fad43ee151837a1beab4c5fc12fbbefb9b9bbe058b3
Instruction Fuzzy Hash: FD018CB5E042499FCF01CFA8E9409EDBFB1EF45314B114399D464AB262C3308A46CB61

Function 00A651FA Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0098d33f49b1397f92e90e6a702b9b06f38a8955c14ffd67337eb292d586d287
Instruction ID: f44974fee5d06a6f10b473099c85230c7e5525a81b17e2f513b12ab103b62be5
Opcode Fuzzy Hash: 0098d33f49b1397f92e90e6a702b9b06f38a8955c14ffd67337eb292d586d287
Instruction Fuzzy Hash: E9115B70E0014A9FCF02CFA8DA909DDBBB1FF46314F4182DAE454AB262D730DA06CB90

Function 009FD149 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3277752291.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9fd000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f50c44161d1aa2810ab7e7ff5ec8a8085e0b6693411b5897b477a4617b67bc3
Instruction ID: 551f0e90dc97f2dbacd2553929046f1b714f6a59b358a2210d63698f1b1a8b04
Opcode Fuzzy Hash: 3f50c44161d1aa2810ab7e7ff5ec8a8085e0b6693411b5897b477a4617b67bc3
Instruction Fuzzy Hash: B501FC712093089AE7249A15CD84777BF9DDF45320F18C529EE180A246C2399841C771

Function 00A62020 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d033be7a38caf61011bec80b1c3f31feab9a8029ae21201d7791c4b7b7932318
Instruction ID: 4cc07ae7c62eeb37ec96c3dda987747c643957231298637b31b6f751ff827c92
Opcode Fuzzy Hash: d033be7a38caf61011bec80b1c3f31feab9a8029ae21201d7791c4b7b7932318
Instruction Fuzzy Hash: 2001AD35D042499BDB15CB74C865AEEBBB1AF84350F15882E8042AB291DE74194BCB82

Function 00A61870 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51bcd326a141d97ed74bbe852231450438cbd4d91642777b550fc09cc9a191cf
Instruction ID: 4d74e7a56fc2c21af4d42352ffb1858879ef315f8163ee7bfad68025ef3d078c
Opcode Fuzzy Hash: 51bcd326a141d97ed74bbe852231450438cbd4d91642777b550fc09cc9a191cf
Instruction Fuzzy Hash: 2CF037B5E04249CADF00CFA6D5043EEBBF4AB49311F14902AD554B7241D7784A4ACF60

Function 009FD148 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3277752291.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9fd000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9016fec15832d362c7688fb903f00431d27d9702fca2ca7011025b32cb4708c4
Instruction ID: c8174775ea098ab692b7c9ac745a106a42eb22f40d3416ac0f4e96eedc76da34
Opcode Fuzzy Hash: 9016fec15832d362c7688fb903f00431d27d9702fca2ca7011025b32cb4708c4
Instruction Fuzzy Hash: 42F0C2711093449EF7248A0ACC84B62FFACEF55334F18C45AEE084A286C2799844CBB0

Function 00A63419 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64e642702fde3c7eb7c1fbffc0a66a9a5a6b55893e3e049ecae1cde8259ec2f
Instruction ID: cc41142443ef8509db196d5858e29cccd163c4e8b05dca276fdb62e4a68ee1a1
Opcode Fuzzy Hash: c64e642702fde3c7eb7c1fbffc0a66a9a5a6b55893e3e049ecae1cde8259ec2f
Instruction Fuzzy Hash: 9E012470A40109DFCB05DFA8D684E9EFBB1AF85304F5482E9D4046B266CB34DE85DB85

Function 00A61FE8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2893b56c1d6deeb585aa47e5106b46e9d90f9b7a6d8f78ccfc3c763ef19230
Instruction ID: f46e5e5804f24608191f7484726b5eb18c66d349366cd386f335f0b55d50d573
Opcode Fuzzy Hash: 1c2893b56c1d6deeb585aa47e5106b46e9d90f9b7a6d8f78ccfc3c763ef19230
Instruction Fuzzy Hash: F0F052B0C0010ACFDB04CFA0D858BEEBB71BF04344F158068D008A7160CB740E0ACB62

Function 00A609DF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502313e3adc9fb2a56642ee8ffabd716fac28360e02b03bd35eca2ad75aa6e1d
Instruction ID: 0597fff252107a7a5b5e9b53b8512f72bbb1657b672014888839b2a0b9aca29d
Opcode Fuzzy Hash: 502313e3adc9fb2a56642ee8ffabd716fac28360e02b03bd35eca2ad75aa6e1d
Instruction Fuzzy Hash: 5301F2B0D00209DFCB05DFA8C844ADDBBB0FF09305F1046AED415A7261EB709A50CF81

Function 00A61DC9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e778e00ee5ca304afb817ca2aceba87939e8df9f8b6e4942769886ec9e154d5
Instruction ID: 74d5f091562c1c46471d1d06dc618d969f0cd770c5c8078aa8f194d85b47244c
Opcode Fuzzy Hash: 9e778e00ee5ca304afb817ca2aceba87939e8df9f8b6e4942769886ec9e154d5
Instruction Fuzzy Hash: 8AF0E271B08240AFC704CF59D444EAABFB6FFC9321B18C05BE84AC3212C7319822CBA0

Function 00A61D65 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046fdcdef08425c20005bb8bf8cec1e090d74b87ce36554594920cc673a683c5
Instruction ID: 90493f09450b09a23786c04e9c87a3e8748134df548a7e243863c7c922172c32
Opcode Fuzzy Hash: 046fdcdef08425c20005bb8bf8cec1e090d74b87ce36554594920cc673a683c5
Instruction Fuzzy Hash: A5F0A732B082089F8B04CF5DD4049AABFF6EBC9221719C05BE858C7355D631DD52D780

Function 00A61DD8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281bd9b372b63395453bf97eecff450a6e3edad962daea4711137ad036ebe9ae
Instruction ID: 9567217c928a255477246bb8cb97fee435ed43cb6699b21065805ee581e76304
Opcode Fuzzy Hash: 281bd9b372b63395453bf97eecff450a6e3edad962daea4711137ad036ebe9ae
Instruction Fuzzy Hash: 20E03931B14204AB87148A4AE804D6ABFAAEBC9361768C02AE849C7315DA32DC529B90

Function 00A6400F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ddc842343ae2f477ffbae5a2479612dc0118a29b3012e886326d3dd20889678
Instruction ID: 6975c5e85b0f47e1ff73522f26b03d69ccc319a0d687b5a74ace9770d019e907
Opcode Fuzzy Hash: 8ddc842343ae2f477ffbae5a2479612dc0118a29b3012e886326d3dd20889678
Instruction Fuzzy Hash: 24F0D470E046288FCB28CF5AC944AA9F7F1AFCE360F5591A6C01DA7224D6309A41CF05

Function 00A609F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a765a1608efb1500dc7c6d98883d4f6eca6a3ec3c30a585585fb59a50b34314c
Instruction ID: cc124944708610a2eb82ad7ac506b1af79f9b26b214216141fca0feba57b656a
Opcode Fuzzy Hash: a765a1608efb1500dc7c6d98883d4f6eca6a3ec3c30a585585fb59a50b34314c
Instruction Fuzzy Hash: C5F0B770D00219DFCB45DFB8D5446DEBBB4FB05300F1086AAD415A7354EB709A41DF80

Function 00A640E2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a042d64ecd53a83ade33b0099bf99c6efd4358441787444f4240e47fd5a7391e
Instruction ID: b00864b2d3c3d89b562a4c4dd8a3ced395d8c94ba701fa5743520eba36b214d8
Opcode Fuzzy Hash: a042d64ecd53a83ade33b0099bf99c6efd4358441787444f4240e47fd5a7391e
Instruction Fuzzy Hash: 3AF01E34905248EFCB05CBA8D54299CBFB1AB4A321F6482A8E84823366C3359E81CB40

Function 00A63397 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1cc47251b939af4b5b56822f53394040266bd95f919675bce423cea3c9f0185
Instruction ID: 11d0d299beb37e4482e47fbdb9e2ed5d2f1c14da8979c55da3d3256972f9f802
Opcode Fuzzy Hash: f1cc47251b939af4b5b56822f53394040266bd95f919675bce423cea3c9f0185
Instruction Fuzzy Hash: 1EE01A74E04218CBCF28DFAAE9408ECB7B1FFC4324B109566D015AB264D770DE12CB40

Function 00A6244D Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c056e03830db563824d3bab5295f76735b35bad5630995b60d3ef1b480bdde57
Instruction ID: a6873b910f66f5cf75144cadc1adcf6d40fc277c8f92b6fd0bcaf7855d11c7d6
Opcode Fuzzy Hash: c056e03830db563824d3bab5295f76735b35bad5630995b60d3ef1b480bdde57
Instruction Fuzzy Hash: 7BE08634E04108CBCB24CF99D5406ECB771EFC9320F20A165C009B7264C6305E128F50

Function 00A646B6 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3278359826.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a60000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eccf70f92f1f8a5cc306efa9761035831bc7fb1842acbd5b284c081a8353aa5
Instruction ID: 6de29c911d29d011ad85b325213c316acaab605cb717d13e2dcf0645f3ffdf64
Opcode Fuzzy Hash: 4eccf70f92f1f8a5cc306efa9761035831bc7fb1842acbd5b284c081a8353aa5
Instruction Fuzzy Hash: 88E04638E0421C8BCB14CFA9D84049CB772EFC6320F0092668069BF264C7309916CB00

Analysis Process: efthfxj.exePID: 1076, Parent PID: 4052COMMON

Executed Functions

Function 00E40B60 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

daq, xrefs: 00E40E64

Memory Dump Source

Source File: 0000000A.00000002.2064331007.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_efthfxj.jbxd

Similarity

API ID:
String ID: daq
API String ID: 0-1532007458
Opcode ID: 95ebb6ec07b699c4eb037640a21a47e94836d88ef34b8d720904234080a4745a
Instruction ID: b2badb70f60d45cdab252469f678a8939fae0f840fd2ebb38af93f703fd0890d
Opcode Fuzzy Hash: 95ebb6ec07b699c4eb037640a21a47e94836d88ef34b8d720904234080a4745a
Instruction Fuzzy Hash: 03828074A002298FCB24DF68D984BD9BBB5FF49304F1096E6D409BB265DB34AE85CF50

Function 00E4061D Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2064331007.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2171218ab1912d0022ed0551c693222c5744fc4b29120e660b9954415d5aeee8
Instruction ID: 21ef1123abf975ea6ad2745b227d5ad952a1f67f898c06cb73e86b676d9aaec5
Opcode Fuzzy Hash: 2171218ab1912d0022ed0551c693222c5744fc4b29120e660b9954415d5aeee8
Instruction Fuzzy Hash: F5218BB09012499FDB06EF78E954B997FB5FF84304F0086A5C1049B26ADB789A49CF80

Function 00E405E7 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2064331007.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2f329a5a880d5a560e4288357f3e4ca254a9dba63e1e12180515c0dc2e7e38
Instruction ID: 0008baa556ae9d9ecf4d3726b0a2e277c2ef58e657f33e65e11647cb39ca6f57
Opcode Fuzzy Hash: 7b2f329a5a880d5a560e4288357f3e4ca254a9dba63e1e12180515c0dc2e7e38
Instruction Fuzzy Hash: E0213CB49012499FDB06EF78F984B997FF5FF85304F1086B5C1059B26ADB785A0ACB80

Function 00E40601 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2064331007.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193c621aa5fa78e69d4f088239e9bd0d5ddbced91ac46f6ba6057be0b0d0c518
Instruction ID: c798bdfd47102111464fa7af3d0b85c118b03bfa404ef5426a5a6131045f5ad7
Opcode Fuzzy Hash: 193c621aa5fa78e69d4f088239e9bd0d5ddbced91ac46f6ba6057be0b0d0c518
Instruction Fuzzy Hash: 58214AB49012499FDB06EF78F994B997FF5FF85304F0085B5C1059B26AEB789909CB80

Function 00E40A49 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2064331007.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e1b3b6787cafa13ac1b7f929e5540e7ff4647440d102b41f255ab82465a947
Instruction ID: 0b5af7cefd969c4a0bc8cb61089d78c80dff3b33fd16fd9644da976b8ce4569a
Opcode Fuzzy Hash: d1e1b3b6787cafa13ac1b7f929e5540e7ff4647440d102b41f255ab82465a947
Instruction Fuzzy Hash: F3214871E0024E9FCF41DFA8E4509EDBFB1EF49300F4582A6D454BB265DB30A946CB90

Function 00E40848 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2064331007.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed8a61abbb1ae85fe4c387840a248848e092f0f62bc4c913b8c09ae9cdbfcce
Instruction ID: 2004afa53ae68224892bbb326eae70245eb106f71bc5a3d3577e9f6ae0b0e868
Opcode Fuzzy Hash: eed8a61abbb1ae85fe4c387840a248848e092f0f62bc4c913b8c09ae9cdbfcce
Instruction Fuzzy Hash: 6F119C749012099FDB05EF78F944AA97BF5FB44304F1085B5D1059B26ADB785A49CB80

Function 00E41870 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2064331007.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 052e04a6f679e2827d163bac18ed38a72d185ef27c56cb9c499db05767e76d43
Instruction ID: 193fd616da5ef11fccbd1ac1e780a6d51498f775cb37799215add2de9fe73456
Opcode Fuzzy Hash: 052e04a6f679e2827d163bac18ed38a72d185ef27c56cb9c499db05767e76d43
Instruction Fuzzy Hash: 0AF04F74D04249CBCF04DFA5E5143EEBBF0AB4D310F54A0A5D414B7251D7395A59DF50

Function 00E409DF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2064331007.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726908103354b62651db2dc2c59f0552920404e919a2c051bca086161687f3be
Instruction ID: e1225f61b32172989b0e328730939599d76c6888cc0ce262f253731c37376fcb
Opcode Fuzzy Hash: 726908103354b62651db2dc2c59f0552920404e919a2c051bca086161687f3be
Instruction Fuzzy Hash: DD0114B0D00209DFCB01DFB8D8446AEBBB0FF05315F104AAEC415A72A1EB709A40DB80

Function 00E409F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2064331007.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e40000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956f4cb094d41a6143d843f76ea6de1bdf76b040e7fe24e2f4464d6988c7aac0
Instruction ID: 1ce00980df42dd73bfa20eaf263a265a13694df3fdc7a50da2c9c35642bbb335
Opcode Fuzzy Hash: 956f4cb094d41a6143d843f76ea6de1bdf76b040e7fe24e2f4464d6988c7aac0
Instruction Fuzzy Hash: 1BF0B270D00219DFCB45EFB8D9446AEBBB4FB04314F104AAAD419A72A4EB709A40DB80

Analysis Process: efthfxj.exePID: 3992, Parent PID: 1084COMMON

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	350
Total number of Limit Nodes:	14

Executed Functions

Function 04CD7D28 Relevance: 5.2, Strings: 4, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MhR, xrefs: 04CD7E8A
Te]q, xrefs: 04CD7FC9
Te]q, xrefs: 04CD7D83
MhR, xrefs: 04CD7E91

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID: MhR$MhR$Te]q$Te]q
API String ID: 0-1863040356
Opcode ID: 2e9b7f0479c017c914a80622af9d18199cf4c69492685179f4a0026f8b9d6c7b
Instruction ID: 3d96721226412b2d4b8c084bf7b38085c3bfce32686a0570cfdaa3488656f7c4
Opcode Fuzzy Hash: 2e9b7f0479c017c914a80622af9d18199cf4c69492685179f4a0026f8b9d6c7b
Instruction Fuzzy Hash: B7A1C2B4E01219CFDB48CFAAC9849AEBBF2BF89300F24852AD515BB354D735A901CF54

Function 063A9880 Relevance: 1.9, APIs: 1, Instructions: 397
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 063A9CCF

Memory Dump Source

Source File: 0000000D.00000002.2097455439.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_63a0000_efthfxj.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bfcd482a76e89a22dc6d02bb2da57300c96c7c36c548a17c93152901eaeecf9d
Instruction ID: 4880cb1febddfbe3e9c794de5f62baa761f8e51ba8e6c72c0208297a346d70b5
Opcode Fuzzy Hash: bfcd482a76e89a22dc6d02bb2da57300c96c7c36c548a17c93152901eaeecf9d
Instruction Fuzzy Hash: 7802C074E112288FEB64CFA9C880B9DBBB1FF49304F1481AAD419B7290DB349985DF95

Function 063A9875 Relevance: 1.9, APIs: 1, Instructions: 386
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 063A9CCF

Memory Dump Source

Source File: 0000000D.00000002.2097455439.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_63a0000_efthfxj.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 66d5cb9edb2ec1f9fb3f9ad608adca4654d197bc0343a78cec92d70fa9410ee1
Instruction ID: db3401679a5e1f79ca57d6887c7f27f03a2c4637c04b766b86b5c54c021da25b
Opcode Fuzzy Hash: 66d5cb9edb2ec1f9fb3f9ad608adca4654d197bc0343a78cec92d70fa9410ee1
Instruction Fuzzy Hash: 80F1D174D11228CFEB64CFA9C880B9DBBB1FF49304F1481AAE419B7290DB349985DF95

Function 063AA8D8 Relevance: 1.6, APIs: 1, Instructions: 118
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 063AA9B0

Memory Dump Source

Source File: 0000000D.00000002.2097455439.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_63a0000_efthfxj.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 5d6d1668b4db5123f3efea62451b1045da9aad13e1ae96584b1b0bc27a7462fe
Instruction ID: 594e35271049c896c9d236bd03bde3f8553038c4fc04a7932994d0e3d5058c14
Opcode Fuzzy Hash: 5d6d1668b4db5123f3efea62451b1045da9aad13e1ae96584b1b0bc27a7462fe
Instruction Fuzzy Hash: AE419CB5D012589FCB00DFA9D984ADEFBF1FF49310F14902AE418B7250D779A945CBA4

Function 063AA8E0 Relevance: 1.6, APIs: 1, Instructions: 115
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 063AA9B0

Memory Dump Source

Source File: 0000000D.00000002.2097455439.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_63a0000_efthfxj.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 4897e0c3bb3840fb890465c9cad6fe3a0622b3b9798b06e0b6c2f82a4c46098f
Instruction ID: 1306358f5b03a2a0eb320f5bb7ccde07b6b25812e5c658566b72b39b5d4809e6
Opcode Fuzzy Hash: 4897e0c3bb3840fb890465c9cad6fe3a0622b3b9798b06e0b6c2f82a4c46098f
Instruction Fuzzy Hash: FC419CB5D012589FCF00CFA9D984ADEFBF1FB49310F14902AE818B7250D779A945CB94

Function 063AA500 Relevance: 1.6, APIs: 1, Instructions: 109
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 063AA5BA

Memory Dump Source

Source File: 0000000D.00000002.2097455439.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_63a0000_efthfxj.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 615abb89927e743dadaab2f31bf7fa34c75d7f5ebd06c15004c32ec8b9c0b177
Instruction ID: 7baa59022af30f76405a4046dea22a2db1df5814fcab8743eaaff3343284f389
Opcode Fuzzy Hash: 615abb89927e743dadaab2f31bf7fa34c75d7f5ebd06c15004c32ec8b9c0b177
Instruction Fuzzy Hash: 6B419AB5D002589FCF10CFA9D984AEEFBB1BB19310F14942AE855B7210D739A945CFA4

Function 063AA508 Relevance: 1.6, APIs: 1, Instructions: 106nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 063AA5BA

Memory Dump Source

Source File: 0000000D.00000002.2097455439.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_63a0000_efthfxj.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 20176f68cdc94ef40df385e0f69ee7b5e2dc4787c4361dace1d86161846a435d
Instruction ID: b6bd50de625a6d29f790604005726df9617a5487080ca4a15d0a9e3059bfc586
Opcode Fuzzy Hash: 20176f68cdc94ef40df385e0f69ee7b5e2dc4787c4361dace1d86161846a435d
Instruction Fuzzy Hash: 8841AAB5D002589FCF10CFA9D984AEEFBB1BB09310F10942AE815B7210D739A945CFA8

Function 063AAC01 Relevance: 1.6, APIs: 1, Instructions: 96nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL(?,?), ref: 063AACB7

Memory Dump Source

Source File: 0000000D.00000002.2097455439.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_63a0000_efthfxj.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6ab6c70df1657a6f2d970a4349719387cc0d7d5ea68eadacc9bcac78f38669f5
Instruction ID: 91f118eab07e22de07b6b6392cbc67484896a50117ebf529d9d7afcbf8a12bbb
Opcode Fuzzy Hash: 6ab6c70df1657a6f2d970a4349719387cc0d7d5ea68eadacc9bcac78f38669f5
Instruction Fuzzy Hash: 6941BCB5D002589FDB10DFA9D984AEEBBF1BF49310F14802AE409B7240D738A945CF94

Function 063AAC08 Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL(?,?), ref: 063AACB7

Memory Dump Source

Source File: 0000000D.00000002.2097455439.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_63a0000_efthfxj.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 29591c53b8f7b4f435a0f3ff3e320813739a8c3ced9ff937db6e8bc57b513927
Instruction ID: a7add0271d0430488921635c6da7b7b0e49123e28d4185df8928d0e82df3e230
Opcode Fuzzy Hash: 29591c53b8f7b4f435a0f3ff3e320813739a8c3ced9ff937db6e8bc57b513927
Instruction Fuzzy Hash: 8931ABB5D012589FDB10DFAAD984AEEFBF1BF49310F24802AE419B7240D739A945CF94

Function 063AA6B9 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 063AA749

Memory Dump Source

Source File: 0000000D.00000002.2097455439.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_63a0000_efthfxj.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 968d3c4b30f3db1632be0e7725fe2ab5274b3a721dec73f3bb32627f057c50f0
Instruction ID: cc51e09211da247c8019b7826f07d7025ca3af252089a297d969923eec69fabc
Opcode Fuzzy Hash: 968d3c4b30f3db1632be0e7725fe2ab5274b3a721dec73f3bb32627f057c50f0
Instruction Fuzzy Hash: 7331CAB9D012189FCB10CFA9D980A9EFBF5FF49310F24842AE805B7200C739A945CF94

Function 063AA6C0 Relevance: 1.6, APIs: 1, Instructions: 80nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 063AA749

Memory Dump Source

Source File: 0000000D.00000002.2097455439.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_63a0000_efthfxj.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e30f486dcb37480f8519417ce4be8bd3ddda1eb5516d975041fc15f703c53131
Instruction ID: f20db5bd3c4948d4b6a0ca6ac466c865276107068d958de3fc24c7d235180663
Opcode Fuzzy Hash: e30f486dcb37480f8519417ce4be8bd3ddda1eb5516d975041fc15f703c53131
Instruction Fuzzy Hash: B431A9B9D012189FCB10DFA9D984A9EFBF5FF49310F20942AE805B7200C779A945CFA4

Function 04CD6047 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a078f988ddbff9c203bd21d63d541f96d3a4185dd39e49eb413f32ed7991a05
Instruction ID: bf3f3e60657a40401a3af01b10ad86ba02c5babc6a6830c2e5399f262a797142
Opcode Fuzzy Hash: 0a078f988ddbff9c203bd21d63d541f96d3a4185dd39e49eb413f32ed7991a05
Instruction Fuzzy Hash: 609182B1D0165A8FDF14CF66C8852EDBBB2FF86304F1582B9D5099B221DA346A47DF00

Function 04CDD550 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db37b478912f383509d8ad5e734af9504e37e77341bbd23e12da343376d84b44
Instruction ID: 4e5c5f0d96f0bc4caab5f24a5318152a0aa3925d0afa1a058685cd1443ebcff4
Opcode Fuzzy Hash: db37b478912f383509d8ad5e734af9504e37e77341bbd23e12da343376d84b44
Instruction Fuzzy Hash: 53A1B678E40318DFCB14DFA5E98469DBBB2FF89300F50946AD51AA7314EB34A982CF50

Function 04CDD8C8 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38927736e1457cc9efc2b81ec6057b06e4d6afd2c091cca409f36af149fd700d
Instruction ID: a54e9b90aed93ee49ee676ed43ccc0f96fd2ce490d105714ab633fdfc5f91142
Opcode Fuzzy Hash: 38927736e1457cc9efc2b81ec6057b06e4d6afd2c091cca409f36af149fd700d
Instruction Fuzzy Hash: A7615970E05209DFCB18DFE6D540AAEBBB2FF89300F54992AC1167B254DB35AA02CF51

Function 04CD2B08 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0411c92e652d221634c3fbcdcabd7156cab0f882ea3cd5756078ce017d4a018f
Instruction ID: 4b42c457e9ea3aaead588c91e1a37df6fd3512d278de0353c2c9292af829414f
Opcode Fuzzy Hash: 0411c92e652d221634c3fbcdcabd7156cab0f882ea3cd5756078ce017d4a018f
Instruction Fuzzy Hash: 8A414271E016188BEB5CCF6B8D4078EFAF7AFC9301F14C1BA990CAA214DB7416428F11

Function 04CD2AF7 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe3ff5f31842063b3957df4c3030ed0ba850b92a261f38323ae00fe06b9bec6
Instruction ID: c196b25461f4003ca1ab53fbb3bbf5d2fce27d8d52c1b5d7bd93a8d1103e360d
Opcode Fuzzy Hash: 5fe3ff5f31842063b3957df4c3030ed0ba850b92a261f38323ae00fe06b9bec6
Instruction Fuzzy Hash: C54143B1E016188BEB5DCF6B8D4078AFAF7BFC9200F14C1BA990CAA215DB3406468F10

Function 04CD3645 Relevance: 2.5, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 04CD36D8
l.dl, xrefs: 04CD364C

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID: l.dl$$]q
API String ID: 0-1344983801
Opcode ID: aba2d89b57b5f1818035c645d773ff6682c0bfc0d66ad7128dce34a77a8d7fce
Instruction ID: df269e74c8be576b07101f0a348272d706e6e2e47efa2528f7e2fde1e09b8a3d
Opcode Fuzzy Hash: aba2d89b57b5f1818035c645d773ff6682c0bfc0d66ad7128dce34a77a8d7fce
Instruction Fuzzy Hash: 2C11FB74A402698FCB29CF65C94479EBBF6FF89340F1094E99449AB324DB709E81CF45

Function 02C34D7F Relevance: 1.6, APIs: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02C34E3F

Memory Dump Source

Source File: 0000000D.00000002.2089195146.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2c30000_efthfxj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a5bb9c9ff5735fbdf379b55cdffebb69de1bba5ccabfb59f4a2db91e1ed7c877
Instruction ID: 3325bc8fd566e858f60dd667c4dda0560ba8f74fbb16a99a3f7ab841d5ca51b3
Opcode Fuzzy Hash: a5bb9c9ff5735fbdf379b55cdffebb69de1bba5ccabfb59f4a2db91e1ed7c877
Instruction Fuzzy Hash: 413198B9D052589FCF10CFA9D984ADEFBF1AF19310F14906AE814B7210D378A945CBA4

Function 063AA7B9 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 063AA86A

Memory Dump Source

Source File: 0000000D.00000002.2097455439.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_63a0000_efthfxj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0a23a3d850cfbfed325d2169d9b7c0592d0c54c954303eb9bc7fe0d94d850e56
Instruction ID: 4c97f1f36d15e181b01c627e10dae918db5a9019dfb797a6035cc6195bcb5a12
Opcode Fuzzy Hash: 0a23a3d850cfbfed325d2169d9b7c0592d0c54c954303eb9bc7fe0d94d850e56
Instruction Fuzzy Hash: 073176B9D002589FCF10CFA9D984A9EFBB5FF49310F14942AE819B7210D735A946CFA4

Function 063AA7C0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 063AA86A

Memory Dump Source

Source File: 0000000D.00000002.2097455439.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_63a0000_efthfxj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 68863eff60736a5cd05e9378d8d1cb9f1d797ca794a63980ad9b3c19b5861995
Instruction ID: 604a2abd2cfcf7f7d0d45c51e7a9db826a6a618c761e6d0e062bf95c45a5575d
Opcode Fuzzy Hash: 68863eff60736a5cd05e9378d8d1cb9f1d797ca794a63980ad9b3c19b5861995
Instruction Fuzzy Hash: 033167B9D002589FCF10CFA9D984A9EFBB5FB59310F10942AE815B7210D735A946CFA4

Function 02C3A478 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02C3A51F

Memory Dump Source

Source File: 0000000D.00000002.2089195146.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2c30000_efthfxj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 14e9f26cfbd363390d4728a047f17793a406c6a739fe2aed9fccd5d96b0216bf
Instruction ID: 42ba4923fcdf599f0e4d7ad62128773c50688764d704af9f04f8f0ef6e7a70b3
Opcode Fuzzy Hash: 14e9f26cfbd363390d4728a047f17793a406c6a739fe2aed9fccd5d96b0216bf
Instruction Fuzzy Hash: 2D3199B9D002589FCB10CFA9D584ADEFBF1BF19310F24902AE814B7210D379A945CF64

Function 02C34D98 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02C34E3F

Memory Dump Source

Source File: 0000000D.00000002.2089195146.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2c30000_efthfxj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d5914a6ce06cefae39298bd0b7cbfc35c500573505a05a161108c5874af72d4d
Instruction ID: fab2df3cfabd916e3b4adb1c2bfb850a0b32048cadba7fa53f5365fe294a96c4
Opcode Fuzzy Hash: d5914a6ce06cefae39298bd0b7cbfc35c500573505a05a161108c5874af72d4d
Instruction Fuzzy Hash: 303198B9D002589FCF14CFA9D584ADEFBF5BB19310F24902AE814B7210D379A945CFA4

Function 053A0D67 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

,, xrefs: 053A0E20

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 5d77f154c2e76b091c17451500fbfdea7041a068d201321800bf925ba03fc094
Instruction ID: e0b07c8d921d6f68b9394fb1a9e4bd07a241c22bc0ddb19fa47a3d2051b07035
Opcode Fuzzy Hash: 5d77f154c2e76b091c17451500fbfdea7041a068d201321800bf925ba03fc094
Instruction Fuzzy Hash: A251A179A05228DFDB64DF68C988BE9BBB1EB49301F5081D9E40DA7351DB31AE81CF50

Function 04CDA578 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

9"U, xrefs: 04CDA5AC

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID: 9"U
API String ID: 0-2706808553
Opcode ID: e1c885c4770b728e1de85d5a83aa539b9686f6b4d9fef803554f7fda7692be5e
Instruction ID: f41c593e241b3fc883ebfc9986608639f2e6b50f2bf74401188a097413b55094
Opcode Fuzzy Hash: e1c885c4770b728e1de85d5a83aa539b9686f6b4d9fef803554f7fda7692be5e
Instruction Fuzzy Hash: 2C21E774E05508EFCB04DFA9C584A9DBBF2AB88300F54D4A69519A7254EB31EA01DB00

Function 04CD2CAC Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

Y, xrefs: 04CD2CAC

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID: Y
API String ID: 0-3233089245
Opcode ID: 330b13b5b420806cbebb069a7eced8a90e2ec0df7c59a8d2d931f0e0f68c4a02
Instruction ID: fd9173bb7c0fb36dc9c2410e23cac3505cf811ba0aa59c0a0adecc576a280699
Opcode Fuzzy Hash: 330b13b5b420806cbebb069a7eced8a90e2ec0df7c59a8d2d931f0e0f68c4a02
Instruction Fuzzy Hash: DF315178A112298FDB65DF15C988B9DBBB6BF49300F1081D9D44DA7364EB31AE81CF01

Function 04CD3670 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

$]q, xrefs: 04CD36D8

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 31880aed266c4bb63518655faa8c3c10db5b8ec2fe14d1cf2f9f35456872e491
Instruction ID: 6dcec6f983ab25f7c1ba72bafa50dcb4e053ab9108616f6995c5440a5df20067
Opcode Fuzzy Hash: 31880aed266c4bb63518655faa8c3c10db5b8ec2fe14d1cf2f9f35456872e491
Instruction Fuzzy Hash: CB11F974A402298FCB26DF25C98469DBBBABF85700F1045EA944DA7224DB709FC1CF45

Function 04CD6AE6 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

@, xrefs: 04CD6B41

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8fddcd3938b3594750fd56ed3a42d90c1019eee798b32f2d2be0cabe7c18fe3b
Instruction ID: 64f058b27895f587d6a310508ceb65eb355c990d101b5f972964a1e8ecc07271
Opcode Fuzzy Hash: 8fddcd3938b3594750fd56ed3a42d90c1019eee798b32f2d2be0cabe7c18fe3b
Instruction Fuzzy Hash: 9E018CB4A0621DDFDB60CF60C9416AAFB36FF52340F2012E9C19A6B111DB305A86DF01

Function 04CD4360 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

<, xrefs: 04CD4386

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 79a28c4d0028e920c3c42ce3e88aaf4eba90e6f5e77e7e3e600e1648ff59f592
Instruction ID: c2f591ab4c844a32dc4a1e7b65da6e2c6bc9858e768873910a38628ab7d074e7
Opcode Fuzzy Hash: 79a28c4d0028e920c3c42ce3e88aaf4eba90e6f5e77e7e3e600e1648ff59f592
Instruction Fuzzy Hash: F5F0F4B4D22229CFDB65CF25C960B99BBB9BF49600F0094D9C1896B212D7319B80CF10

Function 053A1388 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb7997fcc432f0f3e8f4c04068b9a723d40252595926a5ef1188fe01a3f3a7e
Instruction ID: 846e0ba61ac0551a40365873c0bce6593c7d032933e40b443fe0a26583630547
Opcode Fuzzy Hash: 1cb7997fcc432f0f3e8f4c04068b9a723d40252595926a5ef1188fe01a3f3a7e
Instruction Fuzzy Hash: AA51BF75E14219DFCF04CFA9D8809EEBBB6FF88310F10912AE419AB254DB349912CF51

Function 053A1377 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677f4f000e5719baae685999484f07a883e5b23d465076e5acdd490ff86afe4f
Instruction ID: cc2d48400bf0ba76fb882d1ddf72e96e92cdba70a6762eb8da06ce84f26737fe
Opcode Fuzzy Hash: 677f4f000e5719baae685999484f07a883e5b23d465076e5acdd490ff86afe4f
Instruction Fuzzy Hash: 5D51B075E042199FCF04CFE9D8849AEBBF6FF88300F14952AE419AB254DB349912CF51

Function 053A0833 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df585600a0f6e21bfce1132d06414e16d5e21c22a329803750ccb066fb9ae67
Instruction ID: 646bfca22e132bb8537795b3b43a9d5a017839c29e17ef33b9681f533731aee8
Opcode Fuzzy Hash: 3df585600a0f6e21bfce1132d06414e16d5e21c22a329803750ccb066fb9ae67
Instruction Fuzzy Hash: 3341A4B5A012199FDB64DF58C989BD9BBFAAF49300F1081D9E84CE7311DB309E818F10

Function 04CD8750 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c982d121327c8f4eb0cbb5b4b50fe6a2d03b707058acd7fc8d50b0c2e2325d
Instruction ID: e380f7f2ee2853eedb748cb37831ff11116a35c80a294a136b56adc4b4953375
Opcode Fuzzy Hash: f7c982d121327c8f4eb0cbb5b4b50fe6a2d03b707058acd7fc8d50b0c2e2325d
Instruction Fuzzy Hash: A231C6B4E05219DFCB44DFAAC5809AEFBF2FB88300F10956AD529A7354D734AA41CF60

Function 053A0A47 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10260be2b6aa8f8d378a2261c7ad795a1800635da1cf455acea87e77772ff25
Instruction ID: aafc619009e4673f4057068fd0facd27740c191b19939719900cce9ffbb6b1c6
Opcode Fuzzy Hash: f10260be2b6aa8f8d378a2261c7ad795a1800635da1cf455acea87e77772ff25
Instruction Fuzzy Hash: BE31B2B5E012198FCB68CB68C895BDDBBB2AB98304F14C0E5A55CA7355EB709E81CF50

Function 053A03CB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041b0fc0c79fc9a37940683e70e24c43e015561f7f99ea4a9f28d372fb45867b
Instruction ID: e6250a4b107adf99f6b24bd1c746bed919e1d03c5bd31c23215a92f476d9f7c1
Opcode Fuzzy Hash: 041b0fc0c79fc9a37940683e70e24c43e015561f7f99ea4a9f28d372fb45867b
Instruction Fuzzy Hash: C1315C789012298FDB64DF68C884B9DBBB2FB49310F5085DAD90DA7351DB30AE81CF11

Function 053A0103 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9fd9fbab80d4f66047939c4be9115d7c7a2dd9059ae9b3328c03b1b31857be
Instruction ID: f7b9656bcc9bc928f97847e256040221fc5d1b64a479e661d7b2ce58e13b34ff
Opcode Fuzzy Hash: 7c9fd9fbab80d4f66047939c4be9115d7c7a2dd9059ae9b3328c03b1b31857be
Instruction Fuzzy Hash: 8031AE74A012298FCB29CF68C988ADDFBF1BF48304F1480E9940CA7221DB30AE95CF54

Function 053A0C63 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3987a216780c7ac5407373dc335d296432dcb5d7adbec22be53635a1e05aa98
Instruction ID: 38015bcaf66ead273c74f0a2814d322076cfd6ea344d7fed6eafc8d2255fc191
Opcode Fuzzy Hash: b3987a216780c7ac5407373dc335d296432dcb5d7adbec22be53635a1e05aa98
Instruction Fuzzy Hash: E7219F74E412289FDBA4DF68E988B99BBF2BB49310F1085DAD44DA7350DB309E818F11

Function 04CD1C1E Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0216d16e0886869ce705c20bb110ccd1430ed8f0f737cfa64a5019e6ba904acc
Instruction ID: f77b6863d7aaac17eb0c50058e189734ab5455b0cfac55ab40593094e8524a34
Opcode Fuzzy Hash: 0216d16e0886869ce705c20bb110ccd1430ed8f0f737cfa64a5019e6ba904acc
Instruction Fuzzy Hash: 2C018FB1D00608AFCB14DFB9D8406EEBBF1EB48310F1486B9D91896301EA31A656DF44

Function 04CD1C7B Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba08017d9a292f865073bc9ea911a7f97651aaf7861a775aa567b0e5be5b100
Instruction ID: 47f7935b13bd4fb64b09478db8395fa013b3d2d73db4cf8756e64baa68376d4f
Opcode Fuzzy Hash: 7ba08017d9a292f865073bc9ea911a7f97651aaf7861a775aa567b0e5be5b100
Instruction Fuzzy Hash: 51F08CB1C00208ABCB14EFB9E4406EDBBF0EB48310F1046B9D91492301EB35965BDF80

Function 053A0663 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c429349f050ec8719a9644c3a39832cd173685bfb4d82175e8bda3edc9450cee
Instruction ID: e91068d90ab863789fdc09f55da97748b1c56969bca035f5706328381a84f916
Opcode Fuzzy Hash: c429349f050ec8719a9644c3a39832cd173685bfb4d82175e8bda3edc9450cee
Instruction Fuzzy Hash: F4014CB5D051198FDBA4DF69C858B99BAF6FB88300F10D1E9D10CE7201EA349E808F20

Function 04CD2AA9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e60c21b9435c5be36082aed274169a72dda5dfb9de02d53027a63a2a50f2ee
Instruction ID: 9029d94b61f923b969b865a6610b33ca34093264db1c30f521c490421d6b8526
Opcode Fuzzy Hash: 45e60c21b9435c5be36082aed274169a72dda5dfb9de02d53027a63a2a50f2ee
Instruction Fuzzy Hash: 4BF058B0C11208DFCB05DFB8C9026ADBFB1FB05301F5085AAC818A3252D7709656CF90

Function 053A09D6 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6252efeba478cbb603a879b35f059ce7011b62f5a347f1f38cd59abfd13d5fc8
Instruction ID: 6e21215cc4e1f9954d9afe4d41ca23b617f64602c05eb9e57d4b02c00e69212e
Opcode Fuzzy Hash: 6252efeba478cbb603a879b35f059ce7011b62f5a347f1f38cd59abfd13d5fc8
Instruction Fuzzy Hash: BD01B671D05219AFDF25DFA1DD44ADDBBB2FF88304F2081A9A509A3250DB315E519F00

Function 053A06BE Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f423a0d4ef0eadefe5ce500b1fa049e5239885cb4acd5201b58b3888b45666
Instruction ID: c8387d5dec53fe94a634ec9733f6a62a28d79addd962497fe7702008c62964e7
Opcode Fuzzy Hash: 46f423a0d4ef0eadefe5ce500b1fa049e5239885cb4acd5201b58b3888b45666
Instruction Fuzzy Hash: 52F0B7B69011149FDB55DF59D855BE9B6BAEB89300F44D0A5E008E3211DA309A408F20

Function 04CD5488 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aaaf342a36773e257676000d12ed0fc900d74cb9ecfe9de10a6e06d0d81dfe5
Instruction ID: 1e46506466f5f8b78b6620783194f67e521d5322db01b2e0254bdac4e550a482
Opcode Fuzzy Hash: 3aaaf342a36773e257676000d12ed0fc900d74cb9ecfe9de10a6e06d0d81dfe5
Instruction Fuzzy Hash: A8F01D70A017598FDB29DB25CC507BAB3BBAF8460AF1444E984096B260CA359E82DF06

Function 053A023C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b6c86bc9d67471cf9cd40da56e31c97cc216ff341ee0cdffcbed4c9e9225e7
Instruction ID: b4ec7203732376e7a8968977231ac4a4b23b2729e24b2c8b187d7824c8c50eff
Opcode Fuzzy Hash: f6b6c86bc9d67471cf9cd40da56e31c97cc216ff341ee0cdffcbed4c9e9225e7
Instruction Fuzzy Hash: 14F04975D066698FDB54CF24CC48A89FBF1BB55300F14D0DAC049E7211EB305A819F61

Function 053A0FE2 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbf34c8afbdfbb0a2c209f2e1155f4e533b790c0964ac0d6cc3c8a33073a95c
Instruction ID: 6104fdee1bcdd9cb97e4581d7ef40cc5dcbfc460bb87ec1c64fdc2e0964b6983
Opcode Fuzzy Hash: cdbf34c8afbdfbb0a2c209f2e1155f4e533b790c0964ac0d6cc3c8a33073a95c
Instruction Fuzzy Hash: 81F0A475A022188FDBA4CF24C984A9AFBB1FF89314F54C5E9984DAB211DB31DE81CF01

Function 04CDFE78 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900f51e4ac0cec2fb7035ad5004e0acbc2fde0e2af012453ecf8fcb611672539
Instruction ID: a5cce08482a7ec35dd7f363a2e0614256d03b4551752149cb0d5b83740ff96f5
Opcode Fuzzy Hash: 900f51e4ac0cec2fb7035ad5004e0acbc2fde0e2af012453ecf8fcb611672539
Instruction Fuzzy Hash: 50F01C74C0020CEFCF41DFA8D9046ADBFB1FB08310F008559E814A2210D7719660DF90

Function 053A0279 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704084cb728e3c7d2b9459b1cd79dbe25dedcf9dbc72c372091d4ced5bcd1cb4
Instruction ID: 90750cf328ea62a4e58cd6a305c50a9f02f720e2fe72d5f7fb4fa9f68f7bb526
Opcode Fuzzy Hash: 704084cb728e3c7d2b9459b1cd79dbe25dedcf9dbc72c372091d4ced5bcd1cb4
Instruction Fuzzy Hash: 2CE0EDFAA011149FDB54DF58CC45FEDBABAEB89300F10D099E109E3211EB30AE418F20

Function 04CDE550 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c97a1f06958709cdbc345d3535678ebfd52b24feddffb7ec7674d5d07564b4
Instruction ID: 97227d84f38b28cb8e75b7cdfd567cdbe99eb07c66798ce20467a4a99d7b019e
Opcode Fuzzy Hash: 18c97a1f06958709cdbc345d3535678ebfd52b24feddffb7ec7674d5d07564b4
Instruction Fuzzy Hash: 06F0C9B4D40218DFCB44EFA9D944AADBBF4FB08310F1085AAE818A7311E771AA50DF91

Function 04CD1CA8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a592e5d4a26eb06f6bbcf21a65fe3afe09acd0086efbb69f102878a16ab6a17e
Instruction ID: 1a565ebd85df43330ad71674e156d7d1976db2b298fe247dd16d67904fce82d3
Opcode Fuzzy Hash: a592e5d4a26eb06f6bbcf21a65fe3afe09acd0086efbb69f102878a16ab6a17e
Instruction Fuzzy Hash: 5FE0E5B0D00218EFCB44EFA9D8446ADBBF1FB48300F5086AAD824A3300EB719A51DF80

Function 04CDF9C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef25c456989dbaeea444a2ab6c3d3eeaa83c6640d126f2097666148d18276bc9
Instruction ID: 733f013c01f3e527589e0bea9d1f16f6248177001c0003cd82139ad5bed83982
Opcode Fuzzy Hash: ef25c456989dbaeea444a2ab6c3d3eeaa83c6640d126f2097666148d18276bc9
Instruction Fuzzy Hash: 6EE0EDB4D4121CEFCB40EFA8D9056ADBBB5FB08310F1085A9E858A3300D7719661DF90

Function 04CD2AB8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e51240f7ffff210b718ecbb5f1feefdd055cb99eba02ce9ed162a00e8d8797
Instruction ID: 82f131c07b2a080e19754417fee9d43aaeb49304aa341eb8b656acc1f72ff673
Opcode Fuzzy Hash: f9e51240f7ffff210b718ecbb5f1feefdd055cb99eba02ce9ed162a00e8d8797
Instruction Fuzzy Hash: FDE0ED70D00219DFCB44DFA8D4006ADBBB1FB08300F5085A9D818A3341D7719651DF81

Function 053A1789 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0026bd85d9ad70ace7e6189307f337f9a10c0c2ff29be8d484f3f9e7a1531885
Instruction ID: d8f69a124a1e13bbc88688af1831f4818f591d2a6d90881e99cda558abfa1572
Opcode Fuzzy Hash: 0026bd85d9ad70ace7e6189307f337f9a10c0c2ff29be8d484f3f9e7a1531885
Instruction Fuzzy Hash: 14E01A71D45308AFCB91DFB8D80538DBBF4EB04301F1485A98448D2380EB759A50CB41

Function 053A04EC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2096857904.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_53a0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb16ead6a5189e667b6db75e65cdcdebe416b3d20d47f533381b0366602df2f6
Instruction ID: 404f18f20348c8061d192d8e0ca5d3b2cc416aae2daeebd6a29c182a0223b015
Opcode Fuzzy Hash: eb16ead6a5189e667b6db75e65cdcdebe416b3d20d47f533381b0366602df2f6
Instruction Fuzzy Hash: 1DF09274A012199FDB68CF24C984AA9FBB2FB49314F24D1D9981CA7212DB71EE81CF50

Function 04CD3DC6 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18cf9d8e8b32c31af847ea62dadb57787b706d31480609c9650273ff5cc80bbd
Instruction ID: a046d648b6a999814ed117876288bb73c17ba4a9c8b64d26232f5ee57f96efea
Opcode Fuzzy Hash: 18cf9d8e8b32c31af847ea62dadb57787b706d31480609c9650273ff5cc80bbd
Instruction Fuzzy Hash: 67E07EB8E0031C8FDF10CF99C881AADBBB6AB49310F0450999A08AB340D334A985CF18

Function 04CD7281 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de416f1142b453767d380d1fcbc3a37c22d1b76140ad3c84a353fb2129e27fa3
Instruction ID: a57ce39dc979000393c4141a0d77fdcc6a5511ca570c472ab7cd8e7e385d23db
Opcode Fuzzy Hash: de416f1142b453767d380d1fcbc3a37c22d1b76140ad3c84a353fb2129e27fa3
Instruction Fuzzy Hash: BCE09A749512699FCB54EF69D98079CB7B5FB88200F0055E6900DB7224DB349D89CF20

Function 04CD4C21 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b0c6dc4595639d51026a61929127d9f1fa3b13ea72732198e50c0a5fd8a527
Instruction ID: e4dc5a09cd9427e5ada4f0de1f31ade2fc76e677aabe90c62abc4425ee3c888e
Opcode Fuzzy Hash: d5b0c6dc4595639d51026a61929127d9f1fa3b13ea72732198e50c0a5fd8a527
Instruction Fuzzy Hash: 9CE01774D0411E8FEB14CBA1CC40BAEF7B6BF84300F1494EA810AB7244E630AA82CF24

Function 04CD3B2E Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403f0fb3205a511338e035edee170c3e1cd820a989e41d2e4575ee3bf227e08f
Instruction ID: 95e6833093da8b40c9a33fdceb538ebd870ace052eed0971be98a3e86f5866c4
Opcode Fuzzy Hash: 403f0fb3205a511338e035edee170c3e1cd820a989e41d2e4575ee3bf227e08f
Instruction Fuzzy Hash: 3AD09E7591422E8FDB54CB91C841BAEBAB6AB84340F1455E98219FB244D6349A828F24

Function 04CD3467 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e347e7eb64de3475f3cfb5fa28fe709a5975e88e0f03c2e27502dc53837c641
Instruction ID: 266f523461b49a55994b355e161ad1673c7f932911c104e317c45a8101a03d0f
Opcode Fuzzy Hash: 3e347e7eb64de3475f3cfb5fa28fe709a5975e88e0f03c2e27502dc53837c641
Instruction Fuzzy Hash: E8E012309142998FCB1ADF15CE40799B7B9FF84304F0459E69109A7128E7309F82CF20

Function 04CD3D41 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e858ce1946aa5aeb29267121d305216855a60f467b9ae769e16d1ca254c9e5e1
Instruction ID: c6398c0d2677a107bc5cc275a732ac9e3618e5b4035c8d978730a8213cd57aad
Opcode Fuzzy Hash: e858ce1946aa5aeb29267121d305216855a60f467b9ae769e16d1ca254c9e5e1
Instruction Fuzzy Hash: 23D0C97490421E8BDB54DA50CC40BAEB776BB95300F005595814AB7380DA3499829B15

Function 04CD3EB8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0af6d5142db93ee78e17e5ddc0210ed8255b09a1e237b688b51124435d2e76
Instruction ID: 1f572b8061e535866cd6e2a97cfd64b3a70258fa4fd7cb6999c32219b20f11a1
Opcode Fuzzy Hash: 4c0af6d5142db93ee78e17e5ddc0210ed8255b09a1e237b688b51124435d2e76
Instruction Fuzzy Hash: 1DD0C974D0021D8BDB10DF50CD40BAEB775BF44300F0490D98109B3240DB746D82CF18

Function 04CD3961 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c916677aad2304745289b3e7ebb836c38797b58d29083a9cdfa9e31521a299c
Instruction ID: 2da75413536bfed86de6640a11a495d3f6ff5b985a9e4ceb42762dfd225feb9f
Opcode Fuzzy Hash: 0c916677aad2304745289b3e7ebb836c38797b58d29083a9cdfa9e31521a299c
Instruction Fuzzy Hash: 2AC002B4E0426D8FDB20DFA1C850BAEB67ABB55300F1456DA8609B7240E730A9839F19

Function 04CD4BB9 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb877ed5064c40500a8e891949442ef4e049a0fd5ae7fae474768a415ae4def1
Instruction ID: aec30889e89d3369515fffaf3423fd79f457d69cb86a5c70449f16eab08e58b8
Opcode Fuzzy Hash: fb877ed5064c40500a8e891949442ef4e049a0fd5ae7fae474768a415ae4def1
Instruction Fuzzy Hash: BBC012B890022C8BDB10DFA0CC40BAEB776BB84300F0494D9810AB3240DA30AE829F15

Function 04CD5931 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2095132839.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4cd0000_efthfxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea0e50666c560fd37989b1453c979fff092cd8d713080d32a3789a27c7a0c82
Instruction ID: c5e53608c1a51623b1df928d573b8d3e21fbe4acc14b23193656f5bf127b17f0
Opcode Fuzzy Hash: 9ea0e50666c560fd37989b1453c979fff092cd8d713080d32a3789a27c7a0c82
Instruction Fuzzy Hash: D5C08C61902912CBDB60C667CD0030AB9A2AB862A0F0897C1021AF91A4F274C9828E10

Analysis Process: efthfxj.exePID: 1276, Parent PID: 3992COMMON

Executed Functions

Function 01220B60 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

daq, xrefs: 01220E64

Memory Dump Source

Source File: 0000000E.00000002.2075241634.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_efthfxj.jbxd

Similarity

API ID:
String ID: daq
API String ID: 0-1532007458
Opcode ID: dd6c4e0bde177d62c3aefbf13465b6e8ce50a4614d33af36b607e9182dbe16ed
Instruction ID: 724d9c3fbef35f874c8b81063b2f9a3cd75694014c6d31b89db0dee8f48a5440
Opcode Fuzzy Hash: dd6c4e0bde177d62c3aefbf13465b6e8ce50a4614d33af36b607e9182dbe16ed
Instruction Fuzzy Hash: DD82A174A10229CFCB24DF68D984BDDBBB5FF49304F1082AAD409AB265D770AE85CF50

Source: unknown	Process created: C:\Users\user\Desktop\vkXe5gkY34.exe "C:\Users\user\Desktop\vkXe5gkY34.exe"
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\eystsdf.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe efthfxj.sfx.exe -pgtrfdewscbsdyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeG -dC:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe "C:\Users\user\AppData\Roaming\efthfxj.exe"
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 80
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe "C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe"
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe
Source: C:\Users\user\Desktop\vkXe5gkY34.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\eystsdf.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe efthfxj.sfx.exe -pgtrfdewscbsdyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeG -dC:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.sfx.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe "C:\Users\user\AppData\Roaming\efthfxj.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe "C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp" /F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Process created: C:\Users\user\AppData\Roaming\efthfxj.exe C:\Users\user\AppData\Roaming\efthfxj.exe

Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\efthfxj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\efthfxj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\efthfxj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\efthfxj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\efthfxj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\efthfxj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\efthfxj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\efthfxj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\efthfxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\efthfxj.exe VolumeInformation

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vkXe5gkY34.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: XenoRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\efthfxj.exe.log

C:\Users\user\AppData\Local\Temp\tmp3BF9.tmp

C:\Users\user\AppData\Roaming\XenoManager\efthfxj.exe

C:\Users\user\AppData\Roaming\efthfxj.exe

C:\Users\user\AppData\Roaming\efthfxj.sfx.exe

C:\Users\user\AppData\Roaming\eystsdf.cmd

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
vkXe5gkY34.exe